The following is from the Norton AntiVirus web site, you will find the
instructions for removal of the KAK virus.

VBS.KakWorm is a worm, which spreads using Microsoft Outlook Express. The worm attaches itself to all outgoing messages via the Signature feature of Outlook Express. Signatures allow one to automatically append information at the end of all outgoing messages.

The worm utilizes a known Microsoft Outlook Express security hole so that a viral file is created on the system without having to run any attachment. Simply reading the received email message will cause the virus to be placed on the system.

Microsoft has patched this security hole already. If you have a patched version of Outlook Express, this worm will not affect you.

Technical Description

The worm appends itself to the end of legitimate outgoing messages as a signature. When receiving the message, the worm will automatically insert a copy of itself into the appropriate StartUp directory of the Windows operating system for both English and French language versions. The file created is named KAK.HTA.

HTA files are executed by current versions of Microsoft Internet Explorer or Netscape Navigator.

The system must be rebooted for this file to be executed. Once executed, the worm modifies the registry key:

HKCU/Identities/<Identity>/Software/Microsoft/Outlook/Express/5.0/signatures

in order to add its own signature file, which is the infected KAK.HTA file. This causes all outgoing mail to be appended by the worm.

In addition, the registry key:

HKLM/Software/Microsoft/Windows/CurrentVersion/Run/cAgOu

is added which causes the worm to be executed each time the computer is restarted.

Finally, if it is the first of the month and the hour is 17 (5:00pm), the following message is displayed:

Kagou-Anti-Kro$oft says not today!

and Windows is sent the message to shut down.

There is no other malicious payload.

____________________Reply Separator____________________
Subject: Virus Problem
Author: Prosper
Date: 02/16/2000 12:24 PM

I for one got a virus called KAK.hta. It may have been passed on to others on
this forum as well. Look in your Windows Start Up folder, that is where it
was on my machine, and btw Norton antivirus didn't catch it even after
repeated scans of the drive and the Startup folder.

Prosper
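
An added example, not part of the original messages or of Norton's write-up: a Python check for the three artifacts named in the technical description above (a KAK.HTA file, the cAgOu Run value, and a signature entry that references KAK.HTA), run over a directory tree and the text of a regedit export. The function names, the sample export, the identity id and the placeholder paths are constructed for illustration.

```python
import os
import re

FILE_IOC = "kak.hta"   # file name from the description (compared case-insensitively)
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "cagou"    # Run value name from the description

# Constructed regedit export; identity id, paths and value data are placeholders.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"cAgOu"="C:\\PLACEHOLDER\\dropped-file"

[HKEY_CURRENT_USER\Identities\{CONSTRUCTED-ID}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"file"="C:\\PLACEHOLDER\\KAK.HTA"
'''

def scan_files(root):
    """Return sorted paths of every file named KAK.HTA (any case) under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files if f.lower() == FILE_IOC]
    return sorted(hits)

def scan_reg_export(text):
    """Return (key, value_name, reason) for each worm artifact in an export."""
    findings, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # section header: current registry key
            continue
        m = re.match(r'"([^"]*)"\s*=\s*(.*)$', line)
        if not m:
            continue                  # blank line, file header, or default value
        name, data, k = m.group(1), m.group(2), key.lower()
        if k == RUN_KEY and name.lower() == RUN_VALUE:
            findings.append((key, name, "autorun value cAgOu"))
        elif (k.startswith("hkey_current_user\\identities\\")
              and "\\signatures" in k and FILE_IOC in data.lower()):
            findings.append((key, name, "signature references KAK.HTA"))
    return findings

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG):
        print(finding)
    print(scan_files("."))
```

Decode a real export before passing it in: REGEDIT4 exports are ANSI text, while "Windows Registry Editor Version 5.00" exports are UTF-16.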