Wscript.KakWorm 


Detected as: Wscript.KakWorm 
Aliases: VBS.Kak.Worm, Kagou-Anti-Krosoft 
Infection Length: 4116 bytes 
Likelihood: Common 
Detected on: Dec 27, 1999 
Region Reported: Europe 
Characteristics: 1st of any month at 5pm
Description
VBS.KakWorm is a worm that spreads using Microsoft Outlook Express. The worm attaches itself to all outgoing messages via the Signature feature of Outlook Express. Signatures allow one to automatically append information at the end of all outgoing messages.

The worm utilizes a known Microsoft Outlook Express security hole so that a viral file is created on the system without having to run any attachment. Simply reading the received email message will cause the virus to be placed on the system.

Microsoft has patched this security hole already. The patch is available from Microsoft's website. If you have a patched version of Outlook Express, this worm will not affect you.

Technical Description
The worm appends itself to the end of legitimate outgoing messages as a signature. When the message is received, the worm automatically inserts a copy of itself into the appropriate StartUp directory of the Windows operating system, for both English and French language versions. The file created is named KAK.HTA.

HTA files are executed by current versions of Microsoft Internet Explorer or Netscape Navigator.

The system must be rebooted for this file to be executed. Once executed, the worm modifies the registry key:

HKCU/Identities//Software/Microsoft/Outlook/Express/5.0/signatures
in order to add its own signature file, which is the infected KAK.HTA file. This causes all outgoing mail to be appended by the worm.

In addition, the registry key:
HKLM/Software/Microsoft/Windows/CurrentVersion/Run/cAgOu
is added which causes the worm to be executed each time the computer is restarted.
Finally, if it is the first of the month and the hour is 17 (5:00pm), the following message is displayed:
Kagou-Anti-Kro$oft says not today!
and Windows is sent a shutdown message.
There is no other malicious payload.
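The two registry artefacts described above (the cAgOu value under the Run key and an Outlook Express signature entry pointing at KAK.HTA) are what an administrator would look for when checking a machine. The following is an added example, not code from the original page: it parses a Windows .reg export and reports both indicators. The export text is constructed for the example; the identity GUID is a placeholder, and the "Outlook Express" spelling of the key follows how a real export would render it.

```python
import re

# Constructed sample of a .reg export (not captured from a real machine),
# containing both KAK persistence artefacts described in the text.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"cAgOu"="C:\\WINDOWS\\SYSTEM\\KAK.HTA"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"name"="Signature #1"
"type"=dword:00000002
"file"="C:\\WINDOWS\\KAK.HTA"
"""


def parse_reg_export(text):
    """Minimal .reg parser: returns {key_path: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # Strip surrounding quotes and undo the .reg backslash doubling.
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_kak_indicators(text):
    """Return (key, value_name, data) tuples matching the KAK registry artefacts."""
    hits = []
    for key, values in parse_reg_export(text).items():
        is_run_key = key.lower().endswith(r"\currentversion\run")
        is_signature_key = re.search(r"\\identities\\.*\\signatures", key, re.I) is not None
        for name, data in values.items():
            if is_run_key and name.lower() == "cagou":
                hits.append((key, name, data))
            elif is_signature_key and "kak.hta" in data.lower():
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_kak_indicators(SAMPLE_REG_EXPORT):
        print(f"{key}\n  {name} = {data}")
```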

