
Re: virus - you've still got it! - please send in ASCII, not H.T.M.L.



                         Michael Edwards.

   I've been given a nasty scare by this virus and have been offline for about
10 hours, which I've been spending investigating it - more or less solidly and
continuously during those hours. I turned off my computer immediately on first
learning about it, booted up off DOS, and have been spending hours grubbing
around in the bowels of my hard disk within Norton Utilities. There's no doubt:
the e-mail in question does contain the Kak/Kagou worm.
   I read the e-mail, too, and theoretically I should therefore be infected -
but I don't seem to be. The tell-tale signs are files on the C: drive called
kak.hta and/or ae.kak. They may not appear until after the next time you
reboot. They might be hidden, so you have to look with more tools than just
"dir" at the DOS prompt. But I don't have these files, so it seems I'm not
infected, because these files are an essential step in the overall workings of
the worm.
   I suspect I didn't get infected because I'm using Windows 95 and Internet
Explorer 4.0 (not 5.0) and Outlook Express 4.72.2106.4, which I gather is an
older version. Apparently the virus runs only on more recent versions of all
those.
   If I'm wrong in any of my assumptions, I would be very glad to be corrected
by anyone who knows more about this than I do.

----------------------------------------
[Morris Krok:]

  I cannot understand why my e-mail should contain a virus.
----------------------------------------

   Nevertheless, it does; in fact, your message to which I'm replying has the
virus again. It's the Kak virus, and signs of its presence can be seen if you
look at the source code of your e-mail. (Search for the phrase
"Kagou-Anti-Kro$soft says not today".) You're probably not aware of it because
it doesn't seem to have immediate visible effects.
   List members need not worry about being infected by this letter, because I
*never* send e-mail in H.T.M.L. format - always plain ASCII text, which cannot
harbour a virus (it's just text, after all). And I would ask you, please,
Morris, to consider adjusting your e-mail program to send in ASCII text form
only. In fact, I think generally it would be good practice for all e-mail to be
sent in plain text only. Worth considering, perhaps? How do others on this
list feel about this? I'm getting quite paranoid about viruses and thinking
seriously about unsubscribing from all mailing lists, because they're just too
dangerous, even though I want to remain on and read the lists I'm interested in.

----------------------------------------
At the same time I sent the e-mail regarding Xywrite Revealed Third person, I
sent 5 other e-mails and no one has yet complained that there is a problem.
----------------------------------------

   I assume they haven't found out yet; and if they did find out, they may not
know that it came from your e-mails.
   Fortunately it doesn't appear to be one of the nastiest viruses, and its
signs are not immediately obvious. It will cause an infected computer to crash
after 6.00 p.m. on the first day of any month, though.

----------------------------------------
Furthermore the hundreds of e-mails that I have received over the past few years
have always been legible and have never distorted any of my files.
----------------------------------------

   The worm is probably not nearly as old as a few years. I think I read that
it appeared about a year ago. And not all viruses actually delete or mutilate
files - this one doesn't appear to. When I read your first e-mail, and this one
too, nothing happened, and everything behaved perfectly normally, even though
both e-mails are infected.

----------------------------------------
  The e-mail sent to the group was first processed by using XyWrite 111, then
it was inserted into Outlook Express as a text insert. Before typing this e-mail
directly into Outlook Express, I checked the previous e-mail to see if it has
any Xywrite formatting codes but it is entirely clear and as we all know xywrite
produces pure ascii text. It will be interesting to see if anti-virus programs
can find fault with this e-mail.
----------------------------------------

   If you send your e-mail in H.T.M.L. format, none of that matters. It
doesn't matter how your text gets into the e-mail: whether you cut and paste it
there from somewhere else, type it in directly, or what. If you are infected
and you send it in H.T.M.L., the virus will be appended to the e-mail - you will
not necessarily be aware of anything out of the usual.

----------------------------------------
  I can assure the group I am not a prankster or malicious.
----------------------------------------

   I don't think anyone's suggesting that, and I certainly assume you were
unaware of the virus, and I'm not writing now with any intention of attributing
blame. I'm just saying this in case it's helpful to you or to any other list
members. But I wonder if you could please consider sending in plain ASCII text?
That way there should be no problems.
   Some people I know delete H.T.M.L. unread. At first I thought this was an
overreaction based on a personal preference for ASCII - but it didn't seem so
once I learned that H.T.M.L. e-mails can harbour viruses, even without
attachments being present, and plain text ones can't. I think that alone is a
very good reason for always sending e-mail in plain text format.

----------------------------------------
  Perhaps the reason I have never experienced any virus problems is because I
do not have any anti-virus programs on my PC. But I will nevertheless certainly
investigate the possibility that there are viruses on my machine, no matter how
benign.
----------------------------------------

   I don't have an antivirus program either, but I think I will have to get
one. Nevertheless, from poking around on my hard disk over recent hours, and
from stuff I've read about the virus, I'm sure I'm not infected (I'm extremely
cautious and wouldn't have booted up just now unless I felt sure of that), and
that it cannot spread (even if I were infected) by plain text e-mail anyway
(which this letter is), so no-one need worry about getting it from this letter.
   If I'm wrong in anything I say here, and someone knows more accurately
about this worm, could they please let me know? Thanks. But what I say seems
to be quite reliably so, based on what I've recently read about this worm.

             Regards,
             Michael Edwards.


P.S.
   If anyone's wondering who I am (and have forgotten the couple of much
earlier postings I made), I joined because I was interested in finding out about
XY-Write, and am still interested in buying it - but various things have come up
since I joined the list and I haven't got round to that yet, nor to contributing
to any discussion. But I couldn't resist chipping in about this virus.
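
The two checks described in the message above (searching an e-mail's source for the quoted phrase, and looking for kak.hta / ae.kak on the drive), sketched as an added example that is not part of the original post. The sample message is constructed and carries only the marker text; the function names are hypothetical. The search runs on the decoded body, because quoted-printable encoding can split the phrase across lines in the raw source.

```python
import email
from email import policy
from pathlib import Path

# Indicators quoted in the message above.
MARKER = "Kagou-Anti-Kro$soft says not today"
INDICATOR_FILES = {"kak.hta", "ae.kak"}

# Constructed sample: an HTML part holding only the marker text (no worm code),
# quoted-printable encoded so a soft line break splits the phrase in the raw source.
SAMPLE = (
    b"From: sender@example.org\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Hello list\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"<html><body>Hello list<!-- Kagou-Anti-Kro$soft says =\r\n"
    b"not today --></body></html>\r\n"
    b"--b1--\r\n"
)

def scan_message(raw):
    """Flag HTML parts and any part whose decoded body contains MARKER."""
    findings = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        # decode=True undoes base64 / quoted-printable transfer encoding first.
        body = (part.get_payload(decode=True) or b"").decode("latin-1")
        if ctype == "text/html":
            findings.append("html-part")
        if MARKER.lower() in body.lower():
            findings.append("marker-in-" + ctype)
    return findings

def scan_root(root):
    """List indicator files directly under root, matching names case-insensitively."""
    return sorted(p.name for p in Path(root).iterdir()
                  if p.name.lower() in INDICATOR_FILES)

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```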