Virus Database


WScript.KakWorm

Description WScript.KakWorm

This worm is written in JavaScript and uses MS Outlook Express to spread. The worm does not attach itself to messages as regular worm viruses do, but embeds its body in a message as a script program.
The worm works on English and French Windows versions only. It also does not work when Windows is installed in a directory other than "C:\WINDOWS".
The worm is fully compatible with MS Outlook Express only. In MS Outlook, the worm is activated and infects the system, but it is not able to spread itself further, because it targets MS Outlook Express only to spread its copies. On other e-mail systems, the worm's functionality depends on that system's features.
While infecting the system, the worm creates three additional files containing its copy. The first two are used to infect the system and the last one is used to spread the worm's code via infected e-mail:
1. KAK.HTA in Windows startup folder
2. random named .HTA file in Windows system folder
3. KAK.HTM file in Windows folder
The worm has a payload routine. On the 1st of any month after 5:00 pm, it displays the following message:
Kagou-Anti-Kro$oft says not today !
and then forces Windows to exit.
Spreading
The worm arrives on a computer as an e-mail message in HTML format. The message body contains a script (a JavaScript program) that is the worm body itself. That program does not appear on the screen, because, in HTML documents, script programs are never displayed. As a result, upon opening an infected message (or upon previewing it), only the message body is displayed and no worm code is visible, but the script is automatically executed by the mailer, and the worm receives control.
The worm infects the system and spreads in three steps.
1. The worm creates its copy as a disk file in a Windows startup (auto-start) folder.
2. When the worm is run from the Windows startup folder, it moves itself to the Windows system directory, registers that new copy in the system registry in the auto-start section and removes the first copy from the Windows startup folder.
3. The worm accesses the MS Outlook Express registry section and registers the worm copy as the default signature there. Outlook Express will then automatically send the worm's code in every message that is sent.
The worm needs these steps because, in the first phase, it is able to access disk files only, not the system registry, so it needs to be run from a disk file (from the "Local Intranet zone") to modify the registry keys. The worm then deletes its copy from the Windows startup folder to hide itself, because all programs in that folder are visible in the Start -> Programs -> Startup menu.
Spreading: step 1 - being run from an infected message
Upon activation from an infected message, the worm gains access to the computer's local disk. To bypass the security restriction (local disk access is prohibited by default), the worm uses a security breach named "TypeLib Security Vulnerability." The worm creates an ActiveX object that is marked as safe for scripting and has the ability to write files to the disk. By using that ActiveX object, the worm obtains write access to the disk.
The worm then creates the KAK.HTA file and places its own code there. That file is placed in the Windows startup directory, and as a result, it will be executed upon the next Windows startup.
Comment:
An HTA file is an HTML Application, a file type that appears after installing Internet Explorer 5.0. HTA files contain regular HTML text with scripts inside, but when executed they run as standalone applications, without the Internet Explorer shell. This makes it possible to write powerful applications using regular scripts inside HTML.
While creating the KAK.HTA file, the worm does not determine the real path to the Windows directory and always assumes that Windows is installed in the "C:\WINDOWS" folder. Therefore, the worm is unable to spread on a system where Windows has been installed in a directory other than "C:\WINDOWS". The worm tries two variations of the Windows startup folder in which to place its copy:
MENUDÉ~1\PROGRA~1\DÉMARR~1 (default name in the French Windows version)
STARTM~1\Programs\StartUp (default name in the English Windows version)
In the case that the Windows startup directory has another name (in another Windows localization), the worm is unable to write its file there and so is not able to spread further.
Spreading: step 2 - being run from KAK.HTA
Upon the next Windows restart, the "KAK.HTA" file is activated from the Windows startup directory. The script program inside that file creates the same HTA file in the Windows system directory. That file has a system-dependent name (like "9A4ADF27.HTA"). The worm then modifies the system registry to execute that file upon each Windows startup. In case a user changes the default Outlook Express signature, the script in this file will restore the worm's components and registry settings; i.e., it will re-infect the system.
The "KAK.HTA" script then creates the "KAK.HTM" file that contains only the worm's code inside (that HTML page doesn't have any text to display other than just the pure worm script). This file is used later to infect messages.
Finally, the script appends to the "C:\AUTOEXEC.BAT" file commands that delete "KAK.HTA" from the startup directory, because that copy is no longer needed.
Spreading: step 3 - sending infected messages
The same script ("KAK.HTA") then modifies the system registry. It creates a new Outlook Express signature that refers to the "KAK.HTM" file and sets this signature as the default signature in Outlook Express. Starting from that moment, each time Outlook Express composes a message, it will insert the infected signature into the message (the content of the "KAK.HTM" file).
The worm is able to spread only via HTML-format messages (which is the MS Outlook Express default setting). RTF and plain-text messages are not infected and cannot be infected.
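As an added illustration (not part of the original description), the following Python checker looks, in a filesystem snapshot, for the on-disk artefacts described in steps 1 and 2: KAK.HTA in either startup-folder variant, KAK.HTM in the Windows folder, a script-bearing .HTA in the system folder, and the KAK.HTA deletion line appended to AUTOEXEC.BAT. The "C:\WINDOWS\SYSTEM" system-folder path and the sample snapshot are assumptions constructed for the example.

```python
import re

# Startup-folder names the worm tries (from the description; 8.3 short names,
# assumed to live under C:\WINDOWS because the worm hard-codes that path).
STARTUP_DIRS = (
    r"C:\WINDOWS\MENUDÉ~1\PROGRA~1\DÉMARR~1",   # French Windows default
    r"C:\WINDOWS\STARTM~1\Programs\StartUp",    # English Windows default
)
WINDOWS_DIR = r"C:\WINDOWS"
SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"   # assumption: Win9x-style system folder

def _norm(path):
    """Case-insensitive, backslash-normalised key for a Windows path."""
    return path.replace("/", "\\").lower()

def scan_kak_artifacts(files, autoexec=""):
    """files: dict of Windows path -> text content (a filesystem snapshot).
    autoexec: content of C:\\AUTOEXEC.BAT. Returns a list of (indicator, detail)."""
    findings = []
    snap = {_norm(p): (p, c) for p, c in files.items()}
    # Step 1 artefact: KAK.HTA in either startup folder.
    for d in STARTUP_DIRS:
        key = _norm(d + r"\KAK.HTA")
        if key in snap:
            findings.append(("KAK.HTA in startup folder", snap[key][0]))
    # Step 2 artefacts: KAK.HTM in the Windows folder and a random-named
    # .HTA in the system folder (flag any .HTA there that carries a script).
    key = _norm(WINDOWS_DIR + r"\KAK.HTM")
    if key in snap:
        findings.append(("KAK.HTM signature file in Windows folder", snap[key][0]))
    sys_prefix = _norm(SYSTEM_DIR) + "\\"
    for key, (path, content) in snap.items():
        if key.startswith(sys_prefix) and key.endswith(".hta") \
                and re.search(r"<script", content, re.I):
            findings.append(("Script-bearing .HTA in system folder", path))
    # Cleanup trace: an AUTOEXEC.BAT line that deletes KAK.HTA.
    for line in autoexec.splitlines():
        if re.search(r"\bdel\b.*kak\.hta", line, re.I):
            findings.append(("AUTOEXEC.BAT deletes KAK.HTA", line.strip()))
    return findings

# Constructed snapshot of a host after step 2 (placeholder content, not worm code).
SAMPLE_FILES = {
    r"C:\WINDOWS\SYSTEM\9A4ADF27.HTA": "<html><script>/* constructed */</script></html>",
    r"C:\WINDOWS\KAK.HTM": "<html><script>/* constructed */</script></html>",
    r"C:\WINDOWS\SYSTEM\README.HTA": "<html><body>help</body></html>",
}
SAMPLE_AUTOEXEC = "@echo off\ndel C:\\WINDOWS\\STARTM~1\\Programs\\StartUp\\kak.hta\n"

if __name__ == "__main__":
    for indicator, detail in scan_kak_artifacts(SAMPLE_FILES, SAMPLE_AUTOEXEC):
        print(f"{indicator}: {detail}")
```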
Protecting
The problem is that regular anti-virus scanning using on-demand scanners does not provide protection against this kind of worm. Each time an infected message is opened in Outlook, the worm will appear again. Moreover, if Outlook Express is configured to show a preview pane, it is enough just to select the infected message from the list for the worm to be activated.
1. In order to protect yourself, it is possible to use on-access scanners to catch the worm at the moment it writes itself to the disk. But on-access scanners are unable to prevent the worm's activation, because scripts in HTML e-mail messages are executed directly in system memory, without being stored in and run from a disk file.
The best course of action is to use anti-virus utilities that check script programs just before they are executed (see "AVP Script Checker"). Such programs may prevent the worm's activation and system infection.
2. To write its own file to the disk, the worm uses an Internet Explorer 5.0 security breach. Microsoft has released an update that eliminates the "Scriptlet.Typelib" security vulnerability. We strongly recommend that you visit http://support.microsoft.com/support/kb/articles/Q240/3/08.ASP and install this update.
3. If you do not plan on using any HTML applications (HTA-files) at work, there is another way to prevent infection by viruses of this type (the worms and viruses that use HTA files to spread). It is necessary to remove the file association for the .HTA extension. To do this, you have to follow several steps:
1. Double click the "My Computer" icon on your desktop.
2. From the window that appears, choose menu "View" -> "Options...".
3. In the "File Types" tab in the "Registered file types" listbox, select the "HTML Application" item.
4. Click the "Remove" button and confirm the action.
5. Close the options dialog box.


Euskara.811

Description Euskara.811

It is a non-dangerous, non-memory-resident parasitic virus. It searches for COM files, then writes itself to the end of each file. The virus leaves in the HMA a memory-resident program that hooks INT 9 (keyboard) and, depending on the keys that are pressed, either manifests itself with a video effect or decrypts and displays the message:
Milaka Urtez Eutsi Dugu Eta Milaka Urtez Eutsiko. Euskara, Jalgi Hadi Plazara.

EVC.161

Description EVC.161

It is a dangerous memory-resident overwriting virus. It hooks INT 21h and overwrites all files that are executed. It displays:
MaKe ViRii oUT T aSS

It also contains the internal text string:
EVC 1.0

    Copyright © 2005 Virus-Database.com