Kak.worm
 
Profile

To see removal step-by-step procedure click here

Virus Name
WScript/Kak.worm

Aliases
JS/Kak.worm, Kagou-Anti-Kro$oft, Kak, VBS.Kak.Worm, VBS/Kak, Wscript.Kak, Wscript.KakWorm

Variants
None

Date Added
12/31/99

Virus Information
 Discovery Date:12/31/99
 Origin:France
 Type:Virus
 SubType:VbScript
 Risk Assessment:Medium
 Minimum Dat:4051
 Minimum Engine:4.0.25

Virus Characteristics
This worm was first discovered by AVERT in December and added detection for it within 4051 DAT updates. Virus Patrol, a newsgroup scanning program from NAI, continues to identify occurrences of this Internet worm in newsgroup postings which is an indication that worm is continuing to spread. AVERT recommends adding ".HTA" to file extensions scanned for protection, and also ensure users have installed the security patch from Microsoft mentioned below.

Another dangerous aspect of this Internet worm is the ability to continuously re-infect yourself if the preview pane is enabled and you browse between folders specifically the "sent" folder which happens to contain the Internet worm within a message. This is another strong reason to update to the security patch, if not already.*

This is an Internet worm which uses ActiveX and Windows Scripting Host to propagate itself through email using MS Outlook. This worm consists of 3 components, an HTA file (HTML for Applications), a REG file (Registration Entries Update) and a BAT file (MS-DOS Batch).

The method used to integrate these components is to have first composed an email message in HTML which supports scripting. Using an ActiveX exploit known as "Scriptlet TypeLib", the script writes an HTA file to the local machine, typically in the startup folder. This will launch the code embedded in the HTA file at the next Windows startup. Microsoft has published a security update which addresses this ActiveX exploit and users are encouraged to update their systems with this component. With this update installed, users are questioned if they wish to run the ActiveX control which is marked "safe for scripting".

For more details on this vulnerability and to obtain a patch from Microsoft, see this link:
Microsoft Security Bulletin

For current security bulletins from Microsoft, see this link:
Current Bulletins.

Email messages written in HTML format will be coded with the Internet worm on infected systems due to the default signature modification on infected systems. The email application Outlook is a target of this Internet worm for propagation due to its support for HTML format messages. If an email message is coded with the WScript/Kak.worm code and it is allowed to run, files are written to the local machine in different locations-

c:\windows\kak.htm
c:\windows\system\(name).hta
c:\windows\Menu Démarrer\Programmes\Démarrage\kak.hta
c:\windows\Start Menu\Programs\StartUp\kak.hta

In the above list, "(name)" is a random 8 character name (e.g. 98278AE0.HTA). The path name of "Démarrage" gives us an indication that its origin is France with target installations of French Windows 9x operating systems; the secondary path targets English installations.

The AUTOEXEC.BAT file is modified to run the file KAK.HTA and then delete it from its folder location. The system registry is also modified when the script executes a shell registry update using regedit and the REG file written to the local system. The registry modification is this-

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
cAg0u = "C:\WINDOWS\SYSTEM\(name).hta"

The entry "(name)" is a random 8 character name (e.g. 98278AE0.HTA).

The email spreading method is possible by a registry modification which adds a signature to MS Outlook. The signature is set to include the file "C:\WINDOWS\kak.htm" and is set as the default signature such that the worm is spread on all outgoing email if the signature is included.

The contents of the HTM file are just a small file which consists of script to run the KAK.HTA file which already exists on the target machine. The code looks specifically for browser versions IE5 or NetScape Navigator higher than v4.0. Finally this worm also has a payload which is date activated.

On the 1st of the month, and beginning from 6PM local time, a message is displayed:

"Kagou-Anti-Kro$oft says not today!"

Symptoms
Recipients of messages which contain Wscript/Kak.worm may receive warning messages such as:
"Do you want to allow software such as ActiveX controls and plug-ins to run?"

Users should select "NO" to this question. Also another warning dialogue box could be displayed:
"Scripts are usually safe. Do you want to allow scripts to run?"

Users should select "NO" also to this question. Further indications of infection are the existence of files KAK.HTA and KAK.HTM as mentioned above, registry modifications as mentioned above, added or modified default signature as mentioned above.

On the 1st of the month, and beginning from 6PM local time, a message is displayed:

"Kagou-Anti-Kro$oft says not today!"

Another possible message is a fake error message with this description:

"S3 driver memory alloc failed"

After this, Windows is instructed to shutdown.

Method Of Infection
Opening email messages which are composed in HTML format and which contain the script will install the Internet worm on supported systems as mentioned above. The HTA file is written to the local machine as is the HTM file and both are created at system startup, and with each composition of HTML format email message.

Removal of this Internet worm consists of several steps:

* close email client(s)
* install the MS patch mentioned above
* remove KAK.HTA and/or KAK.HTM
* turn off "preview pane"
* delete the default email signature
* delete messages which are not needed which may contain the embedded script

Users may also benefit by removing Windows Scripting Host from their Windows environment. To do this in Windows 9x, go to "Control Panel" and choose "Add/Remove Programs". Click on the "Windows Setup" tab and double click on "Accessories". Scroll down to "Windows Script Host" and uncheck it and choose "OK". It may be necessary to reboot the system. For additional help or support, visit Microsoft's Support Site.

Removal Instructions
Use specified engine and DAT files for detection and removal. Delete files found to contain this detection.

Related Viruses
VBS/Bubbleboy