Iris Virus - and fixer-upper
- To: d*@badbear.com, j*@ix.netcom.com, j*@hotmail.com, i*@onelist.com
- Subject: [iris-photos] Iris Virus - and fixer-upper
- From: x*@aol.com
- Date: Wed, 5 Apr 2000 20:16:45 EDT
On AOL member services they have an "online safety &
security"/Virus/chatboard. I asked about the iris virus (so to speak). Here
is what they said.
Current virus engines can detect and remove this worm. Here are the
specifics.
Virus name: WScript.Kak.worm. Added 12/31/99, Characteristics: Virus patrol
continues to identify more occurrences of this Internet worm in newsgroup
postings which is an indication that this is spreading further. This worm
was first discovered by AVERT in December and added detection for it within
4051 DAT updates. AVERT recommends ADDING ".HTA" to file extensions scanned
for protection, and also ensure users have INSTALLED THE SECURITY PATCH FROM
MICROSOFT MENTIONED BELOW.
Another dangerous aspect of this internet worm is the ability to continuously
re-infect yourself if the PREVIEW PANE IS ENABLED and you browse between
folders specifically the "sent" folder which happens to contain the Internet
worm within a message. This is another strong reason to UPDATE TO THE
SECURITY PATCH, if not already*
This is an Internet worm which uses ActiveX and Windows Scripting Host to
propagate itself through email using MS Outlook Express 5. This worm
consists of 3 components, an HTA file (HTML for Applications), a REG file
(Registration Entries Update) and a BAT file (MS-DOS Batch).
The method used to integrate these components is to have first composed an
email message in HTML which supports scripting. Using an ActiveX exploit
known as "Scriptlet TypeLib", the script writes an HTA file to the local
machine, typically in the startup folder. This will launch the code embedded
in the HTA file at the next Windows startup. Microsoft has published a
security update which addresses this ActiveX exploit and users are encouraged
to update their systems with this component. With this update installed,
users are questioned if they wish to run the ActiveX control which is marked
"safe for scripting".
Okay, now, I got the expert's advice. Somebody tell me in plain English what
I'm supposed to do here to fix the problem???. Elaine Ferris, filling in for
Richard.
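
The advisory quoted above describes an HTML message whose script uses the "Scriptlet TypeLib" control to write an HTA file. The following is an added example, not part of the original post or of the AVERT text: a mail-side check that decodes each HTML part and looks for those markers. The function names, marker labels, addresses and sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Markers drawn from the advisory: scripted HTML mail, the "Scriptlet TypeLib"
# control (ProgID Scriptlet.TypeLib) and references to .HTA files.
MARKERS = {
    "html-script": re.compile(rb"<\s*script\b", re.I),
    "scriptlet-typelib": re.compile(rb"scriptlet\.typelib", re.I),
    "hta-reference": re.compile(rb"\.hta\b", re.I),
}

def scan_message(raw: bytes) -> list[str]:
    """Return sorted marker names found in the HTML parts of one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = set()
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        # decode=True undoes base64 / quoted-printable, so an encoded body
        # cannot hide the markers from a plain substring search.
        body = part.get_payload(decode=True) or b""
        found.update(name for name, rx in MARKERS.items() if rx.search(body))
    return sorted(found)

def build_sample(html: str, cte: str = "base64") -> bytes:
    """Build a constructed multipart/alternative message (test data only)."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "list@example.test"
    m["Subject"] = "constructed sample"
    m.set_content("plain text part")
    m.add_alternative(html, subtype="html", cte=cte)
    return m.as_bytes()

# Constructed, inert samples: the script only holds the strings to match on.
SUSPECT_HTML = ('<html><body><SCRIPT>/* inert */ var a = "Scriptlet.TypeLib";'
                ' var b = "example.hta";</SCRIPT></body></html>')
CLEAN_HTML = "<html><body><p>Photos from this year's bloom</p></body></html>"

if __name__ == "__main__":
    for label, html in (("suspect", SUSPECT_HTML), ("clean", CLEAN_HTML)):
        print(label, scan_message(build_sample(html)))
```

A hit on "html-script" alone only says the message carries script; the other two markers narrow it to the pattern the advisory describes.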