Here is an actual snippet from a wscript kak worm I got today: - An
obviously inoperable small snippet, to help illustrate how to block it... $
are NOT in the original... just there to prevent those who already have a
rule in place from trashing this note. It came from one of my client's
distributors in Kenya, who uses MS Outlook of course.
<SCRIPT><!--
function sErr(){return =
true;}window.onerror=3DsErr;scr.Reset();scr.doc=3D"Z<HTML><HEAD><TITLE>Dr=
iver Memory Error</"+"TITLE><H$T$A:APPLICATION ID=3D\"hO\" =
WINDOWSTATE=
My rule is
B~hta:virusbox
and it does catch this. Not too many occurrences of that letter sequence in
the English language at least... so I have not got false triggers. Note
that there are a zillion variations of KAK, so if you filter on a long piece
of code or anything other than the executable identifier... you will
probably only block one particular strain.
Opinions re the above rule welcomed!
http://vil.nai.com/villib/dispVirus.asp?virus_k=10509 for details on the
virus.
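An added example (not from the post above, and not IMail's own matching code) of the same idea, matching the short executable identifier rather than a strain-specific code fragment, but applied after decoding the quoted-printable encoding visible in the snippet (the `=3D` escapes and trailing `=` soft line breaks). The sample body is constructed for this example, and the pattern `hta:application` is my choice; it is tighter than the post's `hta`.

```python
import quopri
import re

# Constructed sample of a quoted-printable message body in which the mailer's
# soft line break ("=" at end of line) happens to fall inside the HTA token.
# This is not taken from a real message.
SAMPLE_QP_BODY = (
    b"<SCRIPT><!--\r\n"
    b"function sErr(){return true;}window.onerror=3DsErr;scr.doc=3D\"<H=\r\n"
    b"TA:APPLICATION ID=3D'hO' WINDOWSTATE=3Dminimize>\"\r\n"
)

# Short identifier that every strain must carry to run as an HTML Application.
HTA_TOKEN = re.compile(rb"hta:application", re.IGNORECASE)


def raw_match(body: bytes) -> bool:
    """Substring test on the undecoded body, as a plain body-contains rule sees it."""
    return HTA_TOKEN.search(body) is not None


def decoded_match(body: bytes) -> bool:
    """Decode quoted-printable first so soft breaks and =3D escapes cannot hide the token."""
    return HTA_TOKEN.search(quopri.decodestring(body)) is not None


if __name__ == "__main__":
    print("raw body matches:    ", raw_match(SAMPLE_QP_BODY))      # False
    print("decoded body matches:", decoded_match(SAMPLE_QP_BODY))  # True
```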
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.