Corpora: Info on the Kak virus

Sat Mar 25 12:22:56 UTC 2000

Dear corporeal ones:

I've just done some quick hunting on the WWW, and it seems that our
friendly virus  WScript/worm is more annoying than malicious, and then
only after 5:00 pm on the first of any month.

Good news: It only affects you if you use MS Outlook Express 5.0, and a
patch is available from MS at:

http://www.microsoft.com/Security/Bulletins/ms99-032.asp

Apparently, if you or your system administrator has already applied the
patch, then you need not worry. And if you don't use Outlook Express
(I'm on Netscape, so presumeably I'm clean), then apparently there is no
problem.

>>From one of the quotes below:
It is written with JavaScript and it works on both English and French
versions of Windows 95/98 if Outlook Express 5 is installed.

If this is your case, then you've possibly been sending it out with all
your e-mails...

Following are partial extracts from two commercial sites (duly
referenced).

My apologies, but I couldn't find how to get rid of it other than the MS
download.

Take care and stay clean!
Gordon

--
Gordon Cain
Teacher of ESOL TAFE International Education Centre
Liverpool (Sydney) Australia
gpcain at rivernet.com.au

=====================================================================
>>From Symantec (Norton):

http://www.symantec.com/avcenter/venc/data/wscript.kakworm.html

Wscript.KakWorm

Detected as: Wscript.KakWorm
Aliases: VBS.Kak.Worm, Kagou-Anti-Krosoft Infection
Length: 4116 bytes
Likelihood: Common
Detected on: Dec 27, 1999 Region
Reported: Europe
Characteristics: 1st of any month at 5pm

Description

VBS.KakWorm is a worm, which spreads using Microsoft Outlook Express.
The worm attaches itself to all outgoing messages via the Signature
feature of Outlook Express. Signatures allow one to automatically append
information at the end of all outgoing messages.

The worm utilizes a known Microsoft Outlook Express security hole so
that a viral file is created on the system without having to run any
attachment. Simply reading the received email message will cause the
virus to be placed on the system.

Microsoft has patched this security hole already. The patch is available
from Microsoft's website. If you have a patched version of Outlook
Express, this worm will not affect them.

Technical Description

The worm appends itself to the end of legitimate outgoing messages as a
signature. When receiving the message, the worm will automatically
insert a copy of itself into the appropriate StartUp directory of the
Windows operating system for both English and French language versions.
The file created is named KAK.HTA.

HTA files are executed by current versions of Microsoft Internet
Explorer or Netscape Navigator.

The system must be rebooted for this file to be executed. Once executed,
the worm modifies the registry key:

HKCU/Identities/<Identity>/Software/Microsoft/Outlook/Express/5.0/signatures

in order to add its own signature file, which is the infected KAK.HTA
file. This causes all outgoing mail to be appended by the worm.

In addition, the registry key:

HKLM/Software/Microsoft/Windows/CurrentVersion/Run/cAgOu

is added which causes the worm to be executed each time the computer is
restarted.

Finally, if it is the first of the month and the hour is 17 (5:00pm),
the following message is displayed:

Kagou-Anti-Kro$oft says not today!

and Windows is sent the message to shutdown.

There is no other malicious payload.
=====================================================================

And from the people who make F-Prot (European apparently) at:

http://www.Europe.F-Secure.com/v-descs/kak.htm

F-Secure Virus Information Pages

NAME: Kak
ALIAS: Wscript.KakWorm, KakWorm

WScript.KakWorm is a worm that attaches itself to every email sent from
the infected system. It is written with JavaScript and it works on both
English and French versions of Windows 95/98 if Outlook Express 5 is
installed.

The worm uses a known security vulnerability in Outlook Express. When an
user receives an infected email message, the worm creates a file
"kak.hta" to the Windows Startup directory.

When the system is restarted, the worm activates. It replaces
"c:\autoexec.bat" with a batch file that deletes the worm from the
Startup directory. The original "autoexec.bat" is copied to "C:\AE.KAK".

It also modifies the message signature settings of Outlook Express 5.0
replacing the current signature with an infected file,
"C:\Windows\kak.htm".

Therefore every message sent with Outlook Express after that will
contain the worm.

Next it modifies the Windows registry in a such way that it will be
executed in every system startup. In first day of each month if the
number of hours is more than 17 (5:00pm), the worm will show an alert
box with the following text:

Kagou-Anit-Kro$oft say not today!

Then the worm causes the Windows to shut down.

[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]