VBS_KAKWORM.A-M information from Trend Micro
- To: <seaint(--nospam--at)seaint.org>
- Subject: VBS_KAKWORM.A-M information from Trend Micro
- From: "Efren Allan Yango" <engreay(--nospam--at)pacific.net.ph>
- Date: Sat, 27 Jan 2001 21:19:12 -0800
Try this. Good luck to all
The following description of VBS_KAKWORM.A-M was sent to you by Efren Allan Yango (engreay(--nospam--at)pacific.net.ph) from www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_KAKWORM.A-M at 1/27/01 9:19:12 PM (U.S. Pacific Time)
Aliases: KAKWORM.A-M, VBS_KAKWORM.A, KAKWORM.A, Wscript.KakWorm, Kagou-Anti-Kros, HTML_KAKWORM.A
Risk rating: Low
Virus type: VBScript
VBS_KakWorm.A-M is a direct action worm, similar to VBS_KakWorm.A, that is compatible with the Windows Scripting Host interpreter. In the case of VBS_KakWorm.A-M, however, the viral code is embedded as text in the tainted email. You must have MS IE 5 or a browser that supports Windows Scripting for this worm to execute. VBS_KakWorm.A utilizes the same security hole as VBS_BubbleBoy, wherein simply viewing email through the preview pane triggers the worm. Users who have the latest security patches for Outlook Express and High Security settings in their browsers can prevent this worm from triggering.
Once infected, DO NOT REBOOT or re-log your computer.
Please delete the following:
- The lines in your Autoexec.bat
  kak.hta del C:\Windows\STARTM~1\Programs\StartUp\kak.hta
- In the following folders
- In your Registry
  Currentversion\Run\cAg0u = C:\WINDOWS\SYSTEM\
  signatures\Default Signature = 00000000
If you need further assistance with this solution, please send an email to virus_doctor(--nospam--at)trendmicro.com.
In the wild: Yes
Trigger date 1: 1st Any Day
Trigger condition 1: Day = 1 AND Hour = 17 (5:00 PM)
Payload 1: Displays Message
Payload 2: Others (shuts down Windows)
Detected by pattern file#: 635
Detected by scan engine#: 2.082
Platform: Windows 98/2000
Size of virus: 4,116 Bytes
VBS_KakWorm.A-M utilizes the same security hole as VBS_BubbleBoy, wherein simply viewing email through the preview pane triggers the worm’s payload.
Users who have the newest security patches for Outlook Express and High Security in their browser settings can prevent this worm from triggering.
When this worm is received via email, it initially drops KAK.HTM into the c:\windows directory and a temporary file with an HTA extension in the c:\windows\system directory. It also drops KAK.HTA in your StartUp directory (appropriately for either version of Windows).
Windows NT and Windows systems whose default operating system directory is not c:\windows are not infected by this worm since it specifically searches for the exact directory c:\windows.
The worm only begins changing the settings it needs to spam itself when the infected computer is rebooted. Additionally, the AUTOEXEC.BAT file is modified to contain the following:
This effectively removes traces of KAK.HTA in the StartUp directory and prevents duplication of the initial “drop procedure.”
The modified Windows Registry entries are:
Express\5.0\signatures\Default Signature = 00000000
Microsoft Outlook Express is modified so that its default signature setting points to the KAK.HTM file.
The payload is triggered when the day of the month is 1 and the time is 1700 hrs (5:00 PM). The worm then displays the following message:
“Kagou-Anti-Kro$oft says not today !” and calls the shutdown function of Windows.
Copyright 2001 Trend Micro, Inc. All rights reserved.
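A defender-side check for the file artifacts named in the description, added here as an example and not part of the original message or of Trend Micro's text: it scans a copy of an affected C: drive for KAK.HTM, KAK.HTA, HTA files in windows\system, and AUTOEXEC.BAT lines that mention kak.hta. The function names, the long "Start Menu" form of the StartUp path, the SAMPLE01.HTA file name and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Artifact paths from the description, lowercase; matching ignores case.
FIXED_ARTIFACTS = {
    "KAK.HTM in windows directory": "windows/kak.htm",
    "KAK.HTA in StartUp (8.3 name)": "windows/startm~1/programs/startup/kak.hta",
    "KAK.HTA in StartUp (long name)": "windows/start menu/programs/startup/kak.hta",  # assumption
}

def find_ci(root, relpath):
    """Resolve a lowercase relpath under root ignoring case; None if absent."""
    current = root
    for part in relpath.split("/"):
        names = os.listdir(current) if os.path.isdir(current) else []
        match = [n for n in names if n.lower() == part]
        if not match:
            return None
        current = os.path.join(current, match[0])
    return current

def scan_for_kakworm(root):
    """Return (artifact, detail) findings for a copy of a C: drive at root."""
    findings = []
    for label, rel in FIXED_ARTIFACTS.items():
        if (path := find_ci(root, rel)):
            findings.append((label, path))
    # The temporary HTA dropper has no fixed name here, so report every .hta file.
    if (system_dir := find_ci(root, "windows/system")):
        for name in sorted(os.listdir(system_dir)):
            if name.lower().endswith(".hta"):
                findings.append(("HTA file in windows\\system", os.path.join(system_dir, name)))
    if (autoexec := find_ci(root, "autoexec.bat")):
        with open(autoexec, errors="replace") as fh:
            for number, line in enumerate(fh, 1):
                if "kak.hta" in line.lower():
                    findings.append(("AUTOEXEC.BAT line %d" % number, line.strip()))
    return findings

def build_sample_tree():
    """Constructed sample: temp directory laid out like an affected C: drive."""
    root = tempfile.mkdtemp()
    bat = "@echo off\ndel C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak.hta\n"
    for rel, text in [("WINDOWS/KAK.HTM", ""), ("WINDOWS/SYSTEM/SAMPLE01.HTA", ""),
                      ("WINDOWS/STARTM~1/Programs/StartUp/kak.hta", ""), ("AUTOEXEC.BAT", bat)]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root
```

Calling `scan_for_kakworm(build_sample_tree())` returns one finding per artifact in the constructed tree; a clean directory returns an empty list.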