Dear corporeal ones:
I've just done some quick hunting on the WWW, and it seems that our
friendly virus WScript/worm is more annoying than malicious, and then
only after 5:00 pm on the first of any month.
Good news: It only affects you if you use MS Outlook Express 5.0, and a
patch is available from MS at:
Apparently, if you or your system administrator has already applied the
patch, then you need not worry. And if you don't use Outlook Express
(I'm on Netscape, so presumably I'm clean), then apparently there is no
From one of the quotes below:
versions of Windows 95/98 if Outlook Express 5 is installed.
If this is your case, then you've possibly been sending it out with all
Following are partial extracts from two commercial sites (duly
My apologies, but I couldn't find how to get rid of it other than the MS
Take care and stay clean!
--
Gordon Cain
Teacher of ESOL
TAFE International Education Centre
Liverpool (Sydney) Australia
email@example.com
=====================================================================
From Symantec (Norton):
Detected as: Wscript.KakWorm
Aliases: VBS.Kak.Worm, Kagou-Anti-Krosoft
Infection Length: 4116 bytes
Likelihood: Common
Detected on: Dec 27, 1999
Region Reported: Europe
Characteristics: 1st of any month at 5pm
VBS.KakWorm is a worm, which spreads using Microsoft Outlook Express. The worm attaches itself to all outgoing messages via the Signature feature of Outlook Express. Signatures allow one to automatically append information at the end of all outgoing messages.
The worm utilizes a known Microsoft Outlook Express security hole so that a viral file is created on the system without having to run any attachment. Simply reading the received email message will cause the virus to be placed on the system.
Microsoft has patched this security hole already. The patch is available from Microsoft's website. If you have a patched version of Outlook Express, this worm will not affect you.
The worm appends itself to the end of legitimate outgoing messages as a signature. When receiving the message, the worm will automatically insert a copy of itself into the appropriate StartUp directory of the Windows operating system for both English and French language versions. The file created is named KAK.HTA.
HTA files are executed by current versions of Microsoft Internet Explorer or Netscape Navigator.
The system must be rebooted for this file to be executed. Once executed, the worm modifies the registry key:
in order to add its own signature file, which is the infected KAK.HTA file. This causes all outgoing mail to be appended by the worm.
In addition, the registry key:
is added which causes the worm to be executed each time the computer is restarted.
Finally, if it is the first of the month and the hour is 17 (5:00pm), the following message is displayed:
Kagou-Anti-Kro$oft says not today!
and Windows is sent the message to shut down.
There is no other malicious payload.
=====================================================================
And from the people who make F-Prot (European apparently) at:
F-Secure Virus Information Pages
NAME: Kak
ALIAS: Wscript.KakWorm, KakWorm
The worm uses a known security vulnerability in Outlook Express. When a user receives an infected email message, the worm creates a file "kak.hta" in the Windows Startup directory.
When the system is restarted, the worm activates. It replaces "c:\autoexec.bat" with a batch file that deletes the worm from the Startup directory. The original "autoexec.bat" is copied to "C:\AE.KAK".
It also modifies the message signature settings of Outlook Express 5.0 replacing the current signature with an infected file, "C:\Windows\kak.htm".
Therefore every message sent with Outlook Express after that will contain the worm.
Next it modifies the Windows registry in such a way that it will be executed at every system startup. On the first day of each month, if the number of hours is more than 17 (5:00pm), the worm will show an alert box with the following text:
Kagou-Anit-Kro$oft say not today!
Then the worm causes Windows to shut down.
[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]
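
A triage check built only from the file names in the two extracts above, as an added example that is not part of the original message or of either vendor's tooling: it walks a mounted copy of a C: drive and reports kak.hta, C:\Windows\kak.htm, C:\AE.KAK and a replaced autoexec.bat. The function names, the sample tree and the rule that the replacement autoexec.bat mentions kak.hta are assumptions; the registry keys are not checked because the message does not list them.

```python
import os
import tempfile

# File names from the Symantec and F-Secure extracts quoted above.
DROPPED_HTA = "kak.hta"      # dropped into the Startup directory
SIGNATURE_HTM = "kak.htm"    # infected signature, C:\Windows\kak.htm
AUTOEXEC_BACKUP = "ae.kak"   # original autoexec.bat, C:\AE.KAK


def scan_kak_artifacts(root):
    """Return sorted (kind, relative_path) findings; names match in any case."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        at_root = rel_dir == "."
        parent = os.path.basename(dirpath).lower()
        for name in files:
            low = name.lower()
            rel = name if at_root else os.path.join(rel_dir, name)
            if low == DROPPED_HTA:
                findings.append(("dropped-hta", rel))
            elif low == SIGNATURE_HTM and parent == "windows":
                findings.append(("signature-file", rel))
            elif low == AUTOEXEC_BACKUP and at_root:
                findings.append(("autoexec-backup", rel))
            elif low == "autoexec.bat" and at_root:
                # Assumption: the replacement batch file names kak.hta.
                with open(os.path.join(dirpath, name), "rb") as fh:
                    if b"kak.hta" in fh.read(65536).lower():
                        findings.append(("autoexec-replaced", rel))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: placeholder files only, no worm content."""
    startup = os.path.join(root, "WINDOWS", "Start Menu", "Programs", "StartUp")
    os.makedirs(startup)
    for path in (os.path.join(startup, "KAK.HTA"),
                 os.path.join(root, "WINDOWS", "kak.htm"),
                 os.path.join(root, "AE.KAK")):
        open(path, "w").close()
    with open(os.path.join(root, "AUTOEXEC.BAT"), "w") as fh:
        fh.write("rem constructed placeholder mentioning kak.hta\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for kind, rel in scan_kak_artifacts(tmp):
            print(kind, rel)
```

A hit on the dropped kak.hta alone means the message was read on an unpatched client but the machine has not yet rebooted; the other three only appear after the restart described in the F-Secure extract.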