Hmm, interesting. Actually, I had my email client (I use Pegasus, which doesn't generally suffer from the same vulnerabilities as the MS stuff) use plain text mode. The only thing I can think of that may have caused the RTF to be included is that I used cut & paste when I copied the info from the Trend Micro web site. Pegasus is a little flaky in this regard. I did notice after I sent the message that the hyperlinks (the {HYPERLINK "glossary.asp" \l "solution"} stuff) had been translated into text, which surprised me since these should have been left as literals.
In any case, it was RTF not HTML, which is the vector for the previously referenced viruses. I'm not aware of any viruses currently afield which can hook you via RTF. Sorry if I caused you any concern.
-Wes
Date forwarded: Thu, 8 Jun 2000 15:49:59 -0700
From: "Anthony Gades" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: RE: Viruses on the List (How to Fix)
Date sent: Thu, 8 Jun 2000 15:25:56 -0700
Forwarded by: [EMAIL PROTECTED]
Send reply to: [EMAIL PROTECTED]
> You sent this message in rtf format -
>
> -tony gades
>
>
>
> -----Original Message-----
> From: Wes Neuenschwander [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 08, 2000 09:26
> To: [EMAIL PROTECTED]; bhtrading
> Subject: Re: Viruses on the List (How to Fix)
>
>
> Bill and all others who might be interested:
>
> Following is a copy of my earlier post on the VBS_KakWorm.A-M
> virus{HYPERLINK "glossary.asp" \l "solution"} that has affected some of the
> list members' PCs.
>
> Much of the information in this post was taken from the Trend Micro site - a
> great reference site for all PC viruses, as well as a source for a free
> online virus checker. You can check out the virus information at the Trend
> Micro site at:
>
> http://www.antivirus.com/vinfo/
>
> The Trend Micro online virus checker (called Housecall) is available at:
>
> http://housecall.antivirus.com/housecall/start_corp.asp
>
> Following the repost of my original message below I have also included the
> complete set of instructions from the Trend Micro site for ridding your PC
> of the VBS_KakWorm.A-M virus{HYPERLINK "glossary.asp" \l "solution"}. THIS
> PROCEDURE IS NOT FOR THE FAINT OF HEART OR FOR THE INEXPERIENCED. Please
> read the cautionary note carefully before using this procedure!
>
> REPOST OF ORIGINAL MESSAGE ON THE VBS_KakWorm.A-M virus{HYPERLINK
> "glossary.asp" \l "solution"}:
> _______________
>
> From: Wes Neuenschwander <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Viruses on the List
> Date sent: Fri, 26 May 2000 08:33:38 -8
>
> Follow-up to my previous post:
>
> I have some additional information on the virus that has been reported to
> have been transmitted from email from the list.
>
> The virus name is VBS_KakWorm.A-M. It works by inserting itself into the
> message body (or, in one variant, the signature line) of messages sent from
> Outlook Express. It is activated simply by VIEWING THE MESSAGE IN THE
> PREVIEW PANE OF OUTLOOK EXPRESS. Please note the last two items carefully:
> This virus DOES NOT REQUIRE AN EMAIL ATTACHMENT TO PROPAGATE and DOES NOT
> REQUIRE YOU TO DO ANYTHING OTHER THAN LOOK AT THE MESSAGE TO INFECT YOUR
> COMPUTER! As such, this is a particularly insidious virus which has the
> potential to spread rapidly, especially through an email list.
>
> More information on this (and other) viruses is available at:
>
> http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_KAKWORM.A-M
>
> (You may have to re-enter the name VBS_KAKWORM.A-M in the Search Again box)
>
> Fortunately, it's not particularly destructive, mainly just annoying
> (displaying messages and possibly shutting down your computer).
> Nevertheless, it's incumbent on all of us to take the time to implement
> precautions to ensure that we don't continue propagating this virus!
>
> What you can do:
>
> 1) Install and regularly run an effective virus checking program. McAfee,
> Norton and several other companies provide good virus protection software at
> a reasonable price. Be sure you regularly update the "virus definition
> files" to ensure your software can recognize and deal with the most recent
> versions of these "computer plagues".
>
> Alternatively, use one of the free online virus scanning programs, such as
> Housecall from Trend Micro (http://housecall.antivirus.com/).
>
> 2) Get the latest updates for your Outlook Express (or Outlook) and Internet
> Explorer programs. Microsoft regularly issues updates for these (and other)
> products designed to prevent viruses and other security problems from
> spreading. Just click on the Help button and select Online Support to go to
> the Microsoft updates page(s) on the web. Or - better yet - install and use
> Live Update (if you have this feature available) to be informed
> automatically of security fixes and other updates for your MS products.
>
> 3) Send all messages using the Plain Text mode rather than Rich Text or HTML
> or other format embedded modes. This particular virus (and others like it)
> exploits the built-in programming capabilities of the HTML scripting language
> in Outlook. Sending your messages using Plain Text mode will prevent the
> spread of these types of viruses. (It will not prevent the spread of viruses
> included in attachments though; you will need to continue to use common
> sense and not run attachments of uncertain pedigree sent via email.)
>
> To send an email message as plain text, just click on the Format button on
> the message toolbar and select Plain Text.
>
> To configure Outlook Express to send emails as plain text by default, go to
> the Outlook Express toolbar and select Tools/Options/Send and select Plain
> Text under the Mail Sending Format section.
>
> As I've said before, Rich Text/HTML messages are not appropriate for the
> list in any case, since not all email clients can read them properly. Couple
> that with the substantial - and growing - risk of spreading destructive
> viruses via HTML and Rich Text/HTML mode becomes downright unsociable.
> Expect to get a little "reminder" email from me if we continue to see HTML
> postings to the list!
>
> And please, continue to email me directly (including a copy of the offending
> email) if you receive suspect email from the list. Please be sure to include
> all the original email header information (original poster, date/time, etc.)
> to assist in tracking the source.
>
> My email address is: [EMAIL PROTECTED]
>
> Be sure to clearly identify the email as being Waflyfishers List Virus
> Related Email, so I don't accidentally infect my PC while trying to address
> the problem!
>
> Many thanks to list member Bill Brown (and others) for providing much of the
> information above. And special thanks to Jim Medick for first bringing this
> problem to my attention several weeks ago. I'm sorry Jim that I didn't have
> enough information at that time to pursue it further.
>
> It's now up to us to clean up our machines and email practices and help
> stave off this growing - and potentially very destructive - problem.
>
> -Wes
>
> _______________
>
> END OF REPOST OF ORIGINAL MESSAGE ON THE VBS_KakWorm.A-M virus{HYPERLINK
> "glossary.asp" \l "solution"}
>
> **************
>
> TREND MICRO PROCEDURE FOR ELIMINATING THE VBS_KakWorm.A-M VIRUS:
> Following is the procedure recommended by the Trend Micro site for ridding
> your PC of the VBS_KakWorm.A-M virus. (Note: These procedures should only be
> attempted by someone familiar with the workings of the Windows operating
> system and comfortable with the prospect of editing these critical Windows
> systems files. If you are not comfortable with the procedures described
> below - DON'T DO IT! Get someone competent to assist you in making these
> changes. FAILURE TO FOLLOW THESE INSTRUCTIONS CAREFULLY MAY RENDER YOUR
> COMPUTER INOPERABLE!!!)
> Once Infected DO NOT REBOOT or re-log your computer.
> Please delete the following:
> 1. The lines in your Autoexec.bat
>    @echo off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta
>    del C:\Windows\STARTM~1\Programs\StartUp\kak.hta
> 2. In the following folders
>    C:\Windows\START MENU\Programs\StartUp\kak.hta
>    C:\WINDOWS\KAK.HTA
> 3. In your Registry
>    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Run\cAg0u = C:\WINDOWS\SYSTEM\.hta
>    HKEY_CURRENT_USER\Identities\<USER'S identity\Software\Microsoft\Outlook Express\5.0\signatures\Default Signature = 00000000
>
>
>
> Wes Neuenschwander Seattle, WA [EMAIL PROTECTED]
>
Wes Neuenschwander Seattle, WA [EMAIL PROTECTED]
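
Added example, not part of the original messages: the thread's distinction between plain text, RTF and HTML mail, written as a check a list moderator could run over a submitted message to see which body formats it carries and whether an HTML part contains script-capable markup. The tag list, the `scan_message` helper and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Assumption: tags treated as "active content"; not a list taken from the thread.
ACTIVE_TAGS = {"script", "object", "applet", "embed", "iframe"}

class ActiveContentFinder(HTMLParser):
    """Records tags and event-handler attributes that can run code on render."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}>")
        for name, _ in attrs:
            if name.startswith("on"):  # heuristic for onload=, onclick=, ...
                self.findings.append(f"{tag} {name}=")

def scan_message(raw):
    """Return {content_type: [findings]} for each text part of one message."""
    report = {}
    for part in message_from_string(raw, policy=default).walk():
        if part.get_content_maintype() != "text":
            continue  # multipart containers and attachments are out of scope
        ctype = part.get_content_type()
        found = report.setdefault(ctype, [])
        if ctype == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            finder.close()
            found.extend(finder.findings)
    return report

# Constructed sample messages (no payload; addresses are placeholders).
HEAD = "From: a@example.invalid\nTo: list@example.invalid\nSubject: sample\n"
SAMPLE_PLAIN = HEAD + "Content-Type: text/plain\n\nTight lines, everyone.\n"
SAMPLE_HTML = HEAD + (
    'MIME-Version: 1.0\nContent-Type: multipart/alternative; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nhello\n"
    "--b1\nContent-Type: text/html\n\n"
    '<html><body onload="noop()">hello\n'
    '<script language="JavaScript">/* placeholder */</script></body></html>\n'
    "--b1--\n"
)

if __name__ == "__main__":
    for label, raw in (("plain", SAMPLE_PLAIN), ("html", SAMPLE_HTML)):
        print(label, scan_message(raw))
```

A message whose report has only a `text/plain` key matches the posting format the list asks for; any `text/html` key with findings is one to hold for review.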
