The Mudcat Cafe



User Name: bobbi
Thread Name: BS: Virus Alert (continued) (47)
Subject: RE: BS: Virus Alert (continued)
Posted: 24 Jul 01


About the VBS.KAKWorm

The Wscript KAK Worm is a worm/virus that attacks systems using Outlook Express. It uses a known security vulnerability to attach itself to every email sent from an infected system. It is written with Javascript and it attacks both the English and French versions of Windows 95/98, if Outlook Express 5 is installed. Then what makes this worm unique is its ability to infect a system by someone simply reading or previewing an email message. The worm hides in the HTML of the email itself. When the message is previewed or opened by the recipient, the worm automatically takes control and infects the computer. If neither Outlook Express nor MS Internet Explorer 5.0 are installed, the worm is not able to infect the machine.

The worm has another potential side effect as well. On the 1st day of any month and the hour is 5:00pm, the following message is displayed and Windows is sent a command to shut down. You may also see a "Driver Memory Error" occur when starting Windows.

What The Worm Does

Upon infection, the worm places a file called KAK.HTM in your C:\Windows directory and a temporary file with an .HTA extension in your C:\Windows\SYSTEM directory. It also places a file called KAK.HTA in your Startup directory. Then the worm adds the following lines into your AUTOEXEC.BAT file and renames the original autoexec file to AE.KAK.

@echo off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta
del C:\Windows\STARTM~1\Programs\StartUp\kak.hta

Next the worm adds the following changes into the Windows Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Run\cAg0u

This cAg0u file points to the temporary .HTA file dropped into the Windows\System directory earlier. The worm also adds the following line into the Windows Registry:

HKEY_CURRENT_USER\Identities\Software\Microsoft\Outlook Express\5.0\signatures\Default Signature

This default signature points to the KAK.HTM file loaded into the Windows directory. Every email that is sent after infection has this KAK.HTM embedded in the HTML of the email which spreads the worm to others.

But again: You MUST have Outlook Express and MS Internet Explorer 5.0 installed... So in that regard, yes it is possible to get a virus/worm via script, but all these other factors must be in place as well.
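As an added example (not part of the original post), the Python code below checks a file listing, AUTOEXEC.BAT text and a REGEDIT4-style registry export for the artifacts the post lists. The sample export, its identity id, the value name "file" and the .hta file name are constructed placeholders.

```python
import re

# Artifact names are the ones listed in the post; matching ignores case because
# Windows 9x file and registry names are case-insensitive.
KAK_FILES = {"kak.htm", "kak.hta", "ae.kak"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SIG_KEY_PART = r"outlook express\5.0\signatures"

# Constructed sample export; the identity id, value name "file" and the .hta
# file name are placeholders, not values from the post.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"cAg0u"="C:\\WINDOWS\\SYSTEM\\SAMPLE.hta"

[HKEY_CURRENT_USER\Identities\{SAMPLE-ID}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"file"="C:\\WINDOWS\\kak.htm"
"""

def check_files(paths):
    """Return the listed paths whose file name is a KAK artifact."""
    return [p for p in paths if p.rsplit("\\", 1)[-1].lower() in KAK_FILES]

def check_autoexec(text):
    """Return AUTOEXEC.BAT lines that reference kak.hta."""
    return [ln.strip() for ln in text.splitlines() if "kak.hta" in ln.lower()]

def parse_reg(text):
    """Yield (key, value_name, data) from a REGEDIT4-style text export."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"([^"]*)"="(.*)"$', line)):
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def check_registry(text):
    """Return (kind, value_name, data) for the two registry changes described."""
    hits = []
    for key, name, data in parse_reg(text):
        if key.lower() == RUN_KEY and name.lower() == "cag0u":
            hits.append(("run-entry", name, data))
        elif SIG_KEY_PART in key.lower() and "kak.htm" in data.lower():
            hits.append(("signature", name, data))
    return hits

if __name__ == "__main__":
    for hit in check_registry(SAMPLE_REG):
        print(hit)
```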



