Beware the Chinese Internet-worm!

By Kaspersky Lab
Johannesburg, 03 May 2000

Kaspersky Lab, a fast-growing international anti-virus development company, warns users about the epidemic of a new worm, I-Worm.Unicle.

This worm was discovered by Kaspersky Lab anti-virus experts over a month ago, and detection for it was added to the AntiViral Toolkit Pro (AVP) anti-virus database at that time. Regrettably, the majority of anti-virus vendors have only now started to produce updates for their products.

"The distinctive characteristic of this worm is that it is able to spread via e-mail without using attachments. To pass the worm to a computer a user only needs to READ the infected message. Despite the fact that the "Unicle" worm is presently capable of operating with Chinese Windows only, we anticipate the emergence of its variation, which will be compliant with other Windows versions," says Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab. "We strongly recommend computer users update their anti-virus programs and urgently install a patch for MS Internet Explorer."

How to protect against the "Unicle" worm?

Microsoft has released an update that eliminates the "Scriptlet.Typelib" security vulnerability. We strongly recommend that you visit http://support.microsoft.com/support/kb/articles/Q240/3/08.ASP and install this update.

If you do not use any HTML Applications (HTA files), there is another way to prevent infection by malware of this type (worms and viruses that exploit the "Scriptlet.Typelib" security vulnerability): remove the file association for the .HTA extension. To do this, follow these steps:

  • Double-click the "My Computer" icon on the desktop.

  • In the window that appears, choose "View" > "Options" from the menu.

  • On the "File Types" tab, select the "HTML Application" item in the "Registered file types" list box.

  • Click the "Remove" button and confirm the action.

  • Close the options dialog box.
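The following PowerShell script is an added example, not part of the original Kaspersky advisory; it audits the two mitigations above on a Windows host: whether an .HTA file association is still registered, and whether the Scriptlet.TypeLib control carries the Internet Explorer kill bit (the standard mechanism by which an IE update blocks a control from being created by script). It assumes an elevated session and the standard registry layout (HKCR\.hta, HKCR\Scriptlet.TypeLib\CLSID, and the "ActiveX Compatibility" key with the 0x400 Compatibility Flags bit).

```powershell
# Added example (not from the original advisory). Audits the mitigations the
# advisory recommends. Assumes an elevated PowerShell session and the standard
# registry layout named in the lead-in.

function Get-HtaAssociation {
    # Returns the ProgID that .hta files open with, or $null if no association.
    $key = 'Registry::HKEY_CLASSES_ROOT\.hta'
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key).'(default)'
}

function Get-ProgIdClsid {
    param([string]$ProgId)
    # Resolves a COM ProgID to its CLSID via HKCR\<ProgID>\CLSID.
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key).'(default)'
}

function Test-KillBit {
    param([string]$Clsid)
    # The IE kill bit: bit 0x400 in "Compatibility Flags" under the
    # ActiveX Compatibility key blocks script from instantiating the control.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
}

$hta = Get-HtaAssociation
if ($hta) {
    Write-Output "WARN: .hta is associated with '$hta'; HTML Applications will run when opened."
} else {
    Write-Output "OK:   no .hta file association is registered."
}

$clsid = Get-ProgIdClsid -ProgId 'Scriptlet.TypeLib'
if (-not $clsid) {
    Write-Output "OK:   Scriptlet.TypeLib is not registered on this host."
} elseif (Test-KillBit -Clsid $clsid) {
    Write-Output "OK:   kill bit is set for Scriptlet.TypeLib ($clsid)."
} else {
    Write-Output "WARN: Scriptlet.TypeLib ($clsid) is registered without a kill bit; apply the IE update."
}
```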

Technical Details

General Characteristics

This worm is able to work in the Chinese version of Windows only and spreads by sending infected e-mail messages. The worm has two components: a script program and a Windows PE EXE file. The first component (the script) is sent in infected e-mails and compromises the computer, then downloads and executes the EXE component, which completes the infection and spreads further copies of the worm.

Installation

The worm arrives as an HTML message with a JavaScript program inside. That script is processed automatically when the message is opened, and the worm code takes control.

Note: Internet browsers and e-mail clients have built-in security protections that prevent scripts embedded in messages from accessing disk files and system resources (the worm needs both to spread itself; see below). To infect the system from an e-mail message the worm needs to bypass these protections. To do that it uses an Internet Explorer 5 security hole, the so-called "Scriptlet.Typelib vulnerability".

The worm also notifies its author (or a possible host) of its presence on the infected machine. To do that it sends a message to one of the following addresses:

leebill_001@yahoo.com, leebill_002@yahoo.com, ..., leebill_023@yahoo.com

There are 23 possible addresses, and the worm randomly selects one of them.

Demo versions of Kaspersky Lab AntiViral Toolkit Pro (AVP) that detect and remove the "Unicle" worm are available on Kaspersky Lab's Web site at http://www.kasperskylab.ru/eng/products/eval.asp.

You can purchase a fully functional version of AntiViral Toolkit Pro online at the following address: http://www.avpsa.co.za

Kaspersky Lab

Kaspersky Lab Ltd. is a fast-growing, privately owned international anti-virus software development company with offices in Moscow (Russia), Cambridge (UK) and Johannesburg (South Africa). Founded in 1997, the company concentrates its efforts on the development of world-leading anti-virus technologies and software. Kaspersky Lab also provides free online security-related information services. The company markets, distributes and supports its software and services in more than 40 countries worldwide.