The Active Network

Y2K Virus Information

Even though most companies have gotten through the Millennium Bug, there are loads of new viruses out there just to mark the new millennium. So how do you know which one you have (if you get one) and what it does? Here is a listing of those new viruses and their properties. For more information, check out the Computer Associates website.

Feliz.Trojan Virus

Computer Associates International, Inc. (CA) today warned computer users of a new Portuguese "Happy New Year" Trojan called "Feliz.Trojan." Trojans are destructive programs that disguise themselves as benign applications. Unlike viruses, Trojans do not replicate themselves, but they can be just as destructive.

CA provides detection for the Trojan, which, when started, immediately deletes the following files:

system.dat
user.dat
c:\command.com
c:\windows\command\command.com
c:\windows\system.ini
c:\windows\win.ini
c:\windows\system.cb
c:\windows\win.com

After deleting these files it displays a bitmap of an ugly-looking face entitled "FELIZ ANO NOVO!!!" ("Happy New Year" in English). When the user presses EXIT, the Trojan displays a number of message boxes in Portuguese and exits. The computer may not be able to boot afterwards.

The Windows installation directory ("C:\windows") is hard coded in the Trojan body, so the Trojan will not cause any harm if Windows is installed in another directory.

CA's InoculateIT signature 7.73 provides detection for Feliz.Trojan.

"This Trojan indicates that the threats from virus/Trojan writers continue," said Simon Perry, CA's security business manager. "As desired by our clients, CA will continue to provide up-to-date warnings as these threats emerge and strongly recommends that computer users maintain their antivirus solutions with the latest available signature files."

"ARMAGIDON" Virus

Computer Associates International, Inc. (CA) today warned computer users of a new Word macro virus called "Armagidon". CA provides detection for the virus, which infects Word documents.

"Armagidon" spreads through traditional means such as emails, shared drives, and floppy disks. Infected documents contain two macros: "Document_Open" and "Document_New", which are stored in the class module "ThisDocument". Infected templates contain an additional macro module containing eleven macros: Auto_Exec, Auto_Exit, ToolsOptions, ToolsMacro, FileTemplates, ViewVBCode, Organizer, ToolsRecordMacroStart, ToolsRecordMacroToggle, FileSave, and FilePrint.

When an infected document is opened, the code from the "Document_Open" macro is executed, enabling "Armagidon" to infect the normal template. The virus uses a temporary file called "armagidon.bas" to create the macro module "Armagidon". On May 8th, Red Cross Day, the virus replaces the Windows mouse pointer with the Red Cross symbol.

Upon execution of the "FilePrint" function, a more dangerous payload is triggered which replaces one non-standard ASCII character with another.

"As IT professionals around the world focus on their technology environments, CA will continue to notify our clients of new viruses as we detect them," said Simon Perry, CA's Security Business Manager. "We have received very positive feedback concerning this proactive approach and will continue to provide an unparalleled level of notification to help protect our clients' environments."

"WSCRIPT/KAK" Worm

Computer Associates International, Inc. (CA) today warned computer users of a new worm named "Wscript/Kak". CA provides detection for the worm, which infects Windows98 systems. Though "Wscript/Kak" has been reported in the wild, the worm requires a very specific environment to exist before infection and spread can occur.

"Wscript.Kak" spreads through e-mail using Outlook Express 5.0 on Windows98 systems only. The worm will infect Windows98 systems running Outlook Express 5.0 even if users don't open any attachments from the infected mail.

Once a user receives the infected HTML email, the hidden (embedded) script code will be executed without prompting the user if the Internet Explorer 5 security settings are set to medium or low. "Wscript.Kak" uses a known Internet Explorer 5 exploit to write its code in the Windows startup directory as "Kak.HTA". Additionally, it writes parts of its code to "Kak.HTM" and creates a copy of itself in the System directory, which will be registered under the following registry key:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\cAgOu"

This causes repeated execution when Windows is started.

The worm then searches for installed "Identities" in Outlook Express 5.0 and changes their registry settings to (re)assign the default signature for composed mails to its "C:\Windows\Kak.HTM". Only systems where the "User Identity" is not at the default setting will be affected. Once the signature settings have been changed, "Wscript.Kak" will attach its script code to every email sent by the user.

During execution the worm checks the system date and time. If the day of the month is the first and the hour is later than 17 (5 p.m.), an alert box with the following message is displayed:

"Kagou-Anti-Kro$oft says not today !"

The worm then attempts to shut down Windows.
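The two registry traces described above (the "cAgOu" Run value and the hijacked Outlook Express signature file) can be checked for in a registry export without touching the live machine. The following is an added example, not code from CA or from the original page; the .reg text it scans is a constructed sample, and the file paths in it are assumptions.

```python
"""Added example: scan a Windows registry export (.reg text) for the two
Wscript/Kak persistence traces the advisory describes."""
import re

# Constructed sample export in .reg format, not a real capture.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"cAgOu"="C:\\WINDOWS\\SYSTEM\\kak.hta"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000001}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"name"="Signature #1"
"type"=dword:00000002
"file"="C:\\WINDOWS\\kak.htm"
"""


def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg export.
    Quoted string data has its doubled backslashes un-escaped; other
    data (dword:, hex:) is kept verbatim."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                name, data = m.group(1), m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = data[1:-1].replace("\\\\", "\\")
                keys[current][name] = data
    return keys


def find_kak_indicators(reg):
    """List findings: a Run value named cAgOu (or pointing at Kak.HTA),
    and any Outlook Express signature whose file is Kak.HTM."""
    findings = []
    run_key = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
    for key, values in reg.items():
        if key.lower() == run_key.lower():
            for name, data in values.items():
                if name.lower() == "cagou" or data.lower().endswith("kak.hta"):
                    findings.append(f"Run value {name!r} -> {data}")
        if "outlook express" in key.lower() and "signatures" in key.lower():
            data = values.get("file", "")
            if data.lower().endswith("kak.htm"):
                findings.append(f"OE signature file hijacked -> {data}")
    return findings
```

Export the relevant hives with regedit and feed the file's text to `parse_reg`; an empty list from `find_kak_indicators` means neither trace is present.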

"Though this virus isn't Y2K-related, its discovery further confirms that hackers will exploit user fears throughout the Y2K changeover," said Simon Perry, security business manager at CA. "Since the user doesn't even have to open the attachment for the worm to be executed, this has the potential to spread rapidly and quietly. CA is urging both business and home users to be conscientious in deploying powerful and reliable antivirus software to protect their systems."

For the latest protection against these viruses and worms, head over to http://antivirus.cai.com .


This site is not related to the Microsoft Corporation in any way. Windows and the Windows logo are trademarks of the Microsoft Corporation. ActiveWindows is an independent site. The information and sources here are obtained from a series of hard work & research.