Say hello to Feliz.Trojan and Armagidon

CA spends weekend publicising low-grade viruses. Latest two viruses pack some punch but seem little more virulent than WScript.Kak, Trojan.Kill

It's already been a busy new year for virus watchers at Computer Associates, which used the weekend to issue the first virus warnings of the year 2000.

CA followed up two earlier warnings with two more on Sunday, issuing releases warning of Feliz.Trojan and Armagidon, a new Word macro virus. Both are potentially destructive. Feliz.Trojan can cause PCs not to boot, and Armagidon can cause documents to print with incorrect characters. Armagidon will also replace the Windows mouse pointer with a Red Cross symbol on May 8, which is Red Cross Day.

CA officials were not immediately available to assess the potential virulence of these new viruses. There was no mention of them on other virus sites. The other viruses CA issued warnings of were not considered very dangerous.

On Saturday, CA released an alert that warned users of Wscript.Kak, a worm that spreads via systems that use both Microsoft Windows 98 and the Microsoft Outlook Express 5.0 email client. A company official acknowledged that Wscript.Kak was not particularly virulent.

"From a risk perspective, this is fairly low. You have to send an email for it to spread," said Simon Perry, security business manager at CA in an interview with ZDNN on Saturday. "A self-propagating virus, like Melissa, will spread itself to several others automatically, and by the nature of the propagation you get a threat."

While the Melissa macro virus, which struck thousands of companies last March, required the user to open an attachment, once that had occurred the virus spread exponentially.

Like Melissa, Wscript.Kak does not appear to do any damage to systems, but merely spreads itself by attaching a copy of the virus onto every email that a user sends. That makes it a potential nuisance, at worst. The systems of corporate and home users that have turned off scripting -- a recommended strategy after the appearance of BubbleBoy two months ago -- will not be infected.

"Though this virus isn't Y2K-related, its discovery further confirms that hackers will exploit fears throughout the Y2K changeover," Perry had said in a press release issued Saturday. The statement seemed somewhat ironic, since the lack of a malicious payload or any mention of it by other anti-virus firms suggested that CA itself is capitalising on those fears.

Perry told ZDNN that a CA client found the worm, so that even though the virus has been classified as "low risk," the company believed publicising it was the best course.

Has potential to spread One aspect of the worm that could lead to its spreading quickly is that users don't have to click on an attachment to trigger the malicious code. If a user's Internet Explorer security settings are set to low or medium, the worm will infect the system without any user action, said the company.

The worm will then go on to change the signature settings of the user's mail to its own and then attach itself to every email message the user subsequently sends. Users who have the Windows Scripting Host option turned off will not be susceptible to this, or any, scripting virus.

After infecting the computer, the worm will shut down Windows. After the system reboots, the worm will be running in the background, waiting to infect every email the user sends out. Otherwise, CA doesn't report any malicious payload in the virus.

Trojan.Kill more destructive Earlier this week, CA reported another virus distributed through pirated copies of Windows 98 operating systems. The virus, known as Trojan.Kill, could wipe out information saved on computers when their dates roll past Jan. 1.

"Since Trojan.Kill is directly related to Y2K and carries a destructive payload, we're concerned about the damage it can do," said Perry.

"Obviously this virus is specifically targeted at illegal software, and Computer Associates strongly recommends that all software deployed either in the business environment or for home use is a legal copy," Perry said in a statement.

Spread through traditional means such as email, shared drives or floppy disks, Trojan.Kill hides behind a setup file called "Instalar.exe."

Reuters contributed to this report

Take me to the Virus Workshop