Script Viruses Approaching: Internet-Worm KakWorm at the Top of the World's Virus Prevalence Charts

04 Jun 2000
Business News

Kaspersky Lab Int. offers a unique protection against script-viruses for FREE!

According to the virus prevalence table published in the June issue of the British "Virus Bulletin" magazine - one of the most authoritative publications for computer viruses countermeasures - for the first time history, a virus took first place in written script programming language, spreading via e-mail without using attached files. 17.9% of the virus incidents registered in April 2000 were caused by the Internet-worm "KakWorm," originally discovered at the end of the last year.

The main distinction of the "KakWorm"-style viruses is that they spread via e-mail without using attached files. The virus is hidden inside of the body of an infected message and it activates each time a user reads the message. For instance, if a user activates the preview panel in his e-mail program, then simply by using the cursor, a user can trigger the infected message without doing anything else.

Another feature of this type of viruses is that they are created using script programming languages (Java Script etc.). Script-programs (including script-viruses) are available in primary source code that enables virus writers to easily modify them and produce new virus variations. Many anti-virus vendors should analyse each of the viruses and issue a new update for their anti-virus software. During that period users stay unprotected.

"Nevertheless, the "KakWorm" itself is rather harmless.� Its clones could be of a great danger for computer users. We see they could be as destructive as the infamous "Chernobyl" virus. There are ways of making these viruses format disks or even crash micro chips," said Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab.

All known "KakWorm"-style viruses exploit a well-known security breach in MS Internet Explorer named "TypeLib Security Vulnerability." As soon as the breach was discovered, Microsoft released a special security patch available for free at the company's web site. However, the aforementioned figures from "Virus Bulletin" show that there are still many users who ignore this warning, leaving their computers vulnerable.� A rather illustrative example is the spreading of "KakWorm" by the ShoppingPlanet.com online store to more than 50,000 of its subscribers.

Another way to protect computers from "KakWorm"-style script-viruses is to use anti-virus software. The problem is that commonly used anti-virus scanners (on-demand scanners) are not effective, because once the computer is "cleaned," it could be easily damaged again just by reading the infected message. Background anti-virus monitors (on-access scanners) could be useful to detect the virus at the moment it writes its code onto the disk. However, they are not able to a prevent script-viruses activation, since the viruses are executed directly in operating memory without leaving any traces on the disk. Thus, a "KakWorm"-style script-virus can do anything (including backdoor activities, installation of third-party malware, etc.) until it reveals itself by placing data on the disk. Only at this moment does the anti-virus software detect it.

The described situation requires the use of a new type of anti-virus interceptors able to prevent script-viruses even in the system memory.

In the beginning of May Kaspersky Lab announced its new unique product AntiViral Toolkit Pro (AVP) Script Checker - a new generation of anti-virus software to combat script-viruses of this type.

This program acts as a filter between the script program (it doesn�t matter whether it is malicious or not) and the script programs processor that executes it. AVP Script Checker intercepts the script program in operating memory before it is executed by a processor and sends it to the on-access scanner AVP Monitor for checking. If the AVP Monitor detects any viruses, it blocks the program and alerts the user. If it doesn�t detect anything suspicious, it returns the program back to the AVP Script Checker. Then, the AVP Script Checker activates its powerful built-in heuristic analyser and checks for unknown viruses. If there is anything suspicious, it alerts the user and prevents the program from being executed. Only if the program has successfully passed all the tests are it permitted to be executed and pass on to the script programs processor.

The AVP Script Checker could also be used on any PC-compatible computers even if there is no AVP Monitor installed. In this case, all script-programs will be checked only by the built-in heuristic analyser. "It is very important to note that the AVP Script Checker is extremely useful not only against "KakWorm"-style script viruses, but against all types of script-viruses. During the recent "LoveLetter" epidemic the product successfully detected 100% of all variations of this virus without any additional updates to anti-virus database required," said Eugene Kaspersky.

Kaspersky Lab announces that the AVP Script Checker will be available FREE of charge until July 1. During this time, you can download the program from the Kaspersky Lab web site at www.kasperskylabs.com.

You can purchase AntiViral Toolkit Pro (AVP) family products online via the Internet. To find the nearest AVP reseller click here.