AntiVirus Rapid Reaction Zone
WScript.Kak.Worm 
Warning: a new worm named "Wscript.Kak.Worm" has been released and
mutations have been observed. FAB provides detection and removal software for the
worm, which infects Windows systems. Though we have seen
the virus in the wild, the worm requires a very specific
environment to exist before infection and spread can occur.
"Wscript.Kak" spreads through e-mail using Outlook Express 5.0 on
Windows 95 and 98 systems. The worm will infect Windows systems running
Outlook Express 5.0 even if users don't open any attachments from the
infected mail.
Once a user receives the infected HTML email, the hidden (embedded)
script code will be executed without prompting the user if the Internet
Explorer 5 security settings are set to medium or low. "Wscript.Kak" uses
a known Internet Explorer 5 exploit to write its code in the Windows
startup directory as "Kak.HTA". Additionally, it writes parts of its code
to "Kak.HTM" and creates a copy of itself in the System directory under
a random name with an .HTA file extension. This copy is
registered under the following registry key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\cAgOu"
This causes repeated execution when Windows is started.
The worm then searches for installed "Identities" in Outlook Express
5.0 and changes their registry settings to (re)assign the default
signature for composed mails to its "C:\Windows\Kak.HTM". Only systems
where the "User Identity" is not at the default setting will be affected.
Once the signature settings have been changed, "Wscript.Kak" will attach
its script code to every email sent by the user.
In addition, it adds entries to the autoexec.bat
file after first making a copy of the file named ae.kak. The entries are
as follows:
@echo off>c:\Windows\starm~1\programs\startup\kak.hta
del c:\windows\start~1\programs\startup\kak.hta
During execution the worm checks the system date and time. If the day
is the first of the month and the hour setting is greater than 17, an alert
box with the following message will be displayed:
"Kagou-Anti-Kro$oft says not today !"
The worm then attempts to shut down Windows.
"Since the user doesn't even have to open the attachment for the worm
to be executed, this has the potential to spread rapidly and quietly.
FAB is urging both business and home users to be conscientious in
deploying powerful and reliable antivirus software to protect their
systems."
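An added example, not part of the original advisory and not FABav's code: a Python check of a mounted copy of a Windows 95/98 volume for the file-system traces described above (Kak.HTA, Kak.HTM, the .HTA copy in the System directory, ae.kak and the autoexec.bat entries). The directory layout, the function names and the sample tree are assumptions of this example; the Run registry value and the Outlook Express signature setting are not examined.

```python
import os
import re

# File names come from the advisory; the directory layout (English-language
# Windows 95/98 volume mounted at `root`) is an assumption of this example.
FIXED_ARTIFACTS = {
    "windows/kak.htm": "signature file Kak.HTM",
    "windows/start menu/programs/startup/kak.hta": "Kak.HTA in the Startup folder",
    "ae.kak": "ae.kak copy of autoexec.bat",
}
AUTOEXEC_RE = re.compile(r"\\startup\\kak\.hta", re.IGNORECASE)

def index_volume(root):
    """Map lower-cased relative paths to real paths (FAT names ignore case)."""
    found = {}
    for base, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(base, name)
            found[os.path.relpath(full, root).replace(os.sep, "/").lower()] = full
    return found

def scan_kak_artifacts(root):
    """Return sorted (relative_path, reason) pairs for Kak traces under root."""
    files = index_volume(root)
    hits = [(rel, why) for rel, why in FIXED_ARTIFACTS.items() if rel in files]
    for rel in files:  # the System-directory copy has a random name ending in .HTA
        if re.fullmatch(r"windows/system/[^/]+\.hta", rel):
            hits.append((rel, "randomly named .HTA in System directory, review"))
    if "autoexec.bat" in files:
        with open(files["autoexec.bat"], encoding="latin-1") as fh:
            hits += [("autoexec.bat", "entry: " + ln.strip())
                     for ln in fh if AUTOEXEC_RE.search(ln)]
    return sorted(hits)

def build_sample_volume(root):
    """Write a constructed, inert directory tree that mimics the described traces."""
    layout = {
        "WINDOWS/KAK.HTM": "inert placeholder",
        "WINDOWS/Start Menu/Programs/StartUp/kak.hta": "inert placeholder",
        "WINDOWS/SYSTEM/A1B2C3D4.HTA": "inert placeholder",  # constructed name
        "WINDOWS/SYSTEM/SHELL32.DLL": "inert placeholder",   # must not be flagged
        "AE.KAK": "@echo off\n",
        "AUTOEXEC.BAT": "@echo off>c:\\Windows\\starm~1\\programs\\startup\\kak.hta\n"
                        "del c:\\windows\\start~1\\programs\\startup\\kak.hta\n",
    }
    for rel, text in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(text)
```

Point `scan_kak_artifacts` at the mount point of the volume copy; an .HTA hit in the System directory is only a candidate, since the advisory gives no fixed name for that file.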
Detection, Removal and Prevention
Detecting and removing this virus, and preventing
re-infection, is a simple process:
Firstly, download and run our AntiVirus software
FABav by clicking the link below. Hit the detect button to see if
your system is infected; if it is, click the clean button to remove
the virus and restore registry settings. Secondly, download and run
the Outlook Express 5.0 patch, which will fix the security hole in the
program. Thirdly and most importantly, tell everyone you know about
FAB IT Solutions' great range of products and services and where to find
FABav, the Wscript worm killer.
Terms of use for FABav: You are free to use this product for personal use. You
may not sell, loan, reverse engineer or deconstruct this program except with the express
permission of FAB IT Solutions. Usage of
this product is at your own risk; no warranties are given or
implied. FAB IT Solutions will not be responsible for any
damage caused by the use or misuse of this program. Download of the
program will be considered acceptance of these terms.
This program is designed to be used with Outlook Express 5.0 running
on Windows 98 only.
To download the program:
FABav and the Outlook Express security eyedog patch
are available by clicking the link below. If you have any problems
with downloading or with the software in general,
then visit our frequently asked questions page.
Download FABav and OE security patch