Again, this is only a concern if you use Microsoft Outlook Express, like I do. If you have AOL and do use thier browser this will not affect you. My apologies for any inconvenience, but it seems that this is the price we pay to be interconnected.
As many of you may or may not know the newsletter last week was infected with the above worm virus. It is a relatively new virus and was first identified at the end of last year. I run virus protection software on all my systems. However, my home notebook was having troubles downloading the viral definition updates as I only have a very slow dial up connection at home.
The double dilemma is that my email professional list server www.topica.com also did not have this worm in their screening system which is why it was sent. They have since updated their system to prevent this from happening and I have also updated my system and cleaned it since the worm was sent out.
The simplest way to remove the virus is to go to the following web site:
Click here and dowload the kak cleaner in the left column.
One can also use an antiviral program (Norton is my favorite) and make sure you have updated virus definitions that are no more than a few months old. Usually these are availalble at no charge on line.
VBS.KakWorm spreads ONLY using Microsoft Outlook Express.
It attaches itself to all outgoing messages via the Signature feature of Outlook Express and Internet Explorer newsgroup reader.
The worm utilizes a known Microsoft Outlook Express security hole so that a viral file is created on the system without having to run any attachment. Simply reading the received email message will cause the virus to be placed on the system.
Microsoft has patched this security hole. The patch is available from Microsoft's website. If you have a patched version of Outlook Express, this worm will not work automatically.
Also known as: VBS.Kak.Worm, Kagou-Anti-Krosoft
Infection length: 4116 Bytes
Virus definitions: December 30, 1999
Payload: Modifies the registry keys and shuts down Windows Payload trigger: First of any month at 5pm Degrades performance: Shuts Down Windows Size of Attachment: 4116 bytes Target of infection: Microsoft Outlook Express, Internet Explorer Usenet Newsreader
Technical description
The worm appends itself to the end of legitimate outgoing messages as a signature. When receiving the message, the worm will automatically insert a copy of itself into the appropriate StartUp directory of the Windows operating system for both English and French language versions. The file created is named KAK.HTA.
The worm utilizes a known Microsoft Outlook Express security hole, Scriptlet.Typelib, so that a viral file is created on the system without having to run any attachment. Simply reading the received email message will cause the virus to be placed on the system.
HTA files are executed by current versions of Microsoft Internet Explorer or Netscape Navigator. The system must be rebooted for this file to be executed. Once executed, the worm modifies the registry key:
HKCU/Identities/<Identity>/Software/ Microsoft/Outlook/Express/5.0/signatures
in order to add its own signature file, which is the infected KAK.HTA file. This causes all outgoing mail to be appended by the worm. In addition, the registry key:
HKLM/Software/Microsoft/Windows/ CurrentVersion/Run/cAgOu
is added which causes the worm to be executed each time the computer is restarted.
Finally, if it is the first of the month and the hour is 17 (5:00pm), the following message is displayed:
Kagou-Anti-Kro$oft says not today! and Windows is sent the message to shutdown.