
Re:Virus Problem




The following is from the Norton AntiVirus web site, you will find the
instructions for removal of the KAK virus.

VBS.KakWorm is a worm, which spreads using Microsoft Outlook Express. The worm attaches itself to all outgoing messages via the Signature feature of Outlook Express. Signatures allow one to automatically append information at the end of all outgoing messages.

The worm utilizes a known Microsoft Outlook Express security hole so that a viral file is created on the system without having to run any attachment. Simply reading the received email message will cause the virus to be placed on the system.

Microsoft has patched this security hole already. If you have a patched version of Outlook Express, this worm will not affect them.

Technical Description

The worm appends itself to the end of legitimate outgoing messages as a signature. When receiving the message, the worm will automatically insert a copy of itself into the appropriate StartUp directory of the Windows operating system for both English and French language versions. The file created is named KAK.HTA.

HTA files are executed by current versions of Microsoft Internet Explorer or Netscape Navigator.

The system must be rebooted for this file to be executed. Once executed, the worm modifies the registry key:

     HKCU/Identities/<Identity>/Software/Microsoft/Outlook/Express/5.0/signatures

in order to add its own signature file, which is the infected KAK.HTA file. This causes all outgoing mail to be appended by the worm.

In addition, the registry key:

     HKLM/Software/Microsoft/Windows/CurrentVersion/Run/cAgOu

is added which causes the worm to be executed each time the computer is restarted.

Finally, if it is the first of the month and the hour is 17 (5:00pm), the following message is displayed:

     Kagou-Anti-Kro$oft says not today!

and Windows is sent the message to shutdown.

There is no other malicious payload.

____________________Reply Separator____________________
Subject: Virus Problem
Author: Prosper
Date:  02/16/2000 12:24 PM

I for one got a virus called KAK.hat; it may have been passed on to others on
this forum as well. Look in your Windows Start Up folder, that is where it
was on my machine, and btw Norton antivirus didn't catch it even after
repeated scans of the drive and the Startup folder.

Prosper
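
A triage check for the three artifacts named in the quoted description (the cAgOu Run value, a signature entry pointing at KAK.HTA, and the KAK.HTA file itself), run over a regedit text export and a file listing. This is an added example, not code from Norton or from either poster; it assumes the export writes the keys in backslash form, and the sample export, the `file` value name, the identity GUID and the EXAMPLE.HTA data are constructed.

```python
import re
from pathlib import PureWindowsPath

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "cagou"        # Run value name from the write-up, lowercased
DROPPED_FILE = "kak.hta"   # dropped file name from the write-up, lowercased

# Constructed sample input (not captured from a real machine).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"cAgOu"="C:\\WINDOWS\\SYSTEM\\EXAMPLE.HTA"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"file"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp\\KAK.HTA"
'''
SAMPLE_FILES = [r"C:\WINDOWS\Start Menu\Programs\StartUp\KAK.HTA",
                r"C:\WINDOWS\NOTEPAD.EXE"]

def parse_reg_export(text):
    """Return {key path (lowercased): {value name (lowercased): string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # string values only; exports escape "\" as "\\"
                current[m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return keys

def find_kak_indicators(reg_text, file_paths):
    """Return (indicator, evidence) tuples for the three artifacts described."""
    keys, findings = parse_reg_export(reg_text), []
    if RUN_VALUE in keys.get(RUN_KEY, {}):
        findings.append(("run-value", keys[RUN_KEY][RUN_VALUE]))
    for key, values in keys.items():
        if key.startswith("hkey_current_user\\identities\\") and "\\5.0\\signatures" in key:
            findings += [("signature", d) for d in values.values()
                         if d.lower().endswith(DROPPED_FILE)]
    findings += [("dropped-file", p) for p in file_paths
                 if PureWindowsPath(p).name.lower() == DROPPED_FILE]
    return findings

if __name__ == "__main__":
    for indicator, evidence in find_kak_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(f"{indicator}: {evidence}")
```

Matching is case-insensitive because Windows file names and registry names are, which is why the lowercase file name in the original post would still be caught.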