Return to index: [Subject] [Thread] [Date] [Author]

VBS_KAKWORM.A-M information from Trend Micro

[Subject Prev][Subject Next][Thread Prev][Thread Next]

Try this. Good luck to all

The following description of VBS_KAKWORM.A-M was sent to you by Efren Allan Yango (engreay(--nospam--at) from at 1/27/01 9:19:12 PM (U.S. Pacific Time)


Aliases: KAKWORM.A-M, VBS_KAKWORM.A, KAKWORM.A, Wscript.KakWorm, Kagou-Anti-Kros, HTML_KAKWORM.A
Risk rating: Low
Virus type: _vbscript_
Destructive: N


VBS_KakWorm.A-M is a direct action worm, similar to VBS_KakWorm.A, that is compatible with the Windows Scripting Host interpreter. In the case VBS_KakWorm.A-M however, the viral code is embedded as text in the tainted email. You must have MS IE 5 or a browser that supports Windows Scripting for this worm to execute. VBS_KakWorm.A utilizes the same security hole as VBS_BubbleBoy, wherein simply viewing email through the preview pane triggers the worm. Users having the latest security patches for Outlook Express, and High Security settings in their browsers can avoid this worm from triggering.


Once Infected DO NOT REBOOT or re-log your computer.

Please delete the following:

  1. The lines in your Autoexec.bat
    @echo off>C:\Windows\STARTM~1\Programs\StartUp\
    kak.hta del C:\Windows\STARTM~1\Programs\StartUp\kak.hta
  2. In the following folders
    C:\Windows\START MENU\Programs\StartUp\kak.hta
  3. In your Registry
    Currentversion\Run\cAg0u = C:\WINDOWS\SYSTEM\.hta
    HKEY_CURRENT _USER\Identities\\Software\Microsoft\Outlook Express\5.0\
    signatures\Default Signature = 00000000
If you need further assistance with this solution, please send an email to virus_doctor(--nospam--at)

Technical Details

In the wild:Yes
Trigger date 1: 1st Any Day
Trigger condition 1: Day = 1 AND Hour = 17 (5:00 PM)
Payload 1: Displays Message
Payload 2: Others (shuts down Windows)
Detected by pattern file#: 635
Detected by scan engine#: 2.082
Language: English
Platform: Windows 98/2000
Encrypted: No
Size of virus: 4,116 Bytes

VBS_KakWorm.A-M utilizes the same security hole as VBS_BubbleBoy, wherein simply viewing email through the preview pane triggers the worm’s payload.

Users having the newest security patches for Outlook Express, and High Security in their browser settings avoid this worm from triggering.

When this worm is received via email, it initially drops KAK.HTM into the c:\windows directory and a temporary file with an HTA extension in the c:\windows\system directory. It also drops KAK.HTA in your StartUp directory (appropriately for either version of Windows).

Windows NT and Windows systems whose default operating system directory is not c:\windows are not infected by this worm since it specifically searches for the exact directory c:\windows.

Changing the settings required to spam itself only commences when the infected computer is rebooted. Additionally, AUTOEXEC.BAT file is also modified to contain the following:


This effectively removes traces of KAK.HTA in the StartUp directory and prevents duplication of the initial “drop procedure.”

The modified Windows Registry entries are:

Windows\Currentversion\Run\cAg0u =

HKEY_CURRENT _USER\Identities\\Software\Microsoft\Outlook
Express\5.0\signatures\Default Signature = 00000000

Microsoft Outlook Express is modified to have the default signature settings to the KAK.HTM file.

The payload is triggered when the day date is 1 and the time is 1700 Hrs or 5:00 PM when it displays the following message:
“Kagou-Anti-Kro$oft says not today !” and then the worm calls the shutdown function of Windows.


Would you like to get FREE email alerts delivered to your inbox?  Copyright 2001 Trend Micro, Inc. All rights reserved. Legal notice