================================================
Subject: Your weekly virus warning (yeah I fell behind)
From: ]\\\\[][G}{T§TÖ®]v[
To:
Date: Sun 20 May 2001 18:43:09 -0400
================================================

Just a reminder... just finished helping a friend remove this one from their computer... it's one to keep a watch for, since most of the people here on the list do use Outlook Express, and Signature Lines...

TAKEN FROM http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_KAKWORM.A

VBS_KAKWORM.A

Risk rating: MEDIUM RISK
Destructive: N
Aliases: KAKWORM.A-M, Kakworm.B, KAKWORM.A, Wscript.KakWorm, Kagou-Anti-Kros, HTML_KAKWORM.A

Description:
VBS_KakWorm.A is a direct action worm that is compatible with the Windows Scripting Host interpreter. You must have MS IE 5 or a browser that supports Windows Scripting for this worm to execute. This worm modifies your default signature in Outlook Express, embedding itself in the message. This worm is compatible with both the English and French versions of Windows.

Solution:
Warning: Once infected DO NOT REBOOT or re-log into your computer.

1. To delete and correct the registry entries created and modified by VBS_KAKWORM.A, please read the Readme file (http://www.antivirus.com/vinfo/security/readme_kakworm.txt) and run Trend's free tool Fix_Kak.Exe (http://www.antivirus.com/vinfo/security/fix_kak.exe). This tool does not remove the virus from your system.

2. To remove the virus, scan your system with Trend antivirus and delete all files detected as VBS_KAKWORM.A. To do this, Trend customers must download the latest pattern file (http://www.antivirus.com/download/pattern.asp) and scan their system. Other email users may use Trend HouseCall (http://housecall.antivirus.com/), a free online virus scanner.
In the wild: Yes
Trigger condition 1: Day = 1 and Hour = 17 (5:00 PM)
Payload 1: Displays Message
Payload 2: Others (shuts down Windows)
Detected by pattern file #: 635
Detected by scan engine #: 2.088
Language: English
Platform: Windows
Encrypted: No
Size of virus: 4,116 Bytes

Details:
VBS_KakWorm.A utilizes the same security hole as VBS_BubbleBoy, wherein simply viewing email through the preview pane triggers the worm's payload. Users who have the newest security patches for Outlook Express and High Security in their browser settings prevent this worm from triggering.

When this worm is received via email, it initially drops KAK.HTM into the c:\windows directory and a temporary file with an HTA extension in the c:\windows\system directory. It also drops KAK.HTA in your StartUp directory (appropriately for either version of Windows).

Note: Windows NT and Windows systems whose default operating system directory is not C:\WINDOWS are free from this virus because the virus specifically searches for the exact directory C:\WINDOWS.

Changing the settings required to spam itself only commences when the infected computer is rebooted. Additionally, the AUTOEXEC.BAT file is also modified to contain the following:

    @echo off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta
    del C:\Windows\STARTM~1\Programs\StartUp\kak.hta

This effectively removes traces of KAK.HTA in your StartUp directory and prevents duplication of the initial "drop procedure." The worm now renames the original AUTOEXEC file to AE.KAK.

The modified Windows Registry entries are:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cAg0u = C:\WINDOWS\SYSTEM\.hta
    HKEY_CURRENT_USER\Identities\\Software\Microsoft\Outlook Express\5.0\signatures\Default Signature = 00000000

Microsoft Outlook Express is modified to have the default signature settings to the KAK.HTM file.
The payload is triggered when the day date is 1 and the time is 1700 Hrs or 5:00 PM, when it displays the following message:

    "Kagou-Anti-Kro$oft says not today !"

and then the worm calls the shutdown function of Windows.

To unsubscribe or change your preferences for the Creed-Discuss list, visit:
http://www.winduplist.com/ls/discuss/form.asp
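The drop and persistence chain the forwarded advisory describes (kak.hta in StartUp, the two lines appended to AUTOEXEC.BAT, the cAg0u Run value pointing at an HTA under SYSTEM, and the Outlook Express default signature pointed at KAK.HTM) is exactly the set of indicators a responder would check before reaching for the vendor fix tool. The script below is an added example; it is not Trend's Fix_Kak.Exe and not code from the original message. It assumes the artifacts have been exported off the suspect machine (the AUTOEXEC.BAT text, a REGEDIT4 export of the relevant keys, and a file listing), so it never opens the HTA or touches the live registry. The sample inputs are constructed; the identity GUID and the HTA file name under SYSTEM are placeholders because the advisory does not give them.

```python
"""Offline triage for the VBS_KAKWORM.A artifacts the advisory lists.

Added example, not Trend's Fix_Kak and not code from the original message.
It reads copies exported from the suspect machine (AUTOEXEC.BAT text, a
REGEDIT4 export, a file listing). The samples at the bottom are constructed.
"""
import re

# Names taken from the advisory; matching is case-insensitive (FAT paths).
KAK_HTM, KAK_HTA, RENAMED_AUTOEXEC = "kak.htm", "kak.hta", "ae.kak"
RUN_KEY = "software\\microsoft\\windows\\currentversion\\run"
OE_SIG_KEY = "outlook express\\5.0\\signatures"


def _norm(path):
    return path.replace("/", "\\").lower()


def check_autoexec(text):
    """Flag the two lines the worm appends. The first is not a harmless
    'echo off': its empty output is redirected into kak.hta, truncating the
    StartUp copy to zero bytes before the second line deletes it."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        low = line.lower()
        if KAK_HTA not in low:
            continue
        if re.match(r"@?echo\s+off\s*>", low):
            findings.append(f"AUTOEXEC.BAT line {n} truncates StartUp kak.hta: {line}")
        elif low.startswith("del "):
            findings.append(f"AUTOEXEC.BAT line {n} deletes StartUp kak.hta: {line}")
    return findings


def parse_reg_export(text):
    """Minimal REGEDIT4 parser: {key: {value_name: data}}, strings unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys


def check_registry(reg_text):
    """Flag the Run entry and the Outlook Express signature the worm plants."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        if k.endswith(RUN_KEY):
            for name, data in values.items():
                if _norm(data).endswith(".hta"):
                    findings.append(f"Run value {name!r} launches an HTA at logon: {data}")
        elif OE_SIG_KEY in k:
            for name, data in values.items():
                if KAK_HTM in _norm(data):
                    findings.append(f"OE signature value {name!r} under {key} -> {data}")
    return findings


def check_files(paths):
    """Flag dropped and renamed files at the locations the advisory names."""
    findings = []
    for p in paths:
        n = _norm(p)
        base = n.rsplit("\\", 1)[-1]
        if n == "c:\\windows\\" + KAK_HTM:
            findings.append(f"dropped signature file: {p}")
        elif base == KAK_HTA and "\\startup\\" in n:
            findings.append(f"dropped StartUp HTA: {p}")
        elif base == RENAMED_AUTOEXEC:
            findings.append(f"original AUTOEXEC.BAT renamed by worm: {p}")
        elif n.startswith("c:\\windows\\system\\") and n.endswith(".hta") and n.count("\\") == 3:
            findings.append(f"HTA directly in SYSTEM (Run key target): {p}")
    return findings


def triage(autoexec_text, reg_text, paths):
    findings = check_autoexec(autoexec_text) + check_registry(reg_text) + check_files(paths)
    return {"infected": bool(findings), "findings": findings}


# Constructed samples. The identity GUID and the HTA name under SYSTEM are
# placeholders because the advisory does not give them.
SAMPLE_AUTOEXEC = "\n".join([
    "@echo off",
    "SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND",
    "@echo off>C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak.hta",
    "del C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak.hta",
])
SAMPLE_REG = "\n".join([
    "REGEDIT4",
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]",
    '"ScanRegistry"="C:\\\\WINDOWS\\\\scanregw.exe /autorun"',
    '"cAg0u"="C:\\\\WINDOWS\\\\SYSTEM\\\\PLACEHOLDER.hta"',
    "[HKEY_CURRENT_USER\\Identities\\{PLACEHOLDER-GUID}\\Software\\Microsoft\\Outlook Express\\5.0\\signatures]",
    '"Default Signature"="00000000"',
    "[HKEY_CURRENT_USER\\Identities\\{PLACEHOLDER-GUID}\\Software\\Microsoft\\Outlook Express\\5.0\\signatures\\00000000]",
    '"file"="C:\\\\WINDOWS\\\\kak.htm"',
])
SAMPLE_PATHS = [
    "C:\\AUTOEXEC.BAT", "C:\\AE.KAK", "C:\\WINDOWS\\KAK.HTM",
    "C:\\WINDOWS\\SYSTEM\\PLACEHOLDER.HTA", "C:\\WINDOWS\\SYSTEM\\VBSCRIPT.DLL",
    "C:\\WINDOWS\\Start Menu\\Programs\\StartUp\\kak.hta",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_AUTOEXEC, SAMPLE_REG, SAMPLE_PATHS)["findings"]:
        print(" -", f)
```

Working from exported copies is deliberate: the advisory says not to reboot or log back in once infected, because the Run value and the StartUp HTA fire at the next logon, and the AUTOEXEC.BAT lines then wipe the StartUp copy you would want as evidence. Against the constructed samples the script reports eight findings; against a clean AUTOEXEC.BAT, an empty export and a file list without the dropped names it reports none.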