KAK Worm




Description:

VBS.KakWorm is a worm that spreads using Microsoft Outlook Express. The worm attaches itself to all outgoing messages via the Signature feature of Outlook Express; signatures let the user automatically append text to the end of every outgoing message.

The worm exploits a known Microsoft Outlook Express security hole so that the viral file is created on the system without the user having to run any attachment: simply reading the received email message places the virus on the system.

Microsoft has already patched this security hole. If you have a patched version of Outlook Express, this worm will not affect you.



Technical Description:

The worm appends itself to the end of legitimate outgoing messages as a signature. When the recipient reads the message, the worm automatically places a copy of itself in the StartUp directory of the Windows operating system (both the English and French language versions are handled). The file created is named KAK.HTA.

HTA files are executed by current versions of Microsoft Internet Explorer or Netscape Navigator.

The system must be rebooted for this file to be executed. Once executed, the worm modifies the registry key:

HKCU/Identities/<Identity>/Software/Microsoft/Outlook/Express/5.0/signatures

in order to add its own signature file, which is the infected KAK.HTA file. This causes the worm to be appended to all outgoing mail.

In addition, the registry key:

HKLM/Software/Microsoft/Windows/CurrentVersion/Run/cAgOu

is added, which causes the worm to be executed each time the computer is restarted.

Finally, if it is the first day of the month and the hour is 17 (5:00 pm), the following message is displayed:

Kagou-Anti-Kro$oft says not today!

and Windows is told to shut down.

There is no other malicious payload.



Removing the KAK Worm:

To remove the KAK Worm, please follow these steps.

  1. Click on Start, then click on Run.
  2. Type regedit, then click OK.
  3. Once Registry Editor is open and active on your screen, go to the following key by expanding the tree as described in steps 4 to 12:
    HKEY_CURRENT_USER/Identities/<Identity>/Software/Microsoft/Outlook/Express/5.0/signatures
  4. Double-click on HKEY_CURRENT_USER (window pane on the left).
  5. Once expanded, double-click on Identities.
  6. Once expanded, double-click on <Identity> (this will be a binary number inside "{}").
  7. Once expanded, double-click on Software.
  8. Once expanded, double-click on Microsoft.
  9. Once expanded, double-click on Outlook.
  10. Once expanded, double-click on Express.
  11. Once expanded, double-click on 5.0.
  12. Once expanded, double-click on signatures.
  13. You will see a folder like "00000000". Right-click each folder you see under signatures and choose Delete.
  14. Close Registry Editor.
  15. Open Registry Editor once again (Start/Run/regedit and OK).
  16. Once Registry Editor is open and active on your screen, go to the following key by expanding the tree as described in steps 17 to 21:
    HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run/cAgOu
  17. Double-click on HKEY_LOCAL_MACHINE (window pane on the left).
  18. Once expanded, double-click on Software.
  19. Once expanded, double-click on Microsoft.
  20. Once expanded, double-click on Windows.
  21. Once expanded, double-click on CurrentVersion.
  22. In the right pane you will see an entry called cAgOu. Right-click this entry and choose Delete.
  23. Close Registry Editor.
  24. Click Start.
  25. Go to Programs.
  26. Go to StartUp.
  27. Right-click on "kak.hta" and choose Delete.
  28. Restart your computer by going to Start/Shutdown/Restart Your Computer.

The virus should now be removed from your computer. To make sure you are not infected again by this virus or by any other, I recommend downloading and installing the latest version of Microsoft Internet Explorer 5.01 (please read on).
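The registry keys and StartUp file described in the Technical Description are the same three artifacts the manual steps above remove. The PowerShell script below is an added example, not part of the original page, that audits a machine for those artifacts and, only when run with -Remove, deletes them. It assumes the Outlook Express settings live under a single key named "Outlook Express" (the page writes the path as Outlook/Express), treats a signature as the worm's only when one of its values ends in kak.hta, and uses Windows' own StartUp folder lookup so that both English and French folder names are covered.

```powershell
<#
  Added example (not from the original page): find and optionally remove the
  VBS.KakWorm persistence artifacts described above.
  Assumptions: Outlook Express identity keys are
    HKCU:\Identities\{identity}\Software\Microsoft\Outlook Express\5.0\signatures
  and a signature belongs to the worm when one of its values ends in kak.hta.
  Run as the affected user; removing the HKLM Run value needs an elevated prompt.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without -Remove the script only reports what it finds
)

$findings = @()
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# 1. Outlook Express signature entries whose file is KAK.HTA (one per identity)
foreach ($identity in (Get-ChildItem 'HKCU:\Identities' -ErrorAction SilentlyContinue)) {
    $sigRoot = "$($identity.PSPath)\Software\Microsoft\Outlook Express\5.0\signatures"
    if (-not (Test-Path $sigRoot)) { continue }
    foreach ($sig in (Get-ChildItem $sigRoot)) {
        $hit = (Get-ItemProperty $sig.PSPath).PSObject.Properties |
               Where-Object { $_.Value -is [string] -and $_.Value -match 'kak\.hta$' } |
               Select-Object -First 1
        if ($hit) {
            $findings += [pscustomobject]@{ Kind = 'OE signature'; Path = $sig.PSPath; Value = $hit.Value }
        }
    }
}

# 2. The cAgOu value under HKLM ...\Run that relaunches the worm at every restart
$run = Get-ItemProperty -Path $runKey -Name 'cAgOu' -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{ Kind = 'Run value'; Path = "$runKey\cAgOu"; Value = $run.cAgOu }
}

# 3. kak.hta dropped in the per-user or all-users StartUp folder
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if (-not $dir) { continue }
    foreach ($file in (Get-ChildItem -Path $dir -Filter 'kak.hta' -File -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{ Kind = 'StartUp file'; Path = $file.FullName; Value = $file.Length }
    }
}

if (-not $findings) {
    Write-Output 'No KAK worm artifacts found.'
    return
}

$findings | Format-Table -AutoSize | Out-Host

if ($Remove) {
    foreach ($f in $findings) {
        switch ($f.Kind) {
            'OE signature' {
                if ($PSCmdlet.ShouldProcess($f.Path, 'Remove signature key')) {
                    Remove-Item -Path $f.Path -Recurse
                }
            }
            'Run value' {
                if ($PSCmdlet.ShouldProcess($f.Path, 'Remove Run value')) {
                    Remove-ItemProperty -Path $runKey -Name 'cAgOu'
                }
            }
            'StartUp file' {
                if ($PSCmdlet.ShouldProcess($f.Path, 'Delete file')) {
                    Remove-Item -Path $f.Path -Force
                }
            }
        }
    }
    Write-Output 'Artifacts removed; restart the computer to complete the clean-up.'
}
```

Run it once without arguments to see a report, then with -Remove -WhatIf to preview the deletions, and finally with -Remove. Unlike step 13 above, which deletes every folder under signatures, the script removes only signature entries that reference kak.hta, so any legitimate signatures the user configured survive; if you prefer the page's broader approach, delete the remaining signature subkeys by hand afterwards.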



Internet Explorer 5.01:

You can download and set up Microsoft Internet Explorer 5.01 from Microsoft's Web Site.

Go to this site, click on DOWNLOAD NOW, click "Run this program from its current location" and click OK.

Once the file opens, follow the instructions on the screen.



If you have any further questions please don't hesitate to drop me a line. My e-mail address is ejf@asheville.com

Joe Ferguson
Last Revised 05/09/02 05:37