
New Virus Worms affecting Microsoft E-Mail products. (From F-Secure)




This press release comes from F-Secure. For more 
information on F-Secure's mailing list policy, 
see end of message.

Press release

F-SECURE CORPORATION WARNS OF TWO NEW WIDESPREAD COMPUTER WORMS

Irok and Kak worms spreading globally


Espoo, Finland, March 30, 2000 - F-Secure Corporation, a leading provider
of centrally-managed, widely distributed security solutions, is warning
computer users about two new e-mail worms that are currently spreading
rapidly in several locations around the world. The Irok and Kak worms both
spread via e-mail as electronic chain letters, much like the infamous
Melissa virus did exactly one year ago. F-Secure Anti-Virus will protect
users against these new threats.

Technically, the Irok and Kak worms operate in very different ways, but
both spread via Microsoft Outlook e-mail and are very widespread right now.
The biggest difference to the end user is that Irok arrives in an
attachment called IROK.EXE while Kak arrives in a normal e-mail which
apparently has no attachment at all.

Both worms are only a threat to Microsoft Windows users and both worms only
spread further via the Microsoft Outlook e-mail application.

The Irok worm spreads as a 10001-byte sized program called IROK.EXE. It
works under Microsoft Windows 95, 98, NT and 2000. It replicates further
via e-mail if Microsoft Outlook is available. It does not work with Outlook
Express.

When IROK.EXE is executed, the worm modifies the system so that the next
time the machine is started, the worm will send an e-mail message to 60
e-mail addresses found in Outlook's address books. These addresses can be
addresses of individual people or group addresses (such as mailing lists).

The message that the worm spreads itself with looks as follows:

  From: (name of the infected user)
  To: (random e-mail address from address book) 
  Subject: I thought you might like to see this.

  Text: I thought you might like this. I got it from paramount pictures
website. It's a startrek screen saver.

  Attachment: IROK.EXE

The virus also tries to locate the mIrc chat client and will attempt to
modify it to spread the virus further via chat channels, and it infects COM
and EXE program files found on the local hard drive. 

Eventually, the virus will display a long message on the screen and will
try to overwrite files on the hard drive.

The Kak worm is written in JavaScript. It works under English and French
versions of Windows 95/98; it does not work under Windows NT or Windows
2000. Kak replicates further via e-mail only if Outlook Express 5.0 is
installed - it does not work with normal Microsoft Outlook.

The worm uses a known security vulnerability in Outlook Express to execute
automatically when e-mail is viewed. Once the user receives an infected
email message, and opens or views the message in the preview pane, the worm
modifies the system in such a way that the next time the machine is
started, the standard e-mail signature of the user is replaced with an HTML
file infected by the virus.

As a result, every e-mail message after that will contain the worm and will
infect the recipient's machine as soon as it is opened in Outlook Express.

The Kak worm activates on the first day of each month if the machine is
restarted after 5 pm. At this time the virus will show this message: 

    Kagou-Anit-Kro$oft say not today!

After this, the worm will shut down Windows, but no permanent damage is done.

The Outlook Express security hole exploited by this worm can be closed by
disabling "Active Scripting" in Outlook Express Preferences. Microsoft
[NASDAQ: MSFT] has also done an update to fix this problem. The update has
been available since August 1999.
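
An added example, not part of the F-Secure release: a mail-gateway style screen built on the indicators quoted above (the Irok subject line, the IROK.EXE attachment name and its 10001-byte size). The "html-script" check for Kak is an assumed heuristic, and the sample messages, addresses and function names are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the press release above.
IROK_SUBJECT = "I thought you might like to see this."
IROK_ATTACHMENT = "irok.exe"
IROK_SIZE = 10001  # bytes

def screen_message(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message matches the descriptions."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip() == IROK_SUBJECT:
        reasons.append("irok-subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name == IROK_ATTACHMENT:
            reasons.append("irok-attachment-name")
            if len(payload) == IROK_SIZE:
                reasons.append("irok-attachment-size")
        elif name.endswith((".exe", ".com")):
            reasons.append("executable-attachment")
        # Assumed heuristic for Kak: no attachment, script inside an HTML body.
        if part.get_content_type() == "text/html" and b"<script" in payload.lower():
            reasons.append("html-script")
    return reasons

def build_sample(subject, html=None, attach_name=None, attach_size=0) -> bytes:
    """Construct a harmless test message (addresses and bodies are made up)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.org", "bob@example.org", subject
    m.set_content("constructed plain-text body")
    if html:
        m.add_alternative(html, subtype="html")
    if attach_name:
        m.add_attachment(b"\x00" * attach_size, maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_bytes()

if __name__ == "__main__":
    print(screen_message(build_sample(IROK_SUBJECT, attach_name="IROK.EXE", attach_size=IROK_SIZE)))
    print(screen_message(build_sample("hello", html="<html><script>/* inert */</script></html>")))
    print(screen_message(build_sample("hello")))
```

The attachment name is matched case-insensitively and the size is measured after transfer decoding, so a base64-encoded copy still matches the 10001-byte figure.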

"It is disturbing to see that virus writers continue to harass innocent
bystanders with their creations," says Mikko Hypponen, Manager of
Anti-Virus Research at F-Secure Corporation. "The virus writers have
absolutely nothing to gain and everything to lose by writing these things.
Obviously they learnt nothing from what happened to the author of Melissa."

Mr. David L. Smith, the alleged author of the Melissa e-mail worm that went
around the world a year ago (on March 28, 1999), has pleaded guilty to a
second-degree charge of computer theft in December 1999 in New Jersey
Superior Court. He faces a five to ten year prison term and up to a
$150,000 fine.

Both Irok and Kak worms can be stopped with up-to-date anti-virus software.
F-Secure Corporation has added detection of these worms to the latest
version of F-Secure Anti-Virus.

Free evaluation copies of F-Secure Anti-Virus are available at: 

http://www.F-Secure.com/gallery/

Further technical information and screenshots of the worms are available at:
http://www.F-Secure.com/virus-info/v-pics/

About F-Secure Corporation 

F-Secure Corporation is a leading developer of centrally managed, widely
distributed security solutions. The company offers a full range of
award-winning, integrated anti-virus, file encryption and VPN solutions for
workstations, servers and gateways. F-Secure Corporation products and
Framework are uniquely suited for delivery of Security as a Service™ by
enterprise IT departments as well as a wide range of partners including
ISPs, outsourcing firms and ASPs. For the end-user, Security as a Service
is invisible, automatic, reliable, always-on, and up-to-date. For the
administrator, Security as a Service means policy-based management, instant
alerts, and centralized management of a widely-distributed user base.  

Founded in 1988, F-Secure Corporation is listed on the Helsinki Stock
Exchange (HEX: FSC). The company is headquartered in Espoo, Finland with
North American headquarters in San Jose, California, as well as offices in
Canada, Germany, China, France, Japan and the United Kingdom. F-Secure
Corporation is supported by a network of VARs and Distributors in over 90
countries around the globe.

For more information, please contact

Finland:
F-Secure Corporation
Mr. Mikko Hyppönen, Manager, Anti-Virus Research.
PL 24
FIN-02231 ESPOO
Tel +358 9 8599 0513
Fax +358 9 8599 0599
E-mail: Mikko.Hypponen@xxxxxxxxxxxx

USA:
F-Secure Inc.
Mr. Dan Takata, Manager, Training Division, Professional Services
675 N. First Street, 8th Floor
San Jose, CA 95112
Tel. +1 408 938 6700
Fax  +1 408 938 6701
E-mail: Dan.Takata@xxxxxxxxxxxx

http://www.F-Secure.com/


Mailing list policy

You have previously expressed interest in our products, or have asked
to be included on one of our press release lists by personally giving us
your e-mail address for this purpose. Our mailing lists are for the
exclusive use and the expressed purpose of F-Secure and are not
sold or given to third parties.

If you no longer wish to receive our press releases, or your email address 
has been added to our lists without your consent, you can unsubscribe at 
http://www.F-Secure.com/news/subscribe.html

If you only wish to receive our press releases concerning viruses, 
please go to 
http://www.F-Secure.com/news/subscribe.html
and first unsubscribe from 
press-english-interest@xxxxxxxxxxxxxxxxxx
and then subscribe to 
press-english-virus-announcement@xxxxxxxxxxxxxxxxxx