Wscript.KakWorm

Category 2


Wscript.KakWorm spreads using Microsoft Outlook Express. It attaches itself to all outgoing messages using the Signature feature of Outlook Express and Internet Explorer newsgroup reader.
The worm utilizes a known Microsoft Outlook Express security hole so that a viral file is created on the system without having to run any attachment. Simply reading the received email message causes the virus to be placed on the system.
Microsoft has patched this security hole. The patch is available at:

http://www.microsoft.com/technet/ie/tools/scrpteye.asp

If you have a patched version of Outlook Express, this worm will not work automatically.

Symantec has also created an interactive tutorial to help you get rid of this worm.

NOTES:

  • This document contains information about the Wscript.KakWorm. There are differences between Wscript.KakWorm and the next major variant of this worm, Wscript.KakWorm.B (note the "B"). The removal procedures are different.
  • Although this worm can be forwarded or detected in email on a Windows NT or Windows 2000 system, it infects only Windows 95/98 systems.
  • If Norton AntiVirus has detected the Wscript.KakWorm and you cannot download email, then see the document Cannot download email after you delete or quarantine an email message infected with the Wscript.KakWorm.
  • While computers running either unpatched Microsoft Outlook or Outlook Express can be infected, only Outlook Express can automatically spread the infection.
  • One indication of this worm--though it does not occur on all systems--is the message "Driver or memory error" that appears briefly as Windows starts.
 

Also Known As: VBS.Kak.Worm, VBS.Kak.Worm.dr, Kagou-Anti-Krosoft, Wscript.Kak.A, JS/Kak.Worm [Panda], Mid/Kakworm, JS_KAKWORM.A [Trend], I-Worm.KakWorm [Kaspersky], JS/Kak@M [McAfee], VBS/Kakworm [Sophos]
Type: Worm
Infection Length: 4,116 Bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
CVE References: CVE-1999-0668

protection
  • Virus Definitions (LiveUpdate™ Weekly): December 30, 1999
  • Virus Definitions (Intelligent Updater): December 30, 1999

    threat assessment

    Threat Metrics

    Wild: Low
    Damage: Medium
    Distribution: High

    technical details

    Wscript.KakWorm is a worm. It spreads using Microsoft Outlook Express. The worm attaches itself to all outgoing messages using the Signature feature of Outlook Express. Signatures enable you to automatically append information at the end of all outgoing messages.

    This worm uses three files to deliver its payload. The file extensions are:

    • .hta
    • .reg
    • .bat

    The message that contains this worm is written in an HTML format that supports scripting. It uses a security hole in Microsoft Outlook/Outlook Express that is known as "Scriptlet TypeLib," and it places a shortcut to an .hta file in the StartUp folder. The next time the computer is restarted, the .hta file is run.

    NOTE: While computers running either unpatched Microsoft Outlook or Outlook Express can be infected, only Outlook Express can automatically spread the infection.

    This worm can reinfect your computer if it is displayed in the preview pane of Outlook Express. This can happen when switching between folders. (This means that a viral file can be created on the system without having to open an attachment.) This can be prevented by applying Microsoft's security update patch. With this update, you are asked whether you want to run the ActiveX control which is marked "safe for scripting."

    If you have a patched version of Outlook Express, then this worm will not affect you. To obtain the Microsoft patch, go to http://www.microsoft.com/TechNet/IE/tools/scrpteye.asp. Additional information is available at this location. Most users will want to download the Intel version.

    If a system is infected, then there will be no real indication of this until the first day of any given month. On the first of the month you will see the following message:

    "Kagou-Anti-Kro$oft says not today!"

    If you click OK, the computer shuts down. This window returns each time you start Windows.

    NOTE: As noted previously, Wscript.KakWorm is spread as part of an email message--not an attachment. If, however, your email program or the email server that handles the message is not set up for or capable of handling HTML encoded messages, the program or server will convert the encoded message to an attachment. This attachment usually has a name such as Att1.htm. If you open the attachment, it can have the same effect as if you received the email message with the worm embedded.

    recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
    • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
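The technical details above describe two delivery paths (the worm travels in a scripted HTML message body with no attachment, and a mail server that cannot handle HTML may convert that body into an attachment such as Att1.htm), and the recommendations list the attachment extensions to block at the mail server. The following Python script checks both paths at a mail gateway. It is an added example, not Symantec's code or tool: the sample messages are constructed for the demonstration (they are not captures of the worm), the active-content tags it looks for (script, object, embed, applet) are the example's own choice rather than a signature of the worm, and adding .hta to the recommended extension list is also the example's choice.

```python
"""Mail-gateway check for the delivery paths in the Wscript.KakWorm writeup.

Added example, not Symantec's code. The worm arrives in a scripted HTML
message body (no attachment); a server that cannot handle HTML may convert
that body into an attachment such as Att1.htm. Both cases are covered.
All sample messages below are constructed for the demonstration.
"""
import re
from email import message_from_string
from email.message import Message

# Extensions the writeup recommends blocking at the mail server, plus .hta,
# the file type the worm drops (adding .hta is this example's choice).
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr", ".hta"}

# Tags that let an HTML part run script or instantiate an ActiveX object
# (this tag list is the example's choice, not a signature of the worm).
ACTIVE_HTML = re.compile(r"<\s*(script|object|embed|applet)\b", re.IGNORECASE)


def _extension(part: Message) -> str:
    """Lower-cased extension of the part's file name, or '' if it has none."""
    name = part.get_filename() or ""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def _text(part: Message) -> str:
    """Decoded body of a leaf part as text (8-bit safe)."""
    payload = part.get_payload(decode=True) or b""
    return payload.decode("latin-1", "replace")


def check_message(raw: str) -> list:
    """Return (reason, detail) findings for one message in RFC 822 text form."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        disposition = (part.get("Content-Disposition") or "").lower()
        ext = _extension(part)
        if name or disposition.startswith("attachment"):
            # Attachment path: the extension policy from the recommendations,
            # then the Att1.htm conversion case (HTML attachment with script).
            if ext in BLOCKED_EXTENSIONS:
                findings.append(("blocked-attachment", name))
            elif ext in (".htm", ".html") and ACTIVE_HTML.search(_text(part)):
                findings.append(("active-html-attachment", name))
            continue
        if part.get_content_type() == "text/html":
            # Body path: HTML rendered in the preview pane, no attachment.
            m = ACTIVE_HTML.search(_text(part))
            if m:
                findings.append(("active-html-body", m.group(1).lower()))
    return findings


def should_quarantine(raw: str) -> bool:
    return bool(check_message(raw))


# --- constructed sample messages (not captures of the real worm) ---

SAMPLE_HTML_BODY = """\
From: sender@example.invalid
To: user@example.invalid
Subject: test (constructed)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"

<html><body><p>Hello</p>
<object id="x" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script language="JavaScript">/* placeholder, not the worm's script */</script>
</body></html>
"""

SAMPLE_CONVERTED = """\
From: sender@example.invalid
To: user@example.invalid
Subject: test (constructed)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This mail system could not deliver the HTML body inline.
--b1
Content-Type: text/html; name="Att1.htm"
Content-Disposition: attachment; filename="Att1.htm"

<html><body><script>/* placeholder */</script></body></html>
--b1--
"""

SAMPLE_CLEAN = """\
From: sender@example.invalid
To: user@example.invalid
Subject: test (constructed)
Content-Type: text/plain

Plain text only.
"""

if __name__ == "__main__":
    for label, msg in (("html body", SAMPLE_HTML_BODY),
                       ("converted", SAMPLE_CONVERTED),
                       ("clean", SAMPLE_CLEAN)):
        print(label, check_message(msg), should_quarantine(msg))
```

The attachment branch is evaluated before the body branch on purpose: once a server has turned the HTML body into Att1.htm, the part carries a file name, and only the attachment rules apply to it. Plain HTML newsletters without script or object tags pass through untouched, which is what keeps a policy like this usable on a real gateway.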

    removal instructions

    There is more than one way to remove this worm:

    • Use the Wscript.KakWorm Repair Tool created by the Symantec AntiVirus Research Center. This is the preferred method for repairing the damage done by the worm in most cases.
    • Repair the damage manually. In most cases it can be removed in Safe Mode. Please see Solution 1 for information on how to do this. If this does not resolve the problem, or if you prefer to work in MS-DOS mode, then please see Solution 2.

      NOTES:
      • The procedure described in this document is complex and assumes that you are familiar with basic Windows and DOS procedures. If you are not, then we suggest that you obtain the services of a computer consultant.
      • In some cases, if you are using Microsoft Outlook Express or Netscape Communicator, when you receive a message infected with Wscript.KakWorm, your email inbox can be quarantined. If this is the case, also see the document Netscape or Outlook Express Inbox is quarantined when infected email is detected.

    Solution 1 -- How to remove this worm from within Windows
    • Delete all files detected as kakworm, kakworm.dr, etc.
    • Restart the computer in Safe mode.
    • Enable show all files.
    • Find and delete the kak.*, *.kak, and *.hta files.
    • Remove the worm entry from the Autoexec.bat file.
    • Remove the worm entry from the registry.
    • Delete infected files from Quarantine.
    • Clear deleted items folder.
    • Install the Microsoft patch.
    • Take action after installing the Microsoft patch.

    To restart the computer in Safe mode:
    • If you are using Windows 95, follow these steps:
      1. Exit all programs, and then shut down the computer.
      2. Turn off the power and wait 30 seconds. You must turn off the power to remove the virus from memory. Do not use the reset button.
      3. Press F8 when you see the message "Starting Windows 95."
      4. Press the number that corresponds to Safe Mode, and then press Enter.
    • If you are using Windows 98, then follow these steps:
      1. Click Start, and click Run.
      2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
      3. Click Advanced on the General tab.
      4. Check Enable Startup Menu, click OK, and then OK again.
      5. Exit all programs, and then shut down the computer.
      6. Turn off the power and wait 30 seconds. You must turn off the power to remove the virus from memory. Do not use the reset button.
      7. Turn on the computer, and wait for the menu.
      8. Press the number that corresponds to Safe Mode, and then press Enter.

    To enable show all files:
    Follow these steps to make sure that Windows is set to show all files:
    1. Start Windows Explorer.
    2. Click the View menu (or the Tools menu in Windows Me), and click Options or Folder options.
    3. Click the View tab, and make sure that "Hide file extensions for known file types" is unchecked.
    4. Do one of the following:
      • Windows 95/98
        Under the "Hidden files" folder, click Show all files.
      • Windows Me
        Uncheck "Hide protected operating system files," and under the "Hidden files" folder click "Show hidden files and folders."
    5. Click Apply, and then click OK.

    To find and delete worm files:
    1. Click Start, point to Find, and click Files or Folders.
    2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
    3. Type kak.* in the Named box, and then click Find Now.
    4. In the results pane, select each file, press Delete, and then click Yes to confirm.
    5. Click New Search.
    6. Make sure that Look in is set to (C:) and that Include subfolders is checked.
    7. Type *.kak in the Named box, and then click Find Now.
    8. Select each file in the results pane, press Delete, and then click Yes to confirm.
    9. Click New Search.
    10. Make sure that Look in is set to (C:) and that Include subfolders is checked.
    11. Type *.hta in the Named box, and then click Find Now.
    12. Select each file in the results pane, press Delete, and then click Yes to confirm.
    13. Right-click the Recycle Bin icon on the desktop, and click Empty Recycle Bin.

    To remove the worm entry from the Autoexec.bat file:
    Follow the instructions for your operating system.
    • Windows 95/98
      1. Click Start, and click Run. The Run dialog box appears.
      2. Type sysedit and then click OK. The System Configuration Editor opens.
      3. Click the Autoexec.bat window.
      4. Locate and delete the line that reads

        C:\Windows\Start Menu\Programs\StartUp\kak.hta

        NOTE: Some variants of this worm insert one or both of the following lines instead of or in addition to the previous text. If you see either of these lines--or any line that refers to kak--then it should be deleted.

        @echo off C:\Windows\Start Menu\Programs\StartUp\kak.hta
        Del C:\Windows\Start Menu\Programs\StartUp\kak.hta

      5. Because some variants hide the kak entry elsewhere in the Autoexec.bat file, search the file to make sure that no entries have been missed:
        1. Make sure that the cursor is positioned at the beginning of the Autoexec.bat file.
        2. Click Search, and click Find.
        3. Type kak in the Find box, and then click Next.
          • If you see the message, "Cannot find 'kak'," exit the System Editor, and then click Yes to save changes.
          • If an entry is found that contains kak, delete it, and then press the F3 key to repeat the search. Keep repeating the search until all references to kak have been removed and you see the message "Cannot find kak." Exit the System Editor, and then click Yes to save changes.
    • Windows Me
      1. Click Start, and click Run.
      2. Type the following and then click OK.

        edit c:\autoexec.bat

        The MS-DOS Editor opens.
      3. Locate and delete the line that reads

        C:\Windows\Start Menu\Programs\StartUp\kak.hta

        NOTE: Some variants of this worm insert one or both of the following lines instead of or in addition to the previous text. If you see either of these lines--or any line that refers to kak--then it should be deleted.

        @echo off C:\Windows\Start Menu\Programs\StartUp\kak.hta
        Del C:\Windows\Start Menu\Programs\StartUp\kak.hta

      4. Because some variants hide the kak entry elsewhere in the Autoexec.bat file, search the file to make sure that no entries have been missed:
        1. Make sure that the cursor is positioned at the beginning of the Autoexec.bat file.
        2. Click Search, and click Find.
        3. On the Find What line, type kak and then click OK.
          • If you see the message, "Edit was unable to find a match," click OK and then click Cancel. Click File and then click Exit. Click Yes to save the changes.
          • If an entry is found that contains kak, delete it, and then press the F3 key to repeat the search. Keep repeating the search until all references to kak have been removed and you see the message "Edit was unable to find a match." When you do, click OK and then click Cancel. Click File and then click Exit. Click Yes to save the changes.

    To remove the worm entry from the registry:

    CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.
    1. Click Start, and click Run. The Run dialog box appears.
    2. Type regedit and then click OK. The Registry Editor opens.
    3. Navigate to and click the following key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      NOTE: If you are using Windows 98, in addition to the \Run key, perform the next step on the \Run- key if it exists. (The \Run- key will exist only if you have used the System Configuration Utility to disable programs loading from the registry.)
    4. Look for the following String value in the right pane.

      cAg0u "C:\WINDOWS\SYSTEM\(name).hta"
    5. If it exists, click it, press Delete, and then click Yes to confirm.
    6. Navigate to and click the following subkey:

      HKEY_CURRENT_USER\Identities\<Identity>\Software\Microsoft\Outlook Express\5.0\Signatures

      NOTES:
      • The <Identity> key will be different on each computer. It is a long string of numbers and letters in brackets, similar to {2F3FF060-E5E4-11D3-B5CD-CC519BEAAC42}
      • Make sure that you go all of the way down through the keys and that you select the \Signatures subkey. Do not delete the Identities key itself.
    7. Press Delete, and then click Yes to confirm.
    8. Exit the Registry Editor, and then restart your computer.

      NOTE: (For Windows 98 users only) Before restarting, if you used the Microsoft System Configuration Utility to enable the Startup menu, you can disable it at this time. Follow these steps:
      1. Click Start, and click Run.
      2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
      3. Click Advanced on the General tab.
      4. Uncheck Enable Startup Menu, click OK, and then click OK again.
      5. Restart the computer.
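The three host-side checks in the steps above (kak.*, *.kak and *.hta files on C:; Autoexec.bat lines that refer to kak; the cAg0u String value under the Run and Run- keys and the Outlook Express 5.0 Signatures subkey) can be audited from a file listing, a copy of Autoexec.bat and a .reg export taken from the suspect computer. The Python script below is an added example, not Symantec's Repair Tool. The file snapshot, Autoexec.bat text and REGEDIT4 export it reads are constructed for the demonstration; the identity GUID is the illustrative one quoted in this writeup, and ab12cd.hta stands in for the random (name).hta. The ScanRegistry entry is included only to show that an ordinary Run value is not flagged.

```python
"""Host indicator audit for the Wscript.KakWorm removal steps.

Added example, not Symantec's Repair Tool. It checks what the manual
removal steps have you inspect by hand: a file listing (kak.*, *.kak,
*.hta), the Autoexec.bat text (any line that refers to kak) and a
REGEDIT4 export (the cAg0u value under Run / Run-, and the Outlook
Express 5.0 Signatures subkey). All inputs below are constructed.
"""
import fnmatch
import ntpath
import re

# File name patterns the Windows removal steps search C: for.
WORM_FILE_PATTERNS = ("kak.*", "*.kak", "*.hta")

# Run keys named in the registry steps (Run- exists only when msconfig
# was used to disable startup items on Windows 98).
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run-",
)
SIGNATURES_SUFFIX = r"\software\microsoft\outlook express\5.0\signatures"

# "name"="string value" lines of a .reg export; backslashes and quotes
# inside the strings are escaped with a backslash.
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def find_worm_files(paths):
    """Return the paths whose base name matches kak.*, *.kak or *.hta."""
    hits = []
    for p in paths:
        base = ntpath.basename(p).lower()
        if any(fnmatch.fnmatchcase(base, pat) for pat in WORM_FILE_PATTERNS):
            hits.append(p)
    return hits


def audit_autoexec(text: str):
    """Return every Autoexec.bat line that refers to kak (case-insensitive)."""
    return [line.strip() for line in text.splitlines() if "kak" in line.lower()]


def parse_reg_export(text: str):
    """Map each [key] in a REGEDIT4 export to its string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_VALUE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def audit_registry(text: str):
    """Flag the cAg0u Run value (or any Run value launching an .hta) and
    every Outlook Express 5.0 Signatures key present, for review/deletion."""
    findings = []
    for key, values in parse_reg_export(text).items():
        lk = key.lower()
        if lk in RUN_KEYS:
            for name, value in values.items():
                if name.lower() == "cag0u" or value.lower().endswith(".hta"):
                    findings.append(("run-entry", key, name, value))
        elif SIGNATURES_SUFFIX in lk:
            findings.append(("signatures-key", key, None, None))
    return findings


# --- constructed inputs; ab12cd.hta stands in for the random (name).hta ---

SNAPSHOT_FILES = [
    r"C:\WINDOWS\kak.htm",
    r"C:\WINDOWS\SYSTEM\ab12cd.hta",
    r"C:\WINDOWS\Start Menu\Programs\StartUp\kak.hta",
    r"C:\WINDOWS\SYSTEM\shell32.dll",
    r"C:\My Documents\notes.txt",
    r"C:\WINDOWS\kak.reg",
]

SAMPLE_AUTOEXEC = r"""@echo off
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
C:\Windows\Start Menu\Programs\StartUp\kak.hta
Del C:\Windows\Start Menu\Programs\StartUp\kak.hta
"""

SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"cAg0u"="C:\\WINDOWS\\SYSTEM\\ab12cd.hta"

[HKEY_CURRENT_USER\Identities\{2F3FF060-E5E4-11D3-B5CD-CC519BEAAC42}\Software\Microsoft\Outlook Express\5.0\Signatures]
"""
```

The audit only reports; deleting the Signatures subkey and the Run value is still the manual step described above, since an administrator will want to confirm that the Signatures key holds nothing but the worm's signature before removing it. The Run check matches on either the cAg0u name or an .hta target so that a renamed value pointing at the dropped file is still caught.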

    To delete worm-infected files from Quarantine:
    The files that were infected by Wscript.KakWorm are no longer necessary on your system. To permanently delete these infected files, see the document How to remove files from Norton AntiVirus Quarantine.

    To clear the deleted items folder:
    If you do not have Outlook or Outlook Express set to clear deleted email when you close the program, then clear this folder before you send or receive email.

    CAUTION: Before you do this, turn off the preview pane option. If you do not, then you risk reinfection.
    • In Microsoft Outlook, click the View menu and make sure that the Preview Pane menu item is not selected.
    • In Outlook Express, click the View menu, and click Layout. Uncheck Show Preview Pane.

    To install the Microsoft patch:
    If you have not already done so, install the Microsoft Scripting update, which is available at
    http://www.microsoft.com/technet/ie/tools/scrpteye.asp

    For help with this, see the document How to download and install the Microsoft Scripting update.

    What to do after installing the Microsoft patch
    After you have removed the worm and installed the Microsoft security patch, do the following any time that NAV detects an email message infected with the Wscript.KakWorm:
    1. Note which specific message is infected.
    2. Click "Ignore the problem and continue with the infected file."

      NOTE: Any other action will disrupt the message index and the downloaded messages will not be cleaned from the email server. The next time that you download mail, you will have all of the previous messages, including those infected with Wscript.KakWorm.
    3. When you open or preview the infected message, you will see the message "An active X control on this page is not safe: Your current security settings prohibit running unsafe controls on this page, as a result this page may not display as intended." Delete any such infected message and empty your email trash folder.
    4. If you know who sent you the email, contact them and tell them that their system is infected by this worm.

    Solution 2 -- How to remove this worm (mostly in MS-DOS mode)
    • Start the computer in MS-DOS mode.
    • Remove the worm entry from the Autoexec.bat file.
    • Remove worm-infected files in MS-DOS mode.
    • Remove the worm entry from the registry.
    • Delete worm-infected files from Quarantine.
    • Clear deleted items folder.
    • Install the Microsoft patch.
    • Take action after installing the Microsoft patch.

    To start the computer in MS-DOS mode:
    • If you are using Windows 95, then follow these steps:
      1. If the computer is on, close all programs, and then, if possible, shut down Windows.
      2. Turn off the computer and wait thirty seconds. You must turn off the power to clear memory. Do not press the reset button.
      3. Restart the computer and watch the screen. When you see "Starting Windows 95," press F8.
      4. Select "Safe Mode Command Prompt Only" from the startup menu, and then press Enter.
    • If you are using Windows 98, then follow these steps:
      1. If the computer is on, close all programs, and then, if possible, shut down Windows.
      2. Turn off the computer and wait thirty seconds. You must turn off the power to clear memory. Do not press the reset button.
      3. Restart the computer and immediately press and hold down the Ctrl key until the Windows 98 startup menu appears.
      4. Select "Safe Mode Command Prompt Only" from the startup menu, and then press Enter.

    To remove the worm entry from the Autoexec.bat file:
    1. At the DOS prompt, type edit autoexec.bat and then press Enter. The DOS editor opens.
    2. Delete or remark out any lines with entries that refer to C:\Windows\Start Menu\Programs\StartUp\kak.hta.
    3. Press Alt+F, and then press S to save the file.
    4. Press Alt+F, and then press X to exit the DOS editor.

    To remove worm-infected files in MS-DOS mode:

    NOTE: These instructions assume that the path to your Windows folder is C:\Windows. If you installed Windows to a different folder, such as C:\Win95, then modify the commands that refer to the Windows folder accordingly.
    1. Type the following commands in the sequence shown. Press Enter after each one.
      cd windows
      attrib -s -h -r kak.htm
      del c:\windows\kak.htm
      cd system
      attrib -s -h -r *.hta
      del *.hta
      cd..
      cd startm~1
      cd programs
      cd startup
      attrib -s -h -r kak.hta
      del kak.hta
    2. Turn off the computer and wait at least 30 seconds. Do not use the reset button.
    3. Restart the computer. When Windows starts, proceed to the next section.

      NOTE: If after restarting the computer, you see a blank <name>.hta screen opening at startup, repeat the previous steps.

    To remove the worm entry from the registry:

    CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.
    1. Click Start, and click Run. The Run dialog box appears.
    2. Type regedit and then click OK. The Registry Editor opens.
    3. Navigate to and click the following key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      NOTE: If you are using Windows 98, in addition to the \Run key, perform the next step on the \Run- key if it exists. (The \Run- key will exist only if you have used the System Configuration Utility to disable programs loading from the registry.)
    4. Look for the following String value in the right pane.

      cAg0u "C:\WINDOWS\SYSTEM\(name).hta"
    5. If it exists, select it, press Delete, and then click Yes to confirm.
    6. Navigate to and click the following subkey:

      HKEY_CURRENT_USER\Identities\<Identity>\Software\Microsoft\Outlook Express\5.0\Signatures

      NOTES:
      • The <Identity> key will be different on each computer. It is a long string of numbers and letters in brackets, similar to {2F3FF060-E5E4-11D3-B5CD-CC519BEAAC42}
      • If you have multiple accounts, then you may have more than one <Identity> key. If this is the case, then you must do this for each one.
      • Make sure that you go all of the way down through the keys and that you select the \Signatures subkey. Do not delete the Identities key itself.
    7. Press Delete, and then click Yes to confirm.
    8. Exit the Registry editor.

    To delete infected files from Quarantine:
    The files that were infected by Wscript.KakWorm are no longer necessary on your system. To permanently delete these infected files, see the document How to remove files from Norton AntiVirus Quarantine.

    To clear the deleted items folder:
    If you do not have Outlook Express set to clear deleted email messages when you close the program, then empty this folder before you send or receive email.

    To install the Microsoft patch:
    If you have not already done so, then install the Microsoft Scripting update, which is available at the following Internet address:
    http://www.microsoft.com/TechNet/IE/tools/scrpteye.asp

    For help with this, see the document How to download and install the Microsoft Scripting update.

    What to do after installing the Microsoft patch
    After you have removed the worm and installed the Microsoft security patch, do the following any time that NAV detects an email infected with the Wscript.KakWorm:
    1. Note which specific email message is infected.
    2. Click "Ignore the problem and continue with the infected file."

      NOTE: Any other action will disrupt the message index and the downloaded messages will not be cleaned from the email server. The next time that you download mail, you will have all of the previous messages, including those infected with Wscript.KakWorm.
    3. When you open or preview the infected message, you will see the message "An active X control on this page is not safe: Your current security settings prohibit running unsafe controls on this page, as a result this page may not display as intended." Delete any such infected message and empty your email trash folder.
    4. If you know who sent you the message, contact them and tell them that their system is infected by this worm.

    Additional information:

    Additional precautions that you can take:
    Some threats, such as this one, use the VBScript computer language to run. You can protect yourself from threats that use this language by enabling Script Blocking (Norton AntiVirus 2001/2002) or by disabling or uninstalling the Windows Scripting Host. Because the Windows Scripting Host is an optional part of Windows, it can be safely removed from your computer. (Some programs, however, need Windows Scripting Host in order to function properly.)

    • If you are using Norton AntiVirus 2002, which includes Script Blocking, make sure that Script Blocking is enabled (the default).
    • If you are using Norton AntiVirus 2001, a free program update that includes Script Blocking is available. Please run LiveUpdate to obtain this.
    • For other versions of Norton AntiVirus, SARC offers a tool to disable the Windows Scripting Host.
    • To disable the Windows Scripting Host in Microsoft Outlook Express only, see the Microsoft Knowledge Base document OLEXP: How to Disable Active Scripting in Outlook Express, Article ID: Q192846.

    Revision History:

    • June 24, 2002: Downgraded from Category 3 to Category 2 based on decreased rate of submissions.
    • December 10, 2001: Downgraded from Category 4 to Category 3 based on decreased rate of submissions.


    Write-up by: Eric Chien