Wscript.KakWorm.B
This worm is written in JavaScript. To spread, the worm uses MS Outlook Express. It does not attach itself to messages as regular worms do, but embeds its body into the message as a script program.
The worm works under English and French Windows versions only. It also does not work if Windows is installed in a directory other than C:\WINDOWS.
The worm is fully compatible with MS Outlook Express only. In MS Outlook the worm is activated and infects the system, but it cannot spread further, because it targets MS Outlook Express only to send its copies. Under other email clients the worm's behaviour depends on that client's features.
While infecting the system the worm creates three additional files containing its copy. The first two are used to infect the system, the last one is used to carry the worm code in infected emails:
1. KAK.HTA in the Windows startup folder
2. a randomly named .HTA file in the Windows system folder
3. KAK.HTM in the Windows folder
The worm has a payload routine. On the 1st of any month after 5:00pm it displays the message:
Kagou-Anti-Kro$oft says not today !
and forces Windows to exit after that.
Spreading
The worm arrives on a computer as an email message in HTML format. The message body contains a script (a JavaScript program) that is the worm body itself. That program does not appear on screen, because in HTML documents script programs are never displayed. As a result, on opening (or previewing) an infected message only the message body is displayed and no worm code is visible, but the script is automatically executed by the mailer and the worm receives control.
The worm infects the system and spreads in three steps.
1. The worm creates its copy as a disk file in the Windows startup (auto-start) folder.
2. When the worm is run from the Windows startup folder it moves itself to the Windows system directory, registers that new copy in the auto-start section of the system registry and removes the first copy from the Windows startup folder.
3. The worm accesses the MS Outlook Express registry section and registers the worm copy there as the default signature. Outlook Express will then automatically send the worm code in all messages that are sent.
The worm needs these steps because in the first phase it can access disk files only, not the system registry, so it must be run from a disk file (from the Local Intranet zone) to modify registry keys. The worm then deletes its copy from the Windows startup folder to hide itself, since all programs in there are visible in the Start\Programs\Startup menu.
Spreading: step 1 - being run from an infected message
When activated from an infected message, the worm gets access to the computer's local disk. To bypass the security protection (local disk access is prohibited by default) the worm uses the security breach named TypeLib Security Vulnerability: it creates an ActiveX object that is marked as safe for scripting and has the ability to write files to disk. By using that ActiveX object the worm gets write access to the disk.
The worm then creates the KAK.HTA file and places its own code there. That file is placed in the Windows startup directory, and as a result it will be executed on the next Windows startup.
Comment:
An HTA file is an HTML Application, a file type that appears after installing Internet Explorer 5.0. An HTA file contains regular HTML text with scripts inside, but when executed it runs as a standalone application, without the Internet Explorer shell. This makes it possible to write powerful applications using regular scripts inside HTML.
While creating the KAK.HTA file the worm does not determine the real path to the Windows directory and always assumes that Windows is installed in the C:\WINDOWS folder. Therefore the worm is unable to spread on a system where Windows is installed in a directory other than C:\WINDOWS. The worm tries two variants of the Windows startup folder to place its copy in:
MENUD?~1\PROGRA~1\D?MARR~1 (default name in the French Windows version)
STARTM~1\Programs\StartUp (default name in the English Windows version)
If the Windows startup directory has another name (in another Windows localization) the worm is unable to write its file there and so cannot spread further.
Spreading: step 2 - being run from KAK.HTA
On the next Windows restart the KAK.HTA file is activated from the Windows startup directory. The script program inside that file creates the same HTA file in the Windows system directory. That file has a system-dependent name (like 9A4ADF27.HTA). The worm then modifies the system registry to execute that file on each Windows startup. If the user changes the default Outlook Express signature, the script in this file restores the worm's components and registry settings, i.e. it re-infects the system.
The KAK.HTA script then creates the KAK.HTM file, which contains only the worm code (that HTML page has no text to display, just the pure worm script). This file is used later to infect messages.
Finally the script appends to the C:\AUTOEXEC.BAT file commands that delete KAK.HTA from the startup directory, because it is no longer needed.
Spreading: step 3 - sending infected messages
The same script (KAK.HTA) then modifies the system registry. It creates a new Outlook Express signature that refers to the KAK.HTM file and sets this signature as the default signature in Outlook Express. From that moment on, each time Outlook Express composes a message it inserts the infected signature (the content of the KAK.HTM file) into the message.
The worm is able to spread with HTML messages only (and that is the MS Outlook Express default setting). RTF and plain text messages are not infected, and cannot be infected.
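The three drop locations and the AUTOEXEC.BAT change described in steps 1 to 3 can be checked for on a host. The following Python script is an added example, not part of this description; it assumes the Windows 9x layout C:\WINDOWS with its system folder at WINDOWS\SYSTEM, and that the AUTOEXEC.BAT cleanup is a DEL command (the page names the deleted file, not the command). The French startup path is used as the page renders it, with the '?' characters kept, and the demo tree it scans is constructed in a temporary directory.

```python
import os
import tempfile

# Startup folder variants named on the page (8.3 names, relative to WINDOWS).
STARTUP_DIRS = [
    os.path.join("STARTM~1", "Programs", "StartUp"),    # English Windows
    os.path.join("MENUD?~1", "PROGRA~1", "D?MARR~1"),   # French Windows, as on the page
]

def check_kak_artifacts(drive_root):
    """Return (kind, detail) tuples for KakWorm.B on-disk indicators under drive_root.

    Assumed: Windows is <drive_root>/WINDOWS with system folder WINDOWS/SYSTEM
    (Windows 9x layout); the AUTOEXEC.BAT cleanup is assumed to use DEL.
    """
    win = os.path.join(drive_root, "WINDOWS")
    findings = []
    for rel in STARTUP_DIRS:                       # step 1: KAK.HTA in startup
        path = os.path.join(win, rel, "KAK.HTA")
        if os.path.isfile(path):
            findings.append(("startup-hta", path))
    sysdir = os.path.join(win, "SYSTEM")           # step 2: random-named .HTA
    if os.path.isdir(sysdir):
        for name in sorted(os.listdir(sysdir)):
            if name.upper().endswith(".HTA"):
                findings.append(("system-hta", os.path.join(sysdir, name)))
    htm = os.path.join(win, "KAK.HTM")             # step 3: signature carrier
    if os.path.isfile(htm):
        findings.append(("signature-htm", htm))
    autoexec = os.path.join(drive_root, "AUTOEXEC.BAT")
    if os.path.isfile(autoexec):
        with open(autoexec, encoding="ascii", errors="replace") as fh:
            for line in fh:
                if "DEL" in line.upper() and "KAK.HTA" in line.upper():
                    findings.append(("autoexec-cleanup", line.strip()))
    return findings

def demo():
    """Build a constructed infected-looking layout in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    startup = os.path.join(root, "WINDOWS", STARTUP_DIRS[0])
    sysdir = os.path.join(root, "WINDOWS", "SYSTEM")
    for d in (startup, sysdir): os.makedirs(d)
    for path in (os.path.join(startup, "KAK.HTA"), os.path.join(sysdir, "9A4ADF27.HTA"),
                 os.path.join(root, "WINDOWS", "KAK.HTM")):
        with open(path, "w") as fh:                # harmless placeholder, no script
            fh.write("<html><!-- constructed sample --></html>\n")
    with open(os.path.join(root, "AUTOEXEC.BAT"), "w") as fh:
        fh.write("@ECHO OFF\nDEL C:\\WINDOWS\\STARTM~1\\Programs\\StartUp\\KAK.HTA\n")
    return check_kak_artifacts(root)
```

Running demo() on the constructed tree reports all four indicators; on a clean root it returns an empty list.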
Protecting
The problem is that regular anti-virus scanning with on-demand scanners does not protect against this kind of worm. Each time an infected message is opened in Outlook, the worm will appear again. Moreover, if Outlook Express is configured to show the preview pane, it is enough just to select the infected message in the list: the worm will be activated.
1. To get protected it is possible to use on-access scanners to catch the worm at the moment it writes itself to disk. But on-access scanners cannot prevent worm activation, because scripts in HTML email messages are executed directly in system memory, without being stored in and run from a disk file.
The best way is to use anti-virus utilities that check script programs just before they are executed (see AVP Script Checker). Such programs can prevent worm activation and system infection.
2. To write its own file to disk the worm uses an Internet Explorer 5.0 security breach. Microsoft has released an update that eliminates the Scriptlet.Typelib security vulnerability. We strongly recommend that you visit http://support.microsoft.com/support/kb/articles/Q240/3/08.ASP and install this update.
3. If you do not plan to use any HTML applications (HTA files) at your work, there is another way to prevent infection by viruses of this type (worms and viruses that use HTA files to spread): remove the file association for the .HTA extension. To do this, follow these steps:
1. Double-click the My Computer icon on the desktop.
2. In the window that appears choose the menu View -> Options...
3. On the File Types tab, in the Registered file types list box, select the HTML Application item.
4. Click the Remove button and confirm the action.
5. Close the options dialog box.
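Because the worm body is a script embedded in the HTML message and runs as soon as the message is previewed (item 1 above), the check has to happen before the mailer renders the message, for instance at the mail gateway. The following Python check is an added example, not part of this description or of any AVP product; the two sample messages are constructed, and the indicator strings (the Scriptlet.TypeLib ProgID and the KAK.HTA/KAK.HTM file names) are taken from the page.

```python
from html.parser import HTMLParser

class ScriptFinder(HTMLParser):
    """Collect the text of every <script> block in an HTML message body."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []          # one string per <script> element
        self._buf = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script, self._buf = True, []
    def handle_endtag(self, tag):
        if tag == "script" and self.in_script:
            self.scripts.append("".join(self._buf))
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:         # script content arrives here as raw text
            self._buf.append(data)

# Indicators named on the page: the ActiveX ProgID of the patched
# vulnerability and the worm's on-disk file names (matched case-insensitively).
INDICATORS = ("scriptlet.typelib", "kak.hta", "kak.htm")

def assess_html_mail(body):
    """Return ("block", reasons) or ("allow", []) for one HTML message body.

    Any inline script is enough to block, since HTML mail needs none to
    display; the indicators only sharpen the reason for the verdict.
    """
    parser = ScriptFinder()
    parser.feed(body)
    parser.close()
    reasons = []
    if parser.scripts:
        reasons.append(f"{len(parser.scripts)} inline script(s) in message body")
    text = " ".join(parser.scripts).lower()
    reasons += [f"worm indicator in script: {i}" for i in INDICATORS if i in text]
    return ("block" if reasons else "allow", reasons)

# Constructed samples (no real worm code): a normal message, and one whose
# inline script only mentions the indicator strings.
CLEAN_MAIL = "<html><body><p>Meeting moved to 3pm.</p></body></html>"
SUSPECT_MAIL = ('<html><body><p>Hi!</p><script language="JavaScript">'
                "// constructed stand-in for an infected signature\n"
                "var o = 'Scriptlet.TypeLib'; var f = 'C:\\\\WINDOWS\\\\KAK.HTM';"
                "</script></body></html>")
```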