Re: DBXtend extracted attachment query

From: David Purdy (Nospam_at_here.co.uk)
Date: 10/07/04


Date: Thu, 7 Oct 2004 12:47:48 +0000 (UTC)


>I am using DBXtend v1.70 on a Win XP system, and upon extracting some
>messages (22 in total) from a folder, one of the extracted attachments has
>the following name (note the preceding spaces):
>
> ' WScript.KakWorm'

[cut]

By a process of elimination, the source message has been traced, attached.
It's from January 2001 (sent via my previous, Win98, PC), ironically copying
Symantec information about the virus to a colleague.

I cannot see anything obvious in the message that would cause this.
Perhaps it's a software design issue?

Regards,

Dave.

From: [cut]
To: [cut]
Subject: E-mail virus details
Date: Tue, 23 Jan 2001 13:54:42 -0000
MIME-Version: 1.0
Content-Type: text/plain;
 charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

David,

Some background details, for information.

Regards,

Dave

**********************************************************************
**                                                                  **
**  What's New in the NAV Virus Definitions Files     WHATSNEW.TXT  **
**                                                                  **
**  Symantec AntiVirus Research Center (SARC)     January 18, 2001  **
**                                                                  **
**********************************************************************

The ten most commonly reported viruses, worldwide:

    1 W32.Navidad
    2 W95.MTX
    3 W32.HLLW.QAZ.A
    4 VBS.Stages.A
    5 VBS.LoveLetter
    6 VBS.Network
    7 Wscript.KakWorm <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    8 W32.Funlove.4099
    9 PrettyPark.Worm
   10 Happy99.Worm

**********************************************************************
                         Virus Information
**********************************************************************

Virus name: WScript.KakWorm
Aliases:
Infects:
Likelihood: Common
Length: 4116 bytes

Characteristics

Memory resident   No     Triggered event   No
Size stealth      No     Encrypting        No
Full stealth      No     Polymorphic       No

Comments:
Please visit this website for a more detailed description.
http://www.sarc.com/avcenter/venc/data/wscript.kakworm.htm

http://www.sarc.com/avcenter/venc/data/wscript.kakworm.htm ...

VBS.KakWorm spreads using Microsoft Outlook Express. It attaches itself to
all outgoing messages via the Signature feature of Outlook Express and
Internet Explorer newsgroup reader.

The worm utilizes a known Microsoft Outlook Express security hole so that a
viral file is created on the system without having to run any attachment.
Simply reading the received email message will cause the virus to be placed
on the system.

Microsoft has patched this security hole. The patch is available from
Microsoft's website. If you have a patched version of Outlook Express, this
worm will not work automatically.

http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000020318071406 ...

Solution 1-- To remove this worm from within Windows, follow these instructions:
1. Restart the computer in Safe mode.
2. Enable show all files.
3. Find and delete the kak.*, *.kak, and *.hta files.
4. Remove the worm entry from the Autoexec.bat file.
5. Remove the worm entry from the registry.
6. Uninstall the Windows Scripting host.
7. Delete infected files from Quarantine.
8. Clear deleted items folder.
9. Install the Microsoft patch.
10. Take action after installing the Microsoft patch.


