What is WScript.KAKWorm?
KAK is a Win32-based e-mail worm. It alters a file that your computer uses whenever you send out an email message
or newsgroup posting so that every message that goes out has the virus attached to it. It does not corrupt any
data on your hard drive; however, it is designed to shut your machine down on certain days, which may inadvertently
result in a loss of data.
How do I get it?
KAK arrives as an embedded script within an email message. Just opening the message infects your computer. You'll know
you have it when you see strange messages start to pop up, such as:
"Do you want to allow software such as ActiveX controls and plug-ins to run?",
"Kagou-Anti-Kro$oft says not today!", and
"S3 driver memory alloc failed"
Your machine may also shut itself down on its own.
Who's at risk?
People running Microsoft Outlook or Outlook Express and Internet Explorer 5.0. Those running MacOS and WebTV are
immune to the virus.
KAK SECURITY PATCH
What exactly does the virus do to my computer?
When you open an infected message, the following lines are written to your Autoexec.bat file:
@echo off>c:\windows\STARTM~1\Programs\Startup\kak.hta
del c:\windows\STARTM~1\Programs\Startup\kak.hta
The following files are installed on your machine:
c:\windows\kak.htm
c:\windows\system\(#).hta
(this # is derived from the first eight characters of the subfolder located at:
c:\Windows\Application Data\Identities\)
c:\windows\Start Menu\Programs\StartUp\kak.hta
The following value is added to the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
cAg0u = "C:\WINDOWS\SYSTEM\(#).hta"
(this # is derived from the first eight characters of the subfolder located at:
c:\Windows\Application Data\Identities\)
The following key is added to the registry under
HKEY_CURRENT_USER\Identities\Software\Microsoft\Outlook Express\5.0\signatures\
00000000
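The file and Autoexec.bat artifacts listed above can be checked on an offline copy of the drive. The script below is an added example, not part of the original page: it assumes root points at a mounted image or copy of C:, assumes a leading brace in the Identities subfolder name is not counted toward the eight characters, and does not inspect the registry. The function names are illustrative.

```python
import os, tempfile

def find_ci(root, *parts):
    """Resolve root/parts case-insensitively; return the path or None."""
    cur = root
    for part in parts:
        names = os.listdir(cur) if os.path.isdir(cur) else []
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        cur = os.path.join(cur, match)
    return cur

def scan_kak(root):
    """List KAK artifacts under `root`, an offline copy of the C: drive."""
    ident = find_ci(root, "windows", "Application Data", "Identities")
    # (#).hta: first eight characters of each Identities subfolder name
    # (assumption: a leading brace is not counted).
    stems = [s.lstrip("{")[:8] for s in (os.listdir(ident) if ident else [])]
    wanted = [("windows", "kak.htm"),
              ("windows", "Start Menu", "Programs", "StartUp", "kak.hta")]
    wanted += [("windows", "system", s + ".hta") for s in stems]
    hits = [p for p in (find_ci(root, *w) for w in wanted) if p]
    bat = find_ci(root, "autoexec.bat")  # lines that reference the Startup kak.hta
    if bat:
        with open(bat, errors="replace") as fh:
            hits += [f"{bat}:{n}: {line.strip()}" for n, line in enumerate(fh, 1)
                     if "kak.hta" in line.lower()]
    return hits

def make_sample():
    """Build a constructed tree of empty files that mimics the layout above."""
    root = tempfile.mkdtemp()
    ident = "WINDOWS/Application Data/Identities/{1A2B3C4D-0000-0000-0000-000000000000}"
    for d in ("WINDOWS/SYSTEM", "WINDOWS/Start Menu/Programs/StartUp", ident):
        os.makedirs(os.path.join(root, d))
    for f in ("WINDOWS/kak.htm", "WINDOWS/SYSTEM/1A2B3C4D.hta",
              "WINDOWS/Start Menu/Programs/StartUp/kak.hta"):
        open(os.path.join(root, f), "w").close()
    with open(os.path.join(root, "AUTOEXEC.BAT"), "w") as fh:
        fh.write("@echo off>c:\\windows\\STARTM~1\\Programs\\Startup\\kak.hta\n"
                 "del c:\\windows\\STARTM~1\\Programs\\Startup\\kak.hta\n")
    return root

if __name__ == "__main__":
    print("\n".join(scan_kak(make_sample())))
```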