The Mudcat Cafe
BS: Virus - FYI
Subject: RE: BS: Virus - FYI
From: harpgirl
Date: 06 Dec 00 - 09:01 PM

...ain't I dangerous??? Nope I guess not...Hey, I wanta be dangerous too, Joe! *pout* *pout*



Subject: RE: BS: Virus - FYI
From: Joe Offer
Date: 06 Dec 00 - 07:16 PM

Jeri, you are a dangerous woman....

(and you gave me a good laugh)
-Joe-



Subject: RE: BS: Virus - FYI
From: harpgirl
Date: 06 Dec 00 - 07:01 PM

...here is a rather long but informative description regarding the kak virus and managing it...

Virus Profile

JS/Kak@M is a Medium risk Virus

This worm was first discovered by AVERT in October 1999 and added detection for it within 4051 DAT updates. Virus Patrol, a newsgroup scanning program from NAI, continues to identify occurrences of this Internet worm in newsgroup postings, which is an indication that the worm is continuing to spread. AVERT recommends adding ".HT?" to file extensions scanned for protection, and also ensuring users have installed the security patch from Microsoft mentioned below. Another dangerous aspect of this Internet worm is the ability to continuously re-infect yourself if the preview pane is enabled and you browse between folders, specifically the "sent" folder, which happens to contain the Internet worm within a message. This is another strong reason to update to the security patch, if not already.

This is an Internet worm which uses JavaScript and an ActiveX control, called "Scriptlet Typelib", to propagate itself through email using MS Outlook Express. This worm consists of 3 components, an HTA file (HTML Application), a REG file (Registration Entries Update) and a BAT file (MS-DOS Batch).

When an e-mail or newsgroup message infected by this worm is opened by a reader which supports Javascript in HTML, the script checks to see if MS Internet Explorer 5 or higher is installed. If it is, using an ActiveX exploit known as "Scriptlet TypeLib", the script writes the KAK.HTA file to the Startup folder of the local machine. This will launch the code embedded in the HTA file at the next Windows startup. Microsoft has published a security update which addresses this ActiveX exploit and users are encouraged to update their systems with this component. With this update installed, users are questioned if they wish to run the ActiveX control which "might be unsafe".

For more details on this vulnerability and to obtain a patch from Microsoft, see this link: Microsoft Security Bulletin

For current security bulletins from Microsoft, see this link: Current Bulletins.

Email messages written in HTML format will be coded with the Internet worm on infected systems due to the default signature modification on infected systems. The email application Outlook is a target of this Internet worm for propagation due to its support for HTML format messages. If an email message is coded with the worm code and it is allowed to run, files are written to the local machine in different locations-

c:\windows\kak.htm
c:\windows\system\(name).hta

kak.hta is written to either folder:

French Windows: c:\windows\Menu Démarrer\Programmes\Démarrage
English Windows: c:\windows\Start Menu\Programs\StartUp

In the above list, "(name)" is a seemingly random 8 character name (e.g. 98278AE0.HTA); however, it is related directly to a registry entry.

This worm first copies the original AUTOEXEC.BAT file to AE.KAK. Then the AUTOEXEC.BAT file is modified to overwrite the file KAK.HTA and then delete it from the StartUp folder. The system registry is also modified when the script executes a shell registry update using regedit and the REG file written to the local system. The registry modification is this-

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
cAg0u = "C:\WINDOWS\SYSTEM\(name).hta"

The entry "(name)" is an 8 character name (e.g. 98278AE0.HTA).

The email spreading method is possible by a registry modification which adds a signature to MS Outlook. The signature is set to include the file "C:\WINDOWS\kak.htm" and is set as the default signature such that the worm is spread on all outgoing email if the signature is included.

Finally this worm also has a payload which is date activated.

On the 1st of the month, and beginning from 6PM local time, a message is displayed:

"Kagou-Anti-Kro$oft says not today!"

Indications Of Infection

Recipients of messages which contain Wscript/Kak.worm may receive warning messages such as: "Do you want to allow software such as ActiveX controls and plug-ins to run?"

Users should select "NO" to this question. Also another warning dialogue box could be displayed: "Scripts are usually safe. Do you want to allow scripts to run?"

Users should select "NO" also to this question. Further indications of infection are the existence of files KAK.HTA and KAK.HTM as mentioned above, registry modifications as mentioned above, added or modified default signature as mentioned above.

Another possible message is a fake error message with this description:

"S3 driver memory alloc failed"

After this, Windows is instructed to shutdown.

Method Of Infection

Opening email messages which are composed in HTML format and which contain the script will install the Internet worm on supported systems as mentioned above. The HTA file is written to the local machine as is the HTM file and both are created at system startup, and with each composition of HTML format email message.

Removal of this Internet worm consists of several steps:

* close email client(s)
* install the MS patch mentioned above
* remove KAK.HTA and/or KAK.HTM
* turn off "preview pane" (optional)
* delete the default email signature setting (Tools/Options/Signature)
* delete messages which are not needed which may contain the embedded script

Users may also benefit by removing Windows Scripting Host from their Windows environment. To do this in Windows 9x, go to "Control Panel" and choose "Add/Remove Programs". Click on the "Windows Setup" tab and double click on "Accessories". Scroll down to "Windows Script Host" and uncheck it and choose "OK". It may be necessary to reboot the system. For additional help or support, visit Microsoft's Support Site.

Users may also want to disable "Active Scripting" in the "Restricted Sites" zone and set E-Mail to run in the "Restricted Sites" zone. To do this:

- open Internet Explorer
- choose the Tools menu
- choose Internet Options
- click the Security tab
- click the Restricted Sites icon
- click "Custom Level"
- scroll down to "Active Scripting" and set it to Disable or Prompt
- click OK
- open Outlook
- choose the Tools menu
- choose Options
- click the Security tab
- in the "Security Zones" section, choose the "Restricted Sites" zone

Removal Instructions

Use specified engine and DAT files for detection and removal.


AVERT Recommended Updates:

Note: Microsoft has released an update for
* Outlook to protect against "Malformed E-mail MIME Header" vulnerability at this link
* Outlook as an email attachment security update
* Exchange 5.5 as a post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link. Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Virus Information
Discovery Date: 10/22/99
Origin: New Caledonia
Type: Virus
SubType: VBScript worm
Risk Assessment: Medium



Subject: RE: BS: Virus - FYI
From: Jeri
Date: 06 Dec 00 - 06:30 PM

Joe, if I type in <a href=something.something>something</a> and look at it in text, it just looks weird. If I type it into something that reads HTML, it does something. Same with this worm.

It doesn't do diddly if you don't do something really idiotic such as copy the text, paste it into Notepad and save it as .html, then double click on it. There are people who are stupid enough to do this, though. Trust me on that. I'm not admitting anything - just take my word for it. We are out there. I mean they are out there.



Subject: RE: BS: Virus - FYI
From: Jon Freeman
Date: 06 Dec 00 - 06:17 PM

Rattle snake or otherwise, curiosity has got the better of me. Jeri - any chance of a look at the TEXT file?

Joe, my policy with unexpected attachments from people I trust is to get confirmation from the person in question that they intended to send me something before opening.

Jon



Subject: RE: BS: Virus - FYI
From: Joe Offer
Date: 06 Dec 00 - 04:56 PM

Gee, Jeri - sounds like you're playing with a rattlesnake. If I suspect something, I delete it and don't fool around with it.
-Joe-



Subject: RE: BS: Virus - FYI
From: Jeri
Date: 06 Dec 00 - 04:07 PM

Joe, if the worm is in a document with the .html suffix, the antivirus program should detect it.

The problem is, Outlook interprets the infected e-mail as HTML, and perhaps the antivirus program doesn't know it will be opened that way.

InoculateIT does NOT find the worm in my e-mail program's file. If I copy the worm into text and save it as HTML, it does detect it. I suspect if I saved it as a .txt file, InoculateIT wouldn't notice. I don't think the antivirus stuff looks for the nasty script in just any file - I think it looks for the nasty script in a specific format - indicating how it will be opened.

Could be wrong, though.


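Jeri's point that a scanner keying on file format can miss the script in the mail body, and the indicators in the AVERT profile quoted earlier in the thread (the kak.htm / kak.hta / AE.KAK files and the Run-key value named cAg0u), both suggest content-based checks. The following is an added example, not code from the thread, from NAI/AVERT or from any product; all sample inputs are constructed marker strings, not worm code.

```python
import re

# Indicator strings taken from the AVERT profile quoted in this thread;
# name -> pattern searched in raw message text.
MAIL_INDICATORS = {
    "scriptlet_typelib": re.compile(r"scriptlet\.typelib", re.I),
    "hta_reference": re.compile(r"\.hta\b", re.I),
    "kak_htm": re.compile(r"kak\.htm\b", re.I),
}
# Files the profile says the worm creates (basename match, case-insensitive).
FILE_INDICATORS = ("kak.htm", "kak.hta", "ae.kak")
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def scan_mail_text(raw):
    """Indicator names found in raw message text, whatever extension it
    was saved under. Requires a <script> tag so that a plain-text mail that
    merely talks about the worm (like this thread) does not alert."""
    if re.search(r"<script\b", raw, re.I) is None:
        return []
    return [name for name, pat in MAIL_INDICATORS.items() if pat.search(raw)]

def scan_paths(paths):
    """Paths whose file name is one of the worm's known files."""
    hits = []
    for p in paths:
        base = p.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in FILE_INDICATORS:
            hits.append(p)
    return hits

def scan_reg_export(reg_text):
    """(value name, data) pairs for Run-key values that launch an .hta file,
    read from a regedit export; HKLM\\ and HKEY_LOCAL_MACHINE\\ both accepted."""
    findings, in_run_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = re.sub(r"^HKLM\\", "HKEY_LOCAL_MACHINE\\\\", line[1:-1], flags=re.I)
            in_run_key = key.lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line) if in_run_key else None
        if m and m.group(2).lower().endswith(".hta"):
            findings.append((m.group(1), m.group(2)))
    return findings

# Constructed samples (marker strings only, not worm code): an HTML mail,
# a regedit export of the Run key, and a file listing.
SAMPLE_MAIL = (
    "Content-Type: text/html\r\n\r\n<html><body>Hi all<br>\r\n"
    "<script>/* constructed marker: Scriptlet.TypeLib kak.hta */</script>\r\n"
    "</body></html>\r\n"
)
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"cAg0u"="C:\\WINDOWS\\SYSTEM\\98278AE0.hta"
"""
SAMPLE_PATHS = [r"C:\WINDOWS\kak.htm", r"C:\WINDOWS\AE.KAK", r"C:\WINDOWS\win.ini"]
```

The `ScanRegistry` Run entry in the sample is a constructed benign neighbour, included so the check is seen to skip values that do not launch an .hta file.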

Subject: KAK Worm
From: Joe Offer
Date: 06 Dec 00 - 03:57 PM

Jeri, I scanned my computer with an up-to-date version of Norton Antivirus (NAV) this morning, before I deleted the suspect e-mail message. NAV did not detect any problem, but Outlook Express gave me a warning that the message contained unsafe Active-X controls that would not be run. Is that the way it's supposed to work? Does that mean NAV wouldn't pick up the worm unless my computer was infected? If I had forwarded the suspect message, would I have forwarded the worm?
-Joe-



Subject: RE: BS: Virus - FYI
From: Jeri
Date: 06 Dec 00 - 03:20 PM

The kak worm does not come in an attachment, it comes in the body of the e-mail. If you even view an infected message as an HTML document (instead of text) you can be infected - if you don't have up-to-date antivirus software.



Subject: Virus Protection
From: Joe Offer
Date: 06 Dec 00 - 02:58 PM

It appears that the KAK worm is going around our merry little group here. I got it from a Mudcatter last night, but I had the security settings on Outlook Express set high, and so the worm was intercepted. The link Jeri provided above is very informative - here it is again (click).

I suppose it might be an idea to give a list of suggestions:
  • Always use antivirus software, and download updates to your antivirus program at least once a month.
  • If you use Windows, visit http://windowsupdate.microsoft.com/ at least once a month and download any critical "product updates" that are suggested.
  • Be Particularly Cautious With E-Mail
    • Don't Trust E-Mail Attachments. Files that end with the *.exe extension are the ones most likely to cause problems, so I'd suggest that you never send and never open *.exe programs that come by e-mail.
      When I got home from vacation last week, there were 384 e-mail messages waiting for me, and my e-mail got a bit cranky about downloading it all. Several people sent me the same JPG (picture) of a ballot - it was cute (and safe) - but maybe it would have been better if they had sent me a link to a site on the Web where I could see it. Somebody sent me a ballot thing that had an EXE extension, and I deleted that message and attachment without taking a look. Be very careful about e-mail attachments, and open them only if you are quite sure they are safe - the worst viruses can come to you from your best friends, who have no idea they're sending something bad to you.
      If you do have good reason to send an attachment, make sure your accompanying message and message title say something specific, something that could only come from you.
    • Keep your e-mail security settings high. E-mail worms like KAK can come as part of the body of an e-mail message, not necessarily as an attachment. If you even view an infected message as an HTML document (instead of text) you can be infected.
      If you use Outlook Express, go to Tools and select Options, and then go to the "security" tab and be sure Outlook is set to the Restricted Sites zone.
  • If you alert others about viruses, be sure you're sending valid information, not a hoax. Check out the information at a reputable antivirus site like McAfee or Symantec before forwarding virus alerts.
  • Don't get paranoid about viruses, but do use common sense.
Hope that helps.
-Joe Offer-
(some information stolen from Jeri's messages)



Subject: RE: BS: Virus - FYI
From: Jeri
Date: 05 Dec 00 - 02:51 PM

Ed, that's the first one listed in the web page Brendy linked to.



Subject: RE: BS: Virus - FYI
From: UB Ed
Date: 05 Dec 00 - 01:24 PM

I received a nasty virus today called W32/ProLin@MM. It comes from someone you know and trust as:

Subject = A great Shockwave flash movie
Body = Check out this new flash movie that I downloaded just now ... It's Great Bye
Attachment = creative.exe

This bugger replicates onto your C drive and rearranges your JPEG and MP3 files. It then takes your address book and sends itself to all as if it were you!

I found this particularly disturbing...



Subject: RE: BS: Virus - FYI
From: Jeri
Date: 05 Dec 00 - 09:29 AM

Bill D, see the F-Secure site - kak fixes. It may focus on Outlook to send itself, but any program that opens it as html will activate it.

I still have an e-mail with the kak worm in it, and my virus detection program (updated last on Nov 23) does not detect it. It did detect the virus once it had been activated and created the files it's known to create. The anti-virus detected those files, not the Active-X script in the e-mail that creates them.



Subject: RE: BS: Virus - FYI
From: Brendy
Date: 05 Dec 00 - 12:05 AM

Thanks, Joe, mcmoo, et al.

I can certainly empathise with you, Joe, about the stream of E-mails from unconfirmed sources. Mine come mostly from well-meaning nephews and nieces, and are informative only so far as they often provide me with the E-mail addys of other members of my rather large (and still expanding) extended family. They will prove useful at least for one thing - my Christmas Card bill won't be as big this year!

Having said that, in the 2 odd years since I have been online, I have only once received a virus through E-mail (touch wood!). It costs nothing, however, to put a wee tick in the box that says 'Yes I would like to receive periodic E-mails....', from your anti virus supplier.

Zone Alarm Pro quarantines all attachments that you programme it to recognise, and can therefore save much weeping and gnashing of teeth.

B.



Subject: RE: BS: Virus - FYI
From: Bill D
Date: 04 Dec 00 - 09:44 PM

We got the kak thing... Norton stopped it, but one section of the Eudora email inbox is quarantined till we get around to downloading possible fixes. (The Norton folks are pretty good, but since kak focuses on OUTLOOK, I wonder why they couldn't just delete it?)



Subject: RE: BS: Virus - FYI
From: harpgirl
Date: 04 Dec 00 - 09:00 PM

...Kendall picked one up and he is off-line until his computer is fixed....haven't heard of it, though.

I picked up a kak virus last week but was able to isolate and delete it before it messed me up, I think. If anyone wants a good description of how to fix the kak virus, holler and I'll cut and paste...harpgirl



Subject: RE: BS: Virus - FYI
From: Joe Offer
Date: 04 Dec 00 - 07:45 PM

Thanks, Brendy. Your way of informing us was just about perfect. Most of the e-mails I get about viruses turn out to be hoaxes that the sender didn't research. Brendy linked to an authoritative source of information about this virus. That's the way it should be done.
-Joe Offer-



Subject: RE: BS: Virus - FYI
From: Lady McMoo
Date: 04 Dec 00 - 04:59 AM

Many thanks Brendy. I circulated this to everyone in my organization.

mcmoo



Subject: Virus - FYI
From: Brendy
Date: 04 Dec 00 - 03:53 AM

OK, chaps and chapesses.

I wouldn't normally get into this kind of thing, knowing that there must be millions of little virus alerts going around, however I did get an E-mail today from Norton, warning about a wee virus that's going around.

Here's a link to their customer services page.

Norton AntiVirus

Let's be careful out there.

B.

