©1995-2012 Symantec Corporation.
All rights reserved.

WScript.KakWorm.B

Category 2


WScript.KakWorm.B spreads using Microsoft Outlook Express. It attaches itself to all outgoing messages using the Signature feature of Outlook Express and Internet Explorer newsgroup reader.

The worm utilizes a known Microsoft Outlook Express security hole so that a viral file is created on the system without having to run any attachment. Simply reading the received email message will cause the virus to be placed on the system.

Microsoft has patched this security hole. The patch is available at:

http://www.microsoft.com/technet/security/bulletin/ms99-032.mspx

If you have a patched version of Outlook Express, this worm will not work automatically.



NOTES:

  • This document contains information about Wscript.KakWorm.B. There are differences between Wscript.KakWorm.B (note the "B") and the original version of this worm, Wscript.KakWorm. The removal procedures are different.
  • One indication of this worm--though it does not occur on all systems--is the message "Driver or memory error" that appears briefly as Windows starts.
  • Although this worm can be forwarded or detected in email on a Windows NT system, it infects only Windows 95/98 systems.
  • While computers running either unpatched Microsoft Outlook or Outlook Express can be infected, only Outlook Express can automatically spread the infection.
 

Type: Worm
Infection Length: 4192

protection
  • Virus Definitions (Intelligent Updater)
  • July 22, 2000

    threat assessment

    Wild: Low
    Damage: Medium
    Distribution: High

    technical details

    The worm appends itself as a signature to the end of legitimate outgoing messages. When the message is received, the worm automatically inserts a copy of itself into the appropriate StartUp folder for both English and French language versions of Windows. The copy is named Day.hta.

    The worm uses a known Microsoft Outlook Express security hole, Scriptlet.Typelib, so that a viral file is created on the system without having to run any attachment. Simply reading the email message will cause the virus to be placed on the system.

    Microsoft has patched this security hole. The patch is available from the Microsoft Web site at:

    http://www.microsoft.com/technet/security/bulletin/ms99-032.mspx

    If you have a patched version of Outlook Express, this worm will not work automatically.

    .hta files are executed by current versions of Microsoft Internet Explorer and Netscape Navigator. The computer must be restarted for this file to be executed. Once executed, the worm modifies the registry key

    HKEY_CURRENT_USER\Identities\<Identity>\Software\Microsoft\Outlook Express\5.0\Signatures

    to add its own signature file, which is the infected Day.hta file. This causes all outgoing mail to be infected by the worm. In addition, the String value cDays is added under the registry key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    which causes the worm to be executed each time that the computer is restarted.

    Finally, if it is the first of the month and the hour is 17 (5:00 P.M.), the following message is displayed:

    Days It was a day to be a days!

    and Windows is shut down.

    recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
    • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

    removal instructions

    The Symantec AntiVirus Research Center (SARC) has developed a tool (Fixkakb.exe) to remove the Wscript.KakWorm.B. To obtain this tool, go to the following Internet address:

    http://securityresponse.symantec.com/avcenter/tools.list.html

    If you cannot obtain the tool, or if you prefer to manually remove the worm, continue on with the solutions that follow.

    There is more than one way to manually remove this worm. In most cases it can be removed in Safe Mode. Please see Solution 1 for information on how to do this. If this does not resolve the problem, or if you prefer to work in MS-DOS mode, then please see Solution 2.

    Solution 1 -- To remove this worm from within Windows, follow these instructions:

    To remove this worm, please follow the instructions in each section.

    NOTE: The procedure described in this document is complex and assumes that you are familiar with basic Windows procedures. If you are not, then we suggest that you obtain the services of a qualified computer consultant.

    Restart the computer in Safe Mode

    • Windows 95
      1. Exit all programs, and then shut down the computer.
      2. Turn off the power and wait 30 seconds. You must turn off the power to remove the virus from memory. Do not use the reset button.
      3. Press F8 when you see the "Starting Windows 95" message.
      4. Type the number for Safe Mode, then press Enter.
    • Windows 98
      1. Click Start, and click Run.
      2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
      3. Click Advanced on the General tab.
      4. Check Enable Startup Menu, click OK, and then OK again.
      5. Exit all programs, and then shut down the computer.
      6. Turn off the power and wait 30 seconds. You must turn off the power to remove the virus from memory. Do not use the reset button.
      7. Turn on the computer, and wait for the menu.
      8. Type the number for Safe Mode, and then press Enter.
    Enable show all files
    Follow these steps to make sure that Windows is set to show all files:
    1. Double-click the My Computer icon on the Windows desktop.
    2. Click the View menu, and click Options or Folder options.
    3. Click the View tab, and uncheck "Hide file extensions for known file types."
    4. Click Show all files, and then click OK.

    Find and delete files
    Follow these steps to locate and delete the files that were placed on your hard drive by the worm:
    1. Click Start, point to Find, and click Files or Folders.
    2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
    3. Type day.* in the Named box, and then click Find Now.
    4. In the results pane, select each displayed file, press Delete, and then click Yes to confirm.
    5. Click New Search.
    6. Make sure that Look in is set to (C:) and that Include subfolders is checked.
    7. Type *.day in the Named box, and then click Find Now.
    8. Select each file in the results pane, press Delete, and then click Yes to confirm.
    9. Click New Search.
    10. Make sure that Look in is set to (C:) and that Include subfolders is checked.
    11. Type *.hta in the Named box, and then click Find Now.
    12. Select each file in the results pane, press Delete, and then click Yes to confirm.
    13. Right-click the Recycle Bin icon on your desktop, and then click Empty Recycle Bin.

    Remove a file entry
    Follow these steps to remove an entry from the Autoexec.bat file:
    1. Click Start, and click Run. The Run dialog box appears.
    2. Type sysedit and then click OK. The System Configuration Editor opens.
    3. Click the Autoexec.bat window.
    4. Locate and delete the line that reads:

      C:\Windows\Start Menu\Programs\StartUp\day.hta

      NOTE: Some variants of this worm insert one or both of the following lines instead of or in addition to the previous text. If you see either of these lines--or any line that refers to kak--delete it.

      @echo off C:\Windows\Start Menu\Programs\StartUp\day.hta
      Del C:\Windows\Start Menu\Programs\StartUp\day.hta

    5. Because some variants hide the kak entry elsewhere in the Autoexec.bat file, you should search the file to make sure that no entries have been missed:
      1. Make sure that the cursor is positioned at the beginning of the Autoexec.bat file.
      2. Click the Search menu, and click Find.
      3. Type day in the Find box, and then click Next.
        • If you see the message "Cannot find 'day'," then go on to the next step.
        • If an entry is found that contains day, delete it, and then press the F3 key to repeat the search. Keep repeating the search until all references to day have been removed and you see the message "Cannot find 'day'."
    6. Exit the System Editor, and then click Yes to save changes.

    Remove an entry from the registry
    Follow these steps to remove a registry entry:

    CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
    1. Click Start, and click Run. The Run dialog box appears.
    2. Type regedit and then click OK. The Registry Editor opens.
    3. Navigate to and click the following key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      NOTE: If you are running Windows 98, in addition to the \Run key, perform the next step on the \Run- key if it exists. (The \Run- key will exist only if you have used the System Configuration Utility to disable programs loading from the registry.)
    4. Look for the following String value in the right pane.

      cDays "C:\WINDOWS\SYSTEM\(name).hta"
    5. If it exists, select it, press Delete, and then click Yes to confirm.
    6. Navigate to and click the following subkey:

      HKeyCurrentUser/Identities/<Identity>/Software/Microsoft/Outlook Express/5.0/Signatures

      NOTES:
      • The <Identity> key will be different on each computer. It is a long string of numbers and letters in brackets, similar to: {2F3FF060-E5E4-11D3-B5CD-CC519BEAAC42}
      • Make sure that you go all of the way down through the tree and that you select the /Signatures subkey. Do not delete the Identities key.
    7. Press Delete, and then click Yes to confirm.
    8. Exit the Registry Editor, and then restart your computer.

      NOTE: For Windows 98 users only: Before restarting, if you used the Microsoft System Configuration Utility to enable the Startup menu, you can disable it at this time. Please follow these steps:
      1. Click Start, and click Run.
      2. Type msconfig and then Click OK. The System Configuration Utility dialog box appears.
      3. Click Advanced on the General tab.
      4. Uncheck Enable Startup Menu, click OK, and then click OK again.
      5. Restart the computer.

    Delete infected files from Quarantine
    The files that were infected by Wscript.KakWorm are no longer necessary on your system. To permanently delete these infected files, see the document How to remove files from Norton AntiVirus Quarantine.

    Clear the Deleted Items folder
    If you do not have Outlook Express set to clear deleted email when you close the program, clear the Deleted Items folder before you send or receive email.

    Solution 2 -- To remove this worm working mostly in DOS, follow these instructions:

    To remove this worm, working mostly in MS-DOS mode, please follow the instructions in each section, in the order presented.

    NOTE: The procedure described in this document is complex and assumes that you are familiar with basic Windows and DOS procedures. If you are not, then we suggest that you obtain the services of a qualified computer consultant.
      Start the computer in MS-DOS mode
      The first part of the removal procedure must be performed in MS-DOS mode. Please follow these steps:
      • Windows 95
        1. If the computer is running, close all programs. If possible, shut down Windows.
        2. Turn off the computer, and wait thirty seconds. You must turn off the power to clear memory. Do not use the reset button.
        3. Restart the computer, and watch the screen. When you see "Starting Windows 95," press F8.
        4. Select "Safe Mode Command Prompt Only" from the startup menu, and then press Enter.
      • Windows 98
        1. If the computer is running, close all programs. If possible, shut down Windows.
        2. Turn off the computer and wait thirty seconds. You must turn off the power to clear memory. Do not use the reset button.
        3. Restart the computer, and immediately press and hold down the Ctrl key until the Windows 98 startup menu appears.
        4. Select "Safe Mode Command Prompt Only" from the startup menu, and then press Enter.

      Remove infected files in MS-DOS mode
      At the DOS prompt, which should appear similar to C:\>, type the following commands in the sequence shown. Press Enter after each one.
        NOTE: These instructions assume that the path to your windows folder is C:\Windows. If you installed Windows in a different folder (for example, C:\Win95), then modify the commands that refer to the Windows folder accordingly.

      edit autoexec.bat

      The DOS editor opens. Delete or remark out any lines with entries that refer to C:\Windows\Start Menu\Programs\StartUp\kak.hta. After removing the lines, press Alt+F to access the File menu, and then press S to save the file. Next, press Alt+F, and then press X to exit the DOS editor.

      cd windows
      attrib -s -h -r day.htm
      del c:\windows\day.htm
      cd system
      attrib -s -h -r *.hta
      del *.hta
      cd..
      cd startm~1
      cd programs
      cd startup
      attrib -s -h -r day.hta
      del day.hta

      Turn off the computer, wait at least 30 seconds, and then restart the computer. Do not use the reset button. When Windows starts, go on to the next section.

      NOTE: If after restarting the computer, you see a blank <name>.hta screen opening at startup, repeat the previous steps.

      Remove an entry from the registry
      You need to remove a registry entry. Please follow these steps:

      CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
      1. Click Start, and click Run. The Run dialog box appears.
      2. Type regedit and then click OK. The Registry Editor opens.
      3. Navigate to and click the following key:

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

        NOTE: If you are running Windows 98, in addition to the \Run key, perform the next step on the \Run- key if it exists. (The \Run- key will exist only if you have used the System Configuration Utility to disable programs loading from the registry.)
      4. Look for the following String value in the right pane.

        cDays "C:\WINDOWS\SYSTEM\(name).hta"
      5. If it exists, select it, press Delete, and then click Yes to confirm.
      6. Navigate to and click the following subkey:

        HKeyCurrentUser/Identities/<Identity>/Software/Microsoft/Outlook Express/5.0/Signatures

        NOTES:
        • The <Identity> key will be different on each computer. It is a long string of numbers and letters in brackets, similar to: {2F3FF060-E5E4-11D3-B5CD-CC519BEAAC42}
        • Make sure that you go all of the way down through the tree and that you select the /Signatures subkey. Do not delete the Identities key.
      7. Press Delete, and then click Yes to confirm.
      8. Exit the Registry Editor.

      Delete infected files from Quarantine
      The files that were infected by Wscript.KakWorm are no longer necessary on your system. To permanently delete these infected files, see the document How to remove files from Norton AntiVirus Quarantine.

      Clear the Deleted Items folder
      If you do not have Outlook Express set to clear deleted email when you close the program, clear the Deleted Items folder before you send or receive email.
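
      As an added example that is not part of the Symantec write-up, the following Python script checks a REGEDIT4 export (the text regedit writes when you export a key) and a copy of Autoexec.bat for the persistence points described under technical details and removed in Solutions 1 and 2: the cDays value under the Run key, a signature under an Outlook Express identity that points at an .hta file, and Autoexec.bat lines that refer to day.hta or kak. The sample export and Autoexec.bat below are constructed, and the Outlook Express signature value name ("file") is an assumption.

```python
# Added example, not Symantec's code: scan a Windows 9x REGEDIT4 registry export
# (what regedit's Export command writes) and a copy of Autoexec.bat for the
# KakWorm.B persistence points. Inputs are constructed; OE value names are assumed.
import re

RUN_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run-?$",
    re.IGNORECASE)
SIG_KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Identities\\\{[0-9A-F-]+\}\\Software\\Microsoft"
    r"\\Outlook Express\\5\.0\\Signatures(\\|$)", re.IGNORECASE)


def parse_regedit4(text):
    """Return {key: {value_name: data}} for the REG_SZ values in a REGEDIT4 export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):   # [KEY] starts a new key
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and line[0] in '"@':
            name, _, data = line.partition("=")
            if data.startswith('"'):  # REG_SZ only; dword:/hex: values are skipped
                # REGEDIT4 doubles backslashes inside string data; undo that
                keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys


def find_indicators(reg_text, autoexec_text):
    """List (indicator, detail) pairs for the worm's three persistence points."""
    found = []
    for key, values in parse_regedit4(reg_text).items():
        for name, data in values.items():
            if RUN_KEY_RE.match(key) and (name.lower() == "cdays"
                                          or data.lower().endswith(".hta")):
                found.append(("run-value", f"{key}\\{name} = {data}"))
            elif SIG_KEY_RE.match(key) and data.lower().endswith(".hta"):
                found.append(("oe-signature", f"{key}\\{name} = {data}"))
    for lineno, line in enumerate(autoexec_text.splitlines(), 1):
        if re.search(r"day\.hta|kak", line, re.IGNORECASE):
            found.append(("autoexec", f"line {lineno}: {line.strip()}"))
    return found


# Constructed sample export: a benign Run entry, the worm's cDays entry, and one
# identity whose signature file is Day.hta (the GUID is the write-up's example).
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"cDays"="C:\\WINDOWS\\SYSTEM\\day.hta"
[HKEY_CURRENT_USER\Identities\{2F3FF060-E5E4-11D3-B5CD-CC519BEAAC42}\Software\Microsoft\Outlook Express\5.0\Signatures\00000001]
"name"="Signature #1"
"file"="C:\\WINDOWS\\Day.hta"
'''
SAMPLE_AUTOEXEC = "@echo off\r\nSET PATH=C:\\WINDOWS\r\nC:\\Windows\\Start Menu\\Programs\\StartUp\\day.hta\r\n"

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_REG, SAMPLE_AUTOEXEC):
        print(f"[{kind}] {detail}")
```

      Run it against your own export and Autoexec.bat copy after the removal steps; an empty result means none of the three persistence points remain.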

      Additional information:

      Additional precautions that you can take:
      Some threats, such as this one, use the VBScript computer language to run. You can protect yourself from threats that use this language by enabling Script Blocking (Norton AntiVirus 2001/2002) or by disabling or uninstalling the Windows Scripting Host. Because the Windows Scripting Host is an optional part of Windows, it can be safely removed from your computer. (Some programs, however, need Windows Scripting Host in order to function properly.)

      • If you are using Norton AntiVirus 2002, which includes Script Blocking, make sure that Script Blocking is enabled (the default).
      • If you are using Norton AntiVirus 2001, a free program update that includes Script Blocking is available. Please run LiveUpdate to obtain this.
      • For other versions of Norton AntiVirus, SARC offers a tool to disable the Windows Scripting Host.
      • To disable the Windows Scripting Host in Microsoft Outlook Express only, see the Microsoft Knowledge Base document OLEXP: How to Disable Active Scripting in Outlook Express, Article ID: Q192846.



      Write-up by: Douglas Knowles