Script virus looks to ring in new year
Robert Lemos, ZDNet

On Saturday, Computer Associates International Inc. (NYSE:CA) released an alert warning users of Wscript.Kak, a worm that spreads via systems that use both Microsoft Windows 98 and the Microsoft Outlook Express 5.0 e-mail client.

"From a risk perspective this is fairly low. You have to send an e-mail for it to spread," said Simon Perry, security business manager at CA, in an interview with ZDNN on Saturday. "A self-propagating virus, like Melissa, will spread itself to several others automatically and by the nature of the propagation you get a threat."

While the Melissa macro virus, which struck thousands of companies last March, required the user to open an attachment, once that had occurred, the virus spread exponentially.

Like Melissa, Wscript.Kak does not appear to do any damage to systems, but merely spreads itself by attaching a copy of the virus onto every e-mail that a user sends. That makes it a potential nuisance, at worst. The systems of corporate and home users that have turned off scripting -- a recommended strategy after the appearance of BubbleBoy two months ago -- will not be infected.

... the statement seemed somewhat ironic, since the lack of a malicious payload or any mention of it by other anti-virus firms suggested that CA itself is capitalizing on those fears.

Perry told ZDNN that a CA client found the worm, so that even though the virus has been classified as "low risk," the company believed publicizing it was the best course.

Has potential to spread
One aspect of the worm that could lead to its spreading quickly is that users don't have to click on an attachment to trigger the malicious code. If a user's Internet Explorer security settings are set to low or medium, the worm will infect the system without any user action, said the company.

The worm will then go on to change the signature settings of the user's mail to its own and then attach itself to every e-mail message the user subsequently sends. Users who have the Windows Scripting Host option turned off will not be susceptible to this, or any, scripting virus.

After infecting the computer, the worm will shut down Windows. After reboot, the worm will be running in the background, waiting to infect every e-mail the user sends out. Otherwise, CA doesn't report any malicious payload in the virus.

Trojan.Kill more destructive
Earlier this week, CA reported another virus distributed through pirated copies of Windows 98 operating systems. The virus, known as Trojan.Kill, could wipe out information saved on computers when their dates roll past Jan. 1.

"Since Trojan.Kill is directly related to Y2K and carries a destructive payload, we're concerned about the damage it can do," said Perry.

"Obviously this virus is specifically targeted at illegal software, and Computer Associates strongly recommends that all software deployed either in the business environment or for home use is a legal copy," Perry said in a statement.

Spread through traditional means such as e-mail, shared drives or floppy disks, Trojan.Kill hides behind a setup file called "Instalar.exe."
