Kak Worm

KAK (Kagou Anti Kro$oft) is a 1999 JavaScript worm that uses a bug in Outlook Express (CVE-1999-0668) to spread itself.


Behavior

On the first day of every month, at 6:00 pm, the worm uses SHUTDOWN.EXE to initiate a shutdown and show a popup with the text "Kagou-anti-Kro$oft says not today!". A minimized window often appears on startup with the title "Driver Memory Error". Another message saying "S3 Driver Memory Alloc Failed!" occasionally pops up. The worm also adds a registry key and edits AUTOEXEC.BAT to make Windows launch it on startup. The worm adds these commands to AUTOEXEC.BAT:

    @ECHO off C:\Windows\Start Menu\Programs\StartUp\kak.hta
    DEL C:\Windows\Start Menu\Programs\StartUp\kak.hta


Approach

KAK works by exploiting a vulnerability in Microsoft Internet Explorer, which Outlook Express uses to render HTML email. The vulnerability concerns the ActiveX control "Scriptlet.Typelib", which is normally used to create new type libraries (".tlb" files). However, the control places no restrictions on what content goes into the type library file or what file extension it should have. Therefore, the control can be abused to create a file with any content and any extension. Since Microsoft did not foresee that the control could be abused in this way, they marked it as "safe for scripting" in Internet Explorer's default security settings. This means that scripts using this control do not need the user's permission in order to run. KAK embeds this abusive script in the signature of an email message, so that it runs as soon as the email is viewed or previewed in Outlook Express (because Outlook Express uses Internet Explorer to provide the view/preview of HTML emails). KAK uses "Scriptlet.Typelib" to create a file called "kak.hta" in the StartUp folder. This file contains further code that runs the next time the machine starts up. Since the HTA is not rendered in Internet Explorer but executed by Windows Scripting Host, the code KAK places in this file has even more privileges than the code it put into the email signature. The next time the machine starts up and "kak.hta" runs, KAK performs a number of actions such as:

* Setting the user's email signature to contain the code that infects other systems, so the worm can spread
* Adding lines to AUTOEXEC.BAT to delete the original "kak.hta" so that the virus is more difficult to track
* Creating a new "kak.hta" which runs on startup and will shut down the machine between 6 pm and midnight on the first day of the month


External links


VBS.KAK: kak writeup and info at pchell.com
Wscript.KakWorm on Symantec.com
JS/Kak@M on McAfee