VBS_KAKWORM.A
Aliases:
KAKWORM.A-M, Kakworm.B, KAKWORM.A, Wscript.KakWorm, Kagou-Anti-Kros,
HTML_KAKWORM.A
Description:
VBS_KakWorm.A is a direct action worm that runs under the Windows Scripting
Host interpreter. It requires MS IE 5 or another browser that supports
Windows Scripting in order to execute. The worm modifies your default
signature in Outlook Express so that it is embedded in every outgoing
message. It works on both the English and French versions of Windows.
Solution:
Warning: Once infected DO NOT REBOOT or re-log into your computer. Please
remove the following:
1] The lines in your AUTOEXEC.BAT:
@echo off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta
del C:\Windows\STARTM~1\Programs\StartUp\kak.hta
Or delete the file AUTOEXEC.BAT and rename AE.KAK to AUTOEXEC.BAT.
2] In the following folders delete KAK.HTA
C:\Windows\START MENU\Programs\StartUp\kak.hta
C:\WINDOWS\KAK.HTA
Also remove the temporary .HTA file, which is located in the
C:\WINDOWS\SYSTEM directory.
3] In your Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cAg0u = C:\WINDOWS\SYSTEM\<variable>.hta
HKEY_CURRENT_USER\Identities\<user's identity>\Software\Microsoft\Outlook Express\5.0\Signatures\Default Signature = 00000000
In the wild: Yes
Trigger condition 1: Day = 1 and Hour = 17 (5:00 PM)
Payload 1: Display Message
Payload 2: Others (shuts down Windows)
Detected by pattern file#: 635
Detected by scan engine#: 2.088
Language:
English
Platform: Windows 98/2000
Encrypted: No
Size of virus: 4,116 Bytes
Details:
VBS_KakWorm.A exploits the same security hole as VBS_BubbleBoy: simply
viewing the email in the preview pane is enough to run the worm. Users who
have applied the latest security patches for Outlook Express and set their
browser security level to High prevent this worm from triggering.
When this worm is received via email, it first drops KAK.HTM into the
C:\WINDOWS directory and a temporary file with an .HTA extension into the
C:\WINDOWS\SYSTEM directory. It also drops KAK.HTA into your StartUp
directory (in the location appropriate for either version of Windows).
Note: Windows NT systems, and any Windows system whose operating system
directory is not C:\WINDOWS, are not affected, because the worm looks
specifically for the directory C:\WINDOWS.
The settings changes the worm needs in order to mail itself take effect
only after the infected computer is rebooted. The worm first renames the
original AUTOEXEC.BAT to AE.KAK, then writes a new AUTOEXEC.BAT containing
the following:
@echo off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta
del C:\Windows\STARTM~1\Programs\StartUp\kak.hta
This removes the trace of KAK.HTA from your StartUp directory and prevents
the initial "drop procedure" from running a second time.
The modified Windows Registry entries are:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cAg0u = C:\WINDOWS\SYSTEM\<temporary variable>.hta
HKEY_CURRENT_USER\Identities\<user's identity>\Software\Microsoft\Outlook Express\5.0\Signatures\Default Signature = 00000000
The Outlook Express default signature setting is pointed at the KAK.HTM
file, so the worm is embedded in every message sent.
The payload is triggered when the day of the month is 1 and the time is
17:00 (5:00 PM). It displays the following message:
"Kagou-Anti-Kro$oft says not today !" and then calls the Windows shutdown
function.
http://www.geocities.com/forum_hmif/download/kill_kak.zip
Good luck!!
<<== Say what? ==((TheTruthIsOutThere))== Say what? ==>>
IMAWA E-mail : [EMAIL PROTECTED]
Http://mypage.org/imawa
Http://imawa.freehomepage.com
Dvadasaram nahi tad jaraya,
varvarti cakram pari dyam rtasya
Rgveda I. 164.11
The cycle of the year consists of 12 spokes (that is, months). It never wears out;
it turns in the middle region (that is, the sky).
Madhus ca madhavas ca vasanti-
kau-rtu sukras ca sucis ca
graismau-rtu. nabhas ca nabhasyas
ca varsikau-rtu. isas ca urjas ca
saradau-rtu. sahas ca sahasyas ca
haimantikau-rtu, tapas ca tapasyas
ca saisirau-rtu.
Yajurveda XIII. 25; XIV,6;
XIV. 5; XIV.16; XIV. 27; XV. 57
The twelve months are as follows.
Technical Name          Popular Name            Season (Sanskrit)  Season (English)
(1-2)   Madhu-Madhava   Chaitra-Vaisakha        Vasanta            Spring
(3-4)   Sukra-Suci      Jyestha-Asadha          Grisma             Summer
(5-6)   Nabhas-Nabhasya Sravana-Bhadrapada      Varsa              Rainy
(7-8)   Isa-Urja        Asvina-Kartika          Sarad              Autumn
(9-10)  Sahas-Sahasya   Margasirsa-Pausa        Hemanta            Cold (Frost)
(11-12) Tapas-Tapasya   Magha-Phalguna          Sisira             Cold
*Note
Artava = divisions of time
kala = 1 minute
kastha = 1/30 kala (2 seconds)
vikala = 1/60 kala (1 second)
hayana = day or night
sama = two weeks (half a month)
masa = month
rtu = 2 months
samvatsara = year
Atharvaveda III. 10.9
------------------------------------------------------------------------
Forum Komunikasi Penulis-Pembaca MIKRODATA (FKPPM)
Information : http:[EMAIL PROTECTED]
Archive : http://www.mail-archive.com/forum%40mikrodata.co.id/
WAP : http://mikrodata.co.id/wap/index.wml
This mailing list contributes to several columns edited by the MIKRODATA team,
including columns that appear in other media.
Using, distributing, and copying pirated software is a criminal act.
Please check with the latest AVP update before you ask about a virus:
ftp://mikrodata.co.id/avirus_&_security/AntiViral_Toolkit_Pro/avp30.zip
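The removal steps and the infection details above list the worm's on-disk and registry indicators: the two lines appended to AUTOEXEC.BAT, the dropped KAK.HTM/KAK.HTA files, and the cAg0u Run value pointing at a randomly named .HTA in C:\WINDOWS\SYSTEM. The following is an added example (not part of the original posting or of any antivirus vendor's tool) that turns those indicators into a check and a cleanup of the AUTOEXEC.BAT text, and reports whether rebooting is still unsafe (the Run value re-launches the dropped .HTA at boot). It works on data passed in, so it runs offline on any platform; the sample AUTOEXEC.BAT contents, file list, Run values and the .HTA name A3C2F.hta are constructed here for illustration, not captured from an infected machine. On a real Windows 9x host you would feed it the contents of C:\AUTOEXEC.BAT, a directory listing, and the values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

```python
"""Indicator check and AUTOEXEC.BAT cleanup for VBS_KAKWORM.A.

Added example, not code from the original posting. All sample data below
is constructed for illustration.
"""
import re

# Drop locations named in the description (8.3 and long-name forms of the
# StartUp folder); compared case-insensitively because FAT is.
KAK_FILES = (
    r"C:\WINDOWS\KAK.HTM",
    r"C:\WINDOWS\KAK.HTA",
    r"C:\Windows\START MENU\Programs\StartUp\kak.hta",
    r"C:\Windows\STARTM~1\Programs\StartUp\kak.hta",
)

# Run value the worm creates; its data is a randomly named .HTA under SYSTEM,
# so we match on either the value name or the shape of the target path.
KAK_RUN_VALUE = "cAg0u"
KAK_RUN_DATA = re.compile(r"^C:\\WINDOWS\\SYSTEM\\[^\\]+\.HTA$", re.IGNORECASE)

# The two lines the worm writes into AUTOEXEC.BAT (a plain "@ECHO OFF" line
# from a normal AUTOEXEC.BAT does not match, because the redirect is required).
KAK_AUTOEXEC = re.compile(
    r"^\s*(@echo\s+off\s*>|del\s+)"
    r"C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak\.hta\s*$",
    re.IGNORECASE,
)


def clean_autoexec(text):
    """Return (cleaned_text, removed_count) with the worm's two lines stripped."""
    kept, removed = [], 0
    for line in text.splitlines():
        if KAK_AUTOEXEC.match(line):
            removed += 1
        else:
            kept.append(line)
    return ("\n".join(kept) + "\n") if kept else "", removed


def find_kak_files(existing_paths):
    """Return the known drop locations that appear in a list of existing paths."""
    present = {p.upper() for p in existing_paths}
    return sorted((p for p in KAK_FILES if p.upper() in present), key=str.upper)


def find_kak_run_values(run_values):
    """Return (name, data) pairs from a Run key dict that look like the worm's."""
    return [
        (name, data)
        for name, data in run_values.items()
        if name == KAK_RUN_VALUE or KAK_RUN_DATA.match(data.strip())
    ]


def assess(autoexec_text, existing_paths, run_values):
    """Summarize the indicators.

    'reboot_unsafe' stays True while the Run value or a dropped .HTA remains,
    matching the advice above not to reboot until cleanup is complete.
    """
    _, removed = clean_autoexec(autoexec_text)
    files = find_kak_files(existing_paths)
    runs = find_kak_run_values(run_values)
    return {
        "autoexec_lines": removed,
        "files": files,
        "run_values": runs,
        "infected": bool(removed or files or runs),
        "reboot_unsafe": bool(runs or files),
    }


# Constructed sample input: a modified AUTOEXEC.BAT, a partial file listing
# and a Run key, as they would look on an infected Windows 98 machine.
SAMPLE_AUTOEXEC = (
    "@ECHO OFF\n"
    "PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n"
    "@echo off>C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak.hta\n"
    "del C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak.hta\n"
)
SAMPLE_FILES = [
    r"C:\WINDOWS\KAK.HTM",
    r"C:\WINDOWS\STARTM~1\Programs\StartUp\kak.hta",
    r"C:\WINDOWS\WIN.COM",
]
SAMPLE_RUN = {
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "cAg0u": r"C:\WINDOWS\SYSTEM\A3C2F.hta",  # A3C2F.hta is a made-up name
}

if __name__ == "__main__":
    report = assess(SAMPLE_AUTOEXEC, SAMPLE_FILES, SAMPLE_RUN)
    for key, value in report.items():
        print(f"{key}: {value}")
    cleaned, n = clean_autoexec(SAMPLE_AUTOEXEC)
    print(f"removed {n} line(s); cleaned AUTOEXEC.BAT:\n{cleaned}")
```

The order of operations follows the warning in the Solution section: delete the Run value and the dropped .HTA files before rebooting, because a reboot with the Run value in place re-executes the temporary .HTA and redoes the drop. The AUTOEXEC.BAT cleanup is equivalent to the alternative the page gives (delete AUTOEXEC.BAT and rename AE.KAK back), which you should prefer when AE.KAK is present since it restores the original file exactly.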