VIRUS ALERTS, HOAXES, CHAIN LETTERS & REMEDIES

Before you send a chain letter, verify it with Urban Legends!

09-01-01: Basic Virus Protection Procedures, by Jimi Two Feathers

05-21-01: http://techlawjournal.com/congress/slamspam/s1618es.htm
Top Global Threats
W95.Hybris.gen
JS.Seeker
W95.MTX
Wscript.KakWorm
W32.Navidad.16896
W32.HLLW.Bymer
W32.Navidad
Happy99.Worm
VBS.LoveLetter
W32.HLLW.Qaz.A
Asia Pacific
JS.Seeker
W95.Hybris.gen
W95.MTX
Europe
JS.Seeker
W95.Hybris.gen
W95.MTX
Japan
W95.Hybris.gen
W95.MTX
W32.HLLW.Bymer
USA
W95.Hybris.gen
JS.Seeker
Wscript.KakWorm
New Virus Hoaxes reported to Symantec
02-12-01: SECURITY ALERT: HIGH RISK
VBS_Kalamar.A ("Anna Kournikova" virus) seen in the wild and spreading rapidly. Solutions available for corporate users and home users.
12-11-00: From Zone Labs (www.zonelabs.com), a new damaging (verified) virus. Meet the Sonic Worm - the not-so-cuddly gift you don't want to give (or receive) this Christmas. http://www.zonelabs.com/newsletter/worm1200_oldSBM.htm
To be safe, run the free HouseCall scan each week from Trend Micro: www.antivirus.com. And get free InoculateIT from Computer Associates: www.cai.com
FROM: Laurie Loeb, 10/28/00: I thought you would be interested in knowing about this computer virus...
Virus Name: JS/Kak.worm.a
Virus Characteristics:
This worm was first discovered by AVERT in October 1999, and detection for it was added in the 4051 DAT updates. Virus Patrol, a newsgroup scanning program from NAI, continues to identify occurrences of this Internet worm in newsgroup postings, which is an indication that the worm is continuing to spread. AVERT recommends adding ".HT?" to the file extensions scanned for protection, and also ensuring that users have installed the security patch from Microsoft mentioned below.
Another dangerous aspect of this Internet worm is the ability to continuously re-infect yourself if the preview pane is enabled and you browse between folders, specifically the "sent" folder, which happens to contain the Internet worm within a message. This is another strong reason to update to the security patch, if not already done.
This is an Internet worm which uses JavaScript and an ActiveX control, called "Scriptlet Typelib", to propagate itself through email using MS Outlook Express. This worm consists of 3 components: an HTA file (HTML Application), a REG file (Registration Entries Update) and a BAT file (MS-DOS Batch).
When an e-mail or newsgroup message infected by this worm is opened by a reader which supports JavaScript in HTML, the script checks to see if MS Internet Explorer 5 or higher is installed. If it is, using an ActiveX exploit known as "Scriptlet TypeLib", the script writes the KAK.HTA file to the Startup folder of the local machine. This will launch the code embedded in the HTA file at the next Windows startup. Microsoft has published a security update which addresses this ActiveX exploit, and users are encouraged to update their systems with this component. With this update installed, users are questioned if they wish to run the ActiveX control, which "might be unsafe". For more details on this vulnerability and to obtain a patch from Microsoft, see Microsoft Security Bulletin MS99-032: http://www.microsoft.com/security/bulletins/ms99-032.asp
For current security bulletins from Microsoft, see: http://www.microsoft.com/security/bulletins/current.asp
E-mail messages written in HTML format will be coded with the Internet worm on infected systems due to the default signature modification on infected systems. The email application Outlook is a target of this Internet worm for propagation due to its support for HTML format messages. If an email message is coded with the worm code and it is allowed to run, files are written to the local machine in different locations:
c:\windows\kak.htm
c:\windows\system\(name).hta
KAK.HTA is written to either folder:
French Windows: c:\windows\Menu Démarrer\Programmes\Démarrage\
English Windows: c:\windows\Start Menu\Programs\StartUp\
In the above list, "(name)" is a seemingly random 8 character name (e.g. 98278AE0.HTA); however, it is related directly to a registry entry. This worm first copies the original AUTOEXEC.BAT file to AE.KAK. Then the AUTOEXEC.BAT file is modified to overwrite the file KAK.HTA and then delete it from the StartUp folder. The system registry is also modified when the script executes a shell registry update using regedit and the REG file written to the local system. The registry modification is this:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cAg0u = "C:\WINDOWS\SYSTEM\(name).hta"
The entry "(name)" is an 8 character name (e.g. 98278AE0.HTA). The email spreading method is possible by a registry modification which adds a signature to MS Outlook. The signature is set to include the file "C:\WINDOWS\kak.htm" and is set as the default signature, such that the worm is spread on all outgoing email if the signature is included. Finally, this worm also has a payload which is date activated. On the 1st of the month, beginning from 6PM local time, a message is displayed:
"Kagou-Anti-Kro$oft says not today!"
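As an added defender-side illustration (it is not part of the forwarded alert and is not McAfee's or AVERT's own tooling), the following Python looks for the two persistence traces the alert describes: a value under a CurrentVersion\Run key that launches an .hta file, and any value whose data references C:\WINDOWS\kak.htm (the default-signature trick). It reads a registry export in REGEDIT4 text form, so it can be run offline against a .reg file taken from a suspect machine. The sample export below is constructed; the mail-client signature key path in it is a placeholder, since the alert does not name the real key. The should_scan() helper shows what AVERT's ".HT?" extension recommendation means in practice: the pattern catches .hta and .htm but not .html.

```python
import fnmatch
import re

# Constructed REGEDIT4 export for demonstration; not taken from a real
# machine. The Signature key path is a placeholder (the alert gives the
# signature file name, not the registry location Outlook stores it in).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"cAg0u"="C:\\WINDOWS\\SYSTEM\\98278AE0.hta"

[HKEY_CURRENT_USER\Software\Example\MailClient\Signature]
"Default"="C:\\WINDOWS\\kak.htm"
"""

# Matches a quoted string value line: "name"="data"
_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: data}}.

    Only quoted string (REG_SZ) values are handled; hex/dword lines and
    comments are ignored, which is enough for Run-key triage."""
    result = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
        elif key is not None:
            m = _VALUE_RE.match(line)
            if m:
                name, data = m.groups()
                # .reg files escape backslashes as "\\"; restore them.
                result[key][name] = data.replace("\\\\", "\\")
    return result


def find_kak_indicators(text):
    """Return (key, value_name, data) triples matching the traits above:
    a Run value launching an .hta, or any value referencing kak.htm."""
    hits = []
    for key, values in parse_reg(text).items():
        is_run_key = key.lower().endswith(r"\currentversion\run")
        for name, data in values.items():
            low = data.lower()
            if is_run_key and low.endswith(".hta"):
                hits.append((key, name, data))
            elif "kak.htm" in low:
                hits.append((key, name, data))
    return hits


# Example scanner extension list, with AVERT's recommended ".HT?" added.
SCAN_PATTERNS = ["*.exe", "*.com", "*.vbs", "*.ht?"]


def should_scan(filename, patterns=SCAN_PATTERNS):
    """True if the file name matches one of the scanner's extension patterns.
    "*.ht?" matches one character after "ht", so .hta and .htm are covered
    while .html is not."""
    return any(fnmatch.fnmatch(filename.lower(), p) for p in patterns)


if __name__ == "__main__":
    for key, name, data in find_kak_indicators(SAMPLE_REG):
        print(f"suspicious: [{key}] {name} = {data}")
    for fn in ("98278AE0.HTA", "kak.htm", "page.html", "readme.txt"):
        print(f"{fn}: {'scan' if should_scan(fn) else 'skip'}")
```

Run against a real export with `find_kak_indicators(open("export.reg").read())`. The Run-key check is deliberately generic: any .hta launched at startup is worth a look, not only the cAg0u value name, because the alert notes that the file name itself is randomised.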
To check your system for this virus, and to learn how to protect yourself from computer viruses, visit the McAfee PC Clinic at http://clinic.mcafee.com.
This email was sent to you by Laurie Loeb
Symantec Anti Virus Research Center http://www.sarc.com/
This page is considered the industry standard information source for new virus hoaxes and false alerts. Bookmark now.
Hoax warnings are typically scare alerts started by malicious people - and passed on by innocent users who think they are helping the community by spreading the warning.
Do not forward hoax messages. We've seen cases where e-mail systems have collapsed after dozens of users forwarded a false alert to everybody in the company. Corporate users can get rid of the hoax problem by simply setting a strict company guideline: End users must not forward virus alarms. Ever. It's not the job of an end user anyway. If such a message is received, end users could forward it to the IT department but not to anyone else.
Do note that we generally add only virus-related hoaxes to this list. We cannot evaluate whether non-computer related folklore stories are urban legends or true stories. We're not going to add them to this list either. Check http://www.urbanlegends.com for general urban legends.