In-depth details of JS/Kak@M
This worm was first discovered by AVERT in October 1999, and detection for it was added in the 4051 DAT update. Virus Patrol, a newsgroup scanning program from NAI, continues to identify occurrences of this Internet worm in newsgroup postings, which indicates that the worm is still spreading. AVERT recommends adding ".HT?" to the file extensions scanned for protection, and also ensuring that users have installed the Microsoft security patch mentioned below.
Another dangerous aspect of this Internet worm is its ability to continuously re-infect unpatched systems when the preview pane is enabled and messages containing it are browsed, including ones in your own "Sent Items" folder. This is another strong reason to apply the security patch if you have not already.
For more details on this vulnerability and to obtain a patch from Microsoft, see this link:
Microsoft Security Bulletin
To obtain a patch from Microsoft, see this link:
For current security bulletins from Microsoft, see this link:
Email messages written in HTML format are coded with the Internet worm on infected systems because the worm modifies the default signature. The email application Outlook is the propagation target of this Internet worm because of its support for HTML-format messages. If an email message carrying the worm code is allowed to run, files are written to the local machine in several locations:
kak.hta is written to either folder:
In the above list, "(name)" is a seemingly random 8-character name (e.g. 98278AE0.HTA); however, it is tied directly to a registry entry.
This worm first copies the original AUTOEXEC.BAT file to AE.KAK. The AUTOEXEC.BAT file is then modified to overwrite the file KAK.HTA and delete it from the StartUp folder. The system registry is also modified: the script runs regedit from a shell with a REG file written to the local system. The registry modification is this:
cAg0u = "C:\WINDOWS\SYSTEM\(name).hta"
The entry "(name)" is an 8-character name (e.g. 98278AE0.HTA).
Spreading by email is made possible by a registry modification that adds a signature to MS Outlook. The signature is set to include the file "C:\WINDOWS\kak.htm" and is made the default signature, so the worm is spread with every outgoing email in which the signature is included.
Finally, this worm also has a date-activated payload.
On the 1st of the month, from 6 PM local time onwards, the following message is displayed:
"Kagou-Anti-Kro$oft says not today!"
Variant (requires 4088 DAT):
KAK.HTA -> DAY.HTA
KAK.HTM -> DAY.HTM
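The file, registry and signature indicators described above (and the DAY.HTA/DAY.HTM names of the variant) can be turned into a simple host-triage check. The following is an added example, not AVERT's or McAfee's code: it assumes a hypothetical collector has already inventoried a host into a HostSnapshot (file paths, Run-key values, the Outlook default signature path, AUTOEXEC.BAT lines), so it runs offline on any platform. The assumption that "(name)" is eight hexadecimal digits is taken from the single example on the page (98278AE0.HTA); the sample snapshots at the bottom are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Indicator names taken from the description above: dropped HTA/HTM files, the
# AUTOEXEC.BAT backup, and the DAY.* names reported for the 4088 DAT variant.
KAK_FILE_NAMES = {"kak.hta", "kak.htm", "day.hta", "day.htm", "ae.kak"}
# Run-key value name quoted on the page; its data is the path of (name).hta.
RUN_VALUE_NAME = "cAg0u"
# Assumption: "(name)" is 8 hex digits, generalised from the example 98278AE0.HTA.
RANDOM_HTA = re.compile(r"^[0-9A-F]{8}\.HTA$", re.IGNORECASE)


@dataclass
class HostSnapshot:
    """Inventory gathered from one host by a hypothetical collector."""
    files: List[str]                    # full paths present on disk
    run_values: Dict[str, str]          # Run key: value name -> value data
    outlook_signature: str = ""         # default signature file, "" if none
    autoexec_lines: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    """Last component of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_kak(snap: HostSnapshot) -> List[str]:
    """Return one finding per Kak indicator present; an empty list means clean."""
    findings = []
    random_htas = set()

    for path in snap.files:
        name = _basename(path)
        if name.lower() in KAK_FILE_NAMES:
            findings.append(f"dropped file: {path}")
        elif RANDOM_HTA.match(name) and "\\SYSTEM\\" in path.upper():
            random_htas.add(name.lower())
            findings.append(f"random-named HTA in SYSTEM folder: {path}")

    run_data = snap.run_values.get(RUN_VALUE_NAME)
    if run_data is not None:
        findings.append(f"Run value {RUN_VALUE_NAME} = {run_data}")
        # The page ties "(name)" to the registry entry: confirm the file it
        # points at is one of the random-named HTAs actually on disk.
        target = _basename(run_data.strip('"')).lower()
        if target in random_htas:
            findings.append(f"Run value target {target} is present on disk")

    if _basename(snap.outlook_signature).lower() == "kak.htm":
        findings.append(f"Outlook default signature is {snap.outlook_signature}")

    for line in snap.autoexec_lines:
        if "kak.hta" in line.lower():
            findings.append(f"AUTOEXEC.BAT references KAK.HTA: {line.strip()}")

    return findings


# Constructed sample snapshots (not real forensic data).
INFECTED = HostSnapshot(
    files=[
        r"C:\WINDOWS\kak.htm",
        r"C:\WINDOWS\SYSTEM\98278AE0.HTA",
        r"C:\AE.KAK",
        r"C:\WINDOWS\WIN.INI",
    ],
    run_values={
        "cAg0u": r"C:\WINDOWS\SYSTEM\98278AE0.hta",
        "ScanRegistry": "scanregw.exe /autorun",
    },
    outlook_signature=r"C:\WINDOWS\kak.htm",
    autoexec_lines=[
        "@ECHO OFF",
        r'del "C:\WINDOWS\Start Menu\Programs\StartUp\kak.hta"',  # constructed
    ],
)

CLEAN = HostSnapshot(
    files=[r"C:\WINDOWS\WIN.INI"],
    run_values={"ScanRegistry": "scanregw.exe /autorun"},
    autoexec_lines=["@ECHO OFF"],
)

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        hits = check_kak(snap)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print("  -", hit)
```

The cross-check between the cAg0u value data and the HTA files found under the SYSTEM folder is what distinguishes this worm's footprint from an unrelated stray HTA; a hit on the Run value alone or on the signature alone is still worth raising, since each one is enough to keep the infection cycle going on an unpatched machine.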