This press release comes from F-Secure. For more
information on F-Secure's mailing list policy,
see end of message.
Press release
F-SECURE CORPORATION WARNS OF TWO NEW WIDESPREAD COMPUTER WORMS
Irok and Kak worms spreading globally
Espoo, Finland, March 30, 2000 - F-Secure Corporation, a leading provider
of centrally-managed, widely distributed security solutions, is warning
computer users about two new e-mail worms that are currently spreading
rapidly in several locations around the world. The Irok and Kak worms both
spread via e-mail as electronic chain letters, much like the infamous
Melissa virus did exactly one year ago. F-Secure Anti-Virus will protect
users against these new threats.
Technically, the Irok and Kak worms operate in very different ways, but
both spread via Microsoft Outlook e-mail and are very widespread right now.
The biggest difference to the end user is that Irok arrives in an
attachment called IROK.EXE while Kak arrives in a normal e-mail which
apparently has no attachment at all.
Both worms are only a threat to Microsoft Windows users and both worms only
spread further via the Microsoft Outlook e-mail application.
The Irok worm spreads as a 10001-byte program called IROK.EXE. It
works under Microsoft Windows 95, 98, NT and 2000. It replicates further
via e-mail if Microsoft Outlook is available. It does not work with Outlook
Express.
When IROK.EXE is executed, the worm modifies the system so that the next
time the machine is started, the worm will send an e-mail message to 60
e-mail addresses found in Outlook's address books. These addresses can be
addresses of individual people or group addresses (such as mailing lists).
The message that the worm spreads itself with looks as follows:
From: (name of the infected user)
To: (random e-mail address from address book)
Subject: I thought you might like to see this.
Text: I thought you might like this. I got it from paramount pictures
website. It's a startrek screen saver.
Attachment: IROK.EXE
The virus also tries to locate the mIrc chat client and will attempt to
modify it to spread the virus further via chat channels, and it infects COM
and EXE program files found on the local hard drive.
Eventually, the virus will display a long message on the screen and will
try to overwrite files on the hard drive.
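
As an added example (not part of the F-Secure release), a mail gateway could check incoming messages for the Irok indicators given above: the subject line, the attachment name IROK.EXE and its 10001-byte size. The function names, sample addresses and sample messages are constructed for illustration; Kak is not covered, since it arrives with no attachment.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the press release text.
IROK_SUBJECT = "i thought you might like to see this."
IROK_NAME = "irok.exe"
IROK_SIZE = 10001  # bytes, decoded attachment size


def irok_indicators(raw):
    """Return the list of Irok indicators found in a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip().lower() == IROK_SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()  # None for parts without a filename
        if not name or name.strip().lower() != IROK_NAME:
            continue
        hits.append("attachment-name")
        # decode=True undoes base64/quoted-printable so the size is the
        # size of the file itself, not of its transfer encoding.
        payload = part.get_payload(decode=True) or b""
        if len(payload) == IROK_SIZE:
            hits.append("attachment-size")
    return hits


def build_sample(subject, filename, size):
    """Constructed test message; the attachment body is just zero bytes."""
    m = EmailMessage()
    m["From"] = "alice@example.com"   # hypothetical addresses
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content("I thought you might like this.")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    suspect = build_sample("I thought you might like to see this.",
                           "IROK.EXE", 10001)
    benign = build_sample("Quarterly report", "report.pdf", 2048)
    print(irok_indicators(suspect))
    print(irok_indicators(benign))
```

The name and subject checks are case-insensitive; the size check only adds confidence and should not be used on its own.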
The Kak worm is written in JavaScript. It works under English and French
versions of Windows 95/98; it does not work under Windows NT or Windows
2000. Kak replicates further via e-mail only if Outlook Express 5.0 is
installed - it does not work with normal Microsoft Outlook.
The worm uses a known security vulnerability in Outlook Express to execute
automatically when e-mail is viewed. Once the user receives an infected
email message, and opens or views the message in the preview pane, the worm
modifies the system in such a way that the next time the machine is
started, the standard e-mail signature of the user is replaced with an HTML
file infected by the virus.
As a result, every e-mail message after that will contain the worm and will
infect the recipient's machine as soon as it is opened in Outlook Express.
The Kak worm activates on the first day of each month if the machine is
restarted after 5 pm. At this time the virus will show this message:
Kagou-Anit-Kro$oft say not today!
After this, the worm will shut down Windows, but no permanent damage is done