[Micronet] SANS Alert on Resume and KAK Viruses (fwd)

From: Jerome M Berkman (jerry@uclink4.berkeley.edu)
Date: Sat May 27 2000 - 18:08:02 PDT

    Here is an alert about another virus, this time a Word Macro virus.

            - Jerry Berkman, WSSG

    ---------- Forwarded message ----------
    Date: Sat, 27 May 2000 11:34:11 -0600 (MDT)
    From: The SANS Institute <sans@sans.org>
    To: Jerry Berkman <jerry@uclink.berkeley.edu>
    Subject: SANS Alert on Resume and KAK Viruses

    To: Jerry Berkman (SD131766)
    From: Alan Paller for the SANS Alert Service
    Subject: The Resume virus is lethal to computer files and the Kak virus
    went to 50,000 people

    News reports concerning the Resume virus are correct. It is a variant of
    Melissa, with a more vicious payload. At the same time, Kak is beginning
    to live up to its advance billing as the world's number 1 virus this
    summer. Actions are needed now to stop both threats. Details below.

    RESUME
    ********

    The Resume virus (also known as Melissa.BG) is a very dangerous Word Macro
    virus because it attempts to spread to everyone in available address books
    and tries to delete all files in the following directories and drives:
    C:\*.*
    C:\My Documents\*.*
    C:\WINDOWS\*.*
    C:\WINDOWS\SYSTEM\*.*
    C:\WINNT\*.*
    C:\WINNT\SYSTEM32\*.*
    A:\*.* [may cause an error message]
    B:\*.* [may cause an error message]
    and *.* in the root of drives D: thru Z:

    * * * *
    The email message in which it arrives looks like this:

    Subject: Resume - Janet Simons

    To: Director of Sales/Marketing,

    Attached is my resume with a list of references contained within.

    Please feel free to call or email me if you have any further questions
    regarding my experience. I am looking forward to hearing from you.

    Sincerely,

    Janet Simons.
    "Explorer.doc"

    * * * * * * * *
    Actions Required

    The correct action is to ensure no one opens the attachment and, better,
    if you have the skills, to set up email filters that stop any offending
    messages. Tell people to deactivate their executive summary feature in
    Microsoft Outlook, and only then delete the e-mail without opening.
     
    Valuable data from the top virus vendors (those involved in maintaining
    the Information Security DEW Line [Digital Early Warning Line]):

    Norton Anti Virus: http://vil.nai.com/villib/dispvirus.asp?virus_k=98661

    Symantec: http://www.symantec.com/avcenter/venc/data/w97m.melissa.bg.html

    Sadly, Resume defense is not the only action needed right now.

    KAK
    ***

    Fifty thousand systems received the KAK virus on May 24.

    See:
    http://www.msnbc.com/news/412717.asp

    The story, in brief, is that 50,000 clients of Shoppingplanet.com received
    an infected email newsletter (not an attachment) and those who previewed
    or read the email in Outlook Express almost certainly became infected.

    The MSNBC reporter goes on to say:

    "Kak is one of the first of a new breed of viruses that can infect users
    simply when they read an e-mail, or even by previewing an e-mail
    using Microsoft's Outlook Express - opening an attached file is not
    required. After infection, the virus sends a copy of itself with every
    message the victim sends. The virus payload, however, is not malicious. It
    does not attempt to delete any files."

    If you have not made sure every PC in your organization has corrected the
    Microsoft flaw, see the May 10 Alert:
    http://www.sans.org/newlook/alerts/virus.htm

    The fix takes less than 5 minutes!

    When someone combines the vicious actions of Resume with the delivery
    system of KAK, you'll be very happy you made the fix.
     
                                AP
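
The alert's advice to set up email filters for Resume, sketched in Python. This is an added example, not part of the SANS alert or the forwarded message. It uses only the subject line and attachment name quoted in the alert; the function names, the substring match on the subject, and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the alert text above.
RESUME_SUBJECT = "resume - janet simons"
RESUME_ATTACHMENT = "explorer.doc"


def norm(value):
    """Collapse whitespace and case so trivial variations still match."""
    return " ".join((value or "").split()).lower()


def check_message(raw_bytes):
    """Return the alert indicators found in one raw e-mail message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    # policy.default decodes RFC 2047 encoded-words in the Subject header.
    # Substring match (an assumption) also catches "Fwd:" / "Re:" copies.
    if RESUME_SUBJECT in norm(msg["Subject"]):
        hits.append("subject")
    for part in msg.walk():
        # get_filename() checks Content-Disposition, then Content-Type name=.
        if norm(part.get_filename()) == RESUME_ATTACHMENT:
            hits.append("attachment")
            break
    return hits


def should_quarantine(raw_bytes):
    """Hold the message for review if either indicator is present."""
    return bool(check_message(raw_bytes))


def build_sample(subject, filename=None):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("body text")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="msword", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(check_message(build_sample("Resume - Janet Simons", "Explorer.doc")))
```

A filter like this covers only the Resume message described in the alert; Kak arrives in the message body rather than as an attachment, so it depends on the fix the alert points to.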



