Thanks Mike D, that explains it thoroughly. I should have realized that there's more than one type of virus. (When I said "what an ugly bug" I meant the caricature of a screeching bug in McAfee's sudden pop-up warning window.)
In any event I did not mean to convey that we should not take every possible preventive measure ourselves rather than saddle you with it. Like everyone else I do thank you for making this list possible. Brita. ----- Original Message ----- From: "M. G. Devour" <[email protected]> To: <[email protected]> Sent: Sunday, March 25, 2001 8:36 AM Subject: CS>Virus Alerrt -- List Owner Analysis > Brita wrote: > > I thought Mike D had put in a fix for it already. Yikes, what an ugly > > bug showed up on my screen. But not for long. > > Okay, it took me a while to find out where this bug came from. Yes, it > was the post from Nancy, [email protected], to the "Personal > Experience Update" thread. > > The bug is an embedded Visual Basic script in the HTML portion of > Nancy's e-mail. > > She's using Microsoft Outlook Express and has HTML formatting turned > on. This allows Outlook to embedd one copy of the message in one part > of the MIME multipart message, labeled "Content-Type: text/plain" ... > > ... followed by another copy of her message identified as > "Content-Type: text/html" ... this one formatted in HTML, which adds > *LOTS* of size and no informational value to her message, but allows > her to use bold, italics, various fonts and character sizes, colors > and whatever, if she chooses. > > Unfortunately, HTML formatting also permits the message to contain an > executable script, embedded invisibly right along with the text of her > message, contained within <script>... </script> tags. Everything in > between appears to my untrained eye to be a Visual Basic Script > ActiveX control which seems, at least, to modify autoexec.bat and add > lines to the registry. > > I also understand from further study that it mucks around with Outlook > Express settings as well, making a copy of itself the default signature > file for messages you send out using Outlook, thus assuring its > propagation to other systems. > > You can get more info about this worm at the following URL: > > http://www.antivirus.com/pc-cillin/vinfo/ > > Kakworm is one of the "top 10 viruses" in the list, or you can enter > kakworm.a in the search window... > > Brita wrote: > > I thought Mike D had put in a fix for it already. > > I've blocked parts of a multipart message which contain executables, > batch files, scripts and the like. I haven't done anything to block > embedded scripts like this. In fact it's the first example I've seen of > the fabled "malicious HTML" they've always warned us about. > > I didn't get the bug because my mail reader always asks if I want to > view HTML messages in the browser or as plain text. I always choose > text. Outlook Express users are not so lucky, as the default > configuration displays the message in the "preview" window, which, due > to a gaping security flaw, actually allows the script to execute and > infect the system. > > I believe that the most current updates to Outlook Express and > Internet Explorer plug this security hole, but everybody who has *not* > visited the Microsoft Update web site on a regular basis is still > vulnerable (which I imagine is most people). > > Can anybody give us concise instructions for upgrading our security > settings to make it less likely to catch this sort of bug? > > I'll start doing some digging to see if I can find or build a procmail > script to strip out embedded scripts from HTML, or maybe tackle the > job of dumping HTML entirely, tho that's a whole 'nuther level of > complexity, so I hear, given the inglorious profusion of incompatible > variations on all the standards. > > Once again, this foolishness is brought to you by the highly competent > and skilled programmers at Microsoft... <sigh> > > Be well, > > Mike Devour > silver-list owner > > [Mike Devour, Citizen, Patriot, Libertarian] > [[email protected] ] > [Speaking only for myself... ] > > > -- > The silver-list is a moderated forum for discussion of colloidal silver. > > To join or quit silver-list or silver-digest send an e-mail message to: > [email protected] -or- [email protected] > with the word subscribe or unsubscribe in the SUBJECT line. > > To post, address your message to: [email protected] > Silver-list archive: http://escribe.com/health/thesilverlist/index.html > List maintainer: Mike Devour <[email protected]> >
