Y2K Virus Information
Even though most
companies have gotten through the Millennium Bug, there are loads of new
viruses out there just to mark the new millennium. So how do you know
which one you have (if you get one) and what properties it displays? Here
is a listing of those new viruses and their properties. For more
information, check out the Computer
Associates website.

Feliz.Trojan Virus
Computer Associates International, Inc. (CA) today
warned computer users of a new Portuguese "Happy New Year"
Trojan called "Feliz.Trojan." Trojans are destructive programs
that disguise themselves as benign applications. Unlike viruses, Trojans
do not replicate themselves, but they can be just as destructive.

CA provides detection for the Trojan, which, when
started, will immediately delete the following files:

system.dat

After deleting these files, it will display a bitmap of
an ugly looking face entitled "FELIZ ANO NOVO!!!" ("Happy
New Year" in English). When the user presses EXIT, the Trojan will
display a number of message boxes in Portuguese and exit. The computer
may not be able to boot following that. The Windows installation directory
("C:\windows") is hard coded in the Trojan body and the Trojan
will not cause any harm if Windows is installed in another directory.

CA's InoculateIT signature 7.73 provides detection for
Feliz.Trojan.

"This Trojan indicates that the threats from
virus/Trojan writers continue," said Simon Perry, CA's security
business manager. "As desired by our clients, CA will continue to
provide up-to-date warnings as these threats emerge and strongly
recommends that computer users maintain their antivirus solutions with
the latest available signature files."

"ARMAGIDON" Virus
Computer Associates International, Inc. (CA) today
warned computer users of a new Word macro virus called "Armagidon".
CA provides detection for the virus, which infects Word documents.
"Armagidon" spreads through traditional
means such as emails, shared drives, and floppy disks. Infected
documents contain two macros: "Document_Open" and "Document_New",
which are stored in the class module "ThisDocument". Infected
templates contain an additional macro module containing eleven macros:
Auto_Exec, Auto_Exit, ToolsOptions, ToolsMacro, FileTemplates,
ViewVBCode, Organizer, ToolsRecordMacroStart, ToolsRecordMacroToggle,
FileSave, and FilePrint.
When an infected document is opened, the code from the
"Document_Open" macro is executed, enabling "Armagidon"
to infect the normal template. The virus uses a temporary file called
"armagidon.bas" to create the macro module "Armagidon".
On May 8th, Red Cross Day, the virus replaces the Windows mouse pointer
with the Red Cross symbol.
Upon execution of the "FilePrint" function,
a more dangerous payload is triggered which replaces one non-standard
ASCII character with another.
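
The macro layout described above can be turned into a triage check over extracted macro source. This is an added example, not CA's detection logic or code from the original page; the input shape (module name mapped to exported VBA text), the verdict labels, the assumption that the "armagidon.bas" file name appears in the macro source, and the stub samples are all constructed for illustration.

```python
import re

# Macro names as listed in the advisory text above.
DOC_MACROS = {"document_open", "document_new"}
TEMPLATE_NAMES = ("Auto_Exec", "Auto_Exit", "ToolsOptions", "ToolsMacro",
                  "FileTemplates", "ViewVBCode", "Organizer",
                  "ToolsRecordMacroStart", "ToolsRecordMacroToggle",
                  "FileSave", "FilePrint")
TEMPLATE_MACROS = {n.lower() for n in TEMPLATE_NAMES}
SUB_RE = re.compile(r"^[ \t]*(?:(?:Public|Private)[ \t]+)?Sub[ \t]+(\w+)",
                    re.I | re.M)

def declared_subs(source):
    """Lower-cased names of every Sub declared in one module's VBA source."""
    return {name.lower() for name in SUB_RE.findall(source)}

def classify(modules):
    """modules maps module name -> exported VBA source text (assumed shape)."""
    subs = {name: declared_subs(src) for name, src in modules.items()}
    # Both document macros must sit in the ThisDocument class module.
    doc_pair = DOC_MACROS <= subs.get("ThisDocument", set())
    # All eleven template macros must sit together in one additional module.
    extra_module = any(TEMPLATE_MACROS <= s
                       for n, s in subs.items() if n != "ThisDocument")
    # Assumption: the temporary file name is visible in the macro source.
    bas_ref = any("armagidon.bas" in src.lower() for src in modules.values())
    if extra_module:
        return "template-layout"
    if doc_pair and bas_ref:
        return "document-layout"
    if doc_pair:
        return "weak-match"  # these two names alone also occur in benign files
    return "no-match"

# Constructed samples: empty stubs that carry only the names, no macro logic.
def _stubs(names):
    return "".join(f"Private Sub {n}()\nEnd Sub\n" for n in names)

SAMPLE_DOCUMENT = {"ThisDocument": "' temp file: armagidon.bas\n"
                   + _stubs(["Document_Open", "Document_New"])}
SAMPLE_TEMPLATE = {"ThisDocument": _stubs(["Document_Open", "Document_New"]),
                   "Armagidon": _stubs(TEMPLATE_NAMES)}
SAMPLE_BENIGN = {"ThisDocument": _stubs(["Document_Open"]),
                 "Module1": _stubs(["FileSave", "FilePrint"])}
```

A "weak-match" verdict should be treated as a prompt for a signature scan, since Document_Open and Document_New are ordinary event handler names.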
"As IT professionals around the world focus on
their technology environments, CA will continue to notify our clients of
new viruses as we detect them," said Simon Perry, CA's Security
Business Manager. "We have received very positive feedback
concerning this proactive approach and will continue to provide an
unparalleled level of notification to help protect our clients'
environments."

"WSCRIPT/KAK" Worm
Computer Associates International, Inc. (CA) today
warned computer users of a new worm named "Wscript/Kak". CA
provides detection for the worm, which infects Windows98 systems. Though
"Wscript/Kak" has been reported in the wild, the worm requires
a very specific environment to exist before infection and spread can
occur.
"Wscript.Kak" spreads through e-mail using
Outlook Express 5.0 on Windows98 systems only. The worm will infect
Windows98 systems running Outlook Express 5.0 even if users don't open
any attachments from the infected mail.
Once a user receives the infected HTML email, the
hidden (embedded) script code will be executed without prompting the
user if the Internet Explorer 5 security settings are set to medium or
low. "Wscript.Kak" uses a known Internet Explorer 5 exploit to
write its code in the Windows startup directory as "Kak.HTA".
Additionally, it writes parts of its code to "Kak.HTM" and
creates a copy of itself in the System directory, which will be
registered under the following registry key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\cAgOu"
This causes repeated execution when Windows is
started.
The worm then searches for installed
"Identities" in Outlook Express 5.0 and changes their registry
settings to (re)assign the default signature for composed mails to its
"C:\Windows\Kak.HTM". Only systems where the "User
Identity" is not at the default setting will be affected. Once the
signature settings have been changed, "Wscript.Kak" will
attach its script code to every email sent by the user.
During execution the worm checks the system date and
time. If the day comes first and the hour setting is greater than 17, an
alert box with the following message will be displayed:
"Kagou-Anti-Kro$oft says not today !"
The worm then attempts to shut down Windows.
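
The persistence artifacts described above (the "cAgOu" Run value, the Kak.HTA and Kak.HTM files, and a signature setting pointing at Kak.HTM) can be checked for in a registry export and a file listing. This is an added example, not CA's tooling or code from the original page; the sample export, the EXAMPLE.HTA file name, the identity key path, the start-up folder path and the function names are constructed for illustration.

```python
import re

# Indicators named in the advisory text above (compared case-insensitively).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "cagou"
DROPPED_FILES = ("kak.hta", "kak.htm")

# Constructed sample input: EXAMPLE.HTA and the identity key are placeholders.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"cAgOu"="C:\\WINDOWS\\SYSTEM\\EXAMPLE.HTA"

[HKEY_CURRENT_USER\Identities\{EXAMPLE-GUID}\ExampleSignatureKey]
"file"="C:\\Windows\\Kak.HTM"
"""
SAMPLE_FILES = [r"C:\WINDOWS\Start Menu\Programs\StartUp\kak.hta",
                r"C:\WINDOWS\KAK.HTM", r"C:\WINDOWS\WIN.INI"]

def parse_reg_export(text):
    """Yield (key, value_name, data) for string values in a REGEDIT4 export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"="(.*)"$', line)
        if m and key:
            # Exports double every backslash inside string data; undo that.
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def find_kak_indicators(reg_text, file_paths):
    """Return (kind, location, data) tuples for each indicator that is present."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() == RUN_KEY and name.lower() == RUN_VALUE:
            findings.append(("run-key", key + "\\" + name, data))
        elif data.lower().endswith("\\kak.htm"):
            # Any value pointing at Kak.HTM, e.g. a reassigned mail signature.
            findings.append(("kak-htm-reference", key + "\\" + name, data))
    for path in file_paths:
        if path.replace("/", "\\").rsplit("\\", 1)[-1].lower() in DROPPED_FILES:
            findings.append(("dropped-file", path, ""))
    return findings
```

The Run-key data is reported rather than matched, because the text above does not name the copy placed in the System directory.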
"Though this virus isn't Y2K-related, its
discovery further confirms that hackers will exploit user fears
throughout the Y2K changeover," said Simon Perry, security business
manager at CA. "Since the user doesn't even have to open the
attachment for the worm to be executed, this has the potential to spread
rapidly and quietly. CA is urging both business and home users to be
conscientious in deploying powerful and reliable antivirus software to
protect their systems."

For the latest protection
against these viruses and worms, head over to http://antivirus.cai.com.

This site is not related to the Microsoft Corporation in any way. Windows
and the Windows logo are trademarks of the Microsoft
Corporation. ActiveWindows is an independent site. The information
and sources here are obtained from a series of hard work & research.