KAK @M virus 
 KAK @M virus

I have McAfee installed with latest DAT files but it does not clean my
....\Programmes\Startup\ Kak.hta virus warnings.
I thought McAfee should have cleared it so any help would be very welcome.

Thanks



Wed, 09 Apr 2003 03:00:00 GMT  
 KAK @M virus

Go here.

Click on K for Kak.  You will find the information is VERY comprehensive.

There are reg files available for download which will assist in cleaning up your computer.

Make sure you follow the instructions EXACTLY to prevent reinfection.

--

Please do not send an email unless asked to do so.
________________________________________
Sandi
Microsoft MVP (Internet Explorer and Outlook Express)
http://members.iinet.net.au/~sandi/MVP/index.htm

Quote:

> I have McAfee installed with latest DAT files but it does not clean my
> ....\Programmes\Startup\ Kak.hta virus warnings.
> I thought McAfee should have cleared it so any help would be very welcome.

> Thanks



Wed, 09 Apr 2003 03:00:00 GMT  
 KAK @M virus
Thanks.
Will I be able to follow what has to be done?  I am absolutely green at all
this.
I have no idea what  reg files are.  Does that matter?

By 'here', I assume you mean the msnews address but please confirm



Go here.

Click on K for Kak.  You will find the information is VERY comprehensive.

There are reg files available for download which will assist in cleaning up
your computer.

Make sure you follow the instructions EXACTLY to prevent reinfection.

--

Please do not send an email unless asked to do so.
________________________________________
Sandi
Microsoft MVP (Internet Explorer and Outlook Express)
http://members.iinet.net.au/~sandi/MVP/index.htm


Quote:
> I have McAfee installed with latest DAT files but it does not clean my
> ....\Programmes\Startup\ Kak.hta virus warnings.
> I thought McAfee should have cleared it so any help would be very welcome.

> Thanks



Wed, 09 Apr 2003 03:00:00 GMT  
 KAK @M virus

Oops, I forgot the link <blushing>

http://www.vet.com.au/html/vvcc/anti-virus/zoo/index.html

--

Please do not send an email unless asked to do so.
________________________________________
Sandi
Microsoft MVP (Internet Explorer and Outlook Express)
http://members.iinet.net.au/~sandi/MVP/index.htm

Quote:

> Thanks.
> Will I be able to follow what has to be done?  I am absolutely green at all
> this.
> I have no idea what  reg files are.  Does that matter?

> By 'here', I assume you mean the msnews address but please confirm



> Go here.

> Click on K for Kak.  You will find the information is VERY comprehensive.

> There are reg files available for download which will assist in cleaning up
> your computer.

> Make sure you follow the instructions EXACTLY to prevent reinfection.

> --

> Please do not send an email unless asked to do so.
> ________________________________________
> Sandi
> Microsoft MVP (Internet Explorer and Outlook Express)
> http://members.iinet.net.au/~sandi/MVP/index.htm



> > I have McAfee installed with latest DAT files but it does not clean my
> > ....\Programmes\Startup\ Kak.hta virus warnings.
> > I thought McAfee should have cleared it so any help would be very welcome.

> > Thanks



Wed, 09 Apr 2003 03:00:00 GMT  
 KAK @M virus

Terrific.  That's a fantastic site.   Wish me luck !



Oops, I forgot the link <blushing>

http://www.vet.com.au/html/vvcc/anti-virus/zoo/index.html

--

Please do not send an email unless asked to do so.
________________________________________
Sandi
Microsoft MVP (Internet Explorer and Outlook Express)
http://members.iinet.net.au/~sandi/MVP/index.htm


Quote:
> Thanks.
> Will I be able to follow what has to be done?  I am absolutely green at all
> this.
> I have no idea what  reg files are.  Does that matter?

> By 'here', I assume you mean the msnews address but please confirm



> Go here.

> Click on K for Kak.  You will find the information is VERY comprehensive.

> There are reg files available for download which will assist in cleaning up
> your computer.

> Make sure you follow the instructions EXACTLY to prevent reinfection.

> --

> Please do not send an email unless asked to do so.
> ________________________________________
> Sandi
> Microsoft MVP (Internet Explorer and Outlook Express)
> http://members.iinet.net.au/~sandi/MVP/index.htm



> > I have McAfee installed with latest DAT files but it does not clean my
> > ....\Programmes\Startup\ Kak.hta virus warnings.
> > I thought McAfee should have cleared it so any help would be very welcome.

> > Thanks



Thu, 10 Apr 2003 03:00:00 GMT  
 KAK @M virus

Good luck.

--

Please do not send an email unless asked to do so.
________________________________________
Sandi
Microsoft MVP (Internet Explorer and Outlook Express)
http://members.iinet.net.au/~sandi/MVP/index.htm

Quote:

> Terrific.  That's a fantastic site.   Wish me luck !



> Oops, I forgot the link <blushing>

> http://www.vet.com.au/html/vvcc/anti-virus/zoo/index.html

> --

> Please do not send an email unless asked to do so.
> ________________________________________
> Sandi
> Microsoft MVP (Internet Explorer and Outlook Express)
> http://members.iinet.net.au/~sandi/MVP/index.htm



> > Thanks.
> > Will I be able to follow what has to be done?  I am absolutely green at all
> > this.
> > I have no idea what  reg files are.  Does that matter?

> > By 'here', I assume you mean the msnews address but please confirm



> > Go here.

> > Click on K for Kak.  You will find the information is VERY comprehensive.

> > There are reg files available for download which will assist in cleaning up
> > your computer.

> > Make sure you follow the instructions EXACTLY to prevent reinfection.

> > --

> > Please do not send an email unless asked to do so.
> > ________________________________________
> > Sandi
> > Microsoft MVP (Internet Explorer and Outlook Express)
> > http://members.iinet.net.au/~sandi/MVP/index.htm



> > > I have McAfee installed with latest DAT files but it does not clean my
> > > ....\Programmes\Startup\ Kak.hta virus warnings.
> > > I thought McAfee should have cleared it so any help would be very welcome.

> > > Thanks



Thu, 10 Apr 2003 03:00:00 GMT  
 KAK @M virus


Quote:
> I have McAfee installed with latest DAT files but it does not clean my
> ....\Programmes\Startup\ Kak.hta virus warnings.
> I thought McAfee should have cleared it so any help would be very welcome.

You will have to add HT? to the extension list as well to fully detect
this. You should also ensure that the following extensions are added as
well:
BAT COM DO? EXE HLP HT? INI JS? OLE PIF POT PP? RTF SCR SH? VB? XL?

There are other extensions that can be infected but those are the ones
that are absolutely vital to ensure that you're scanning.

Also, keep in mind that antivirus software will usually not scan the
message bodies of your Inbox, so you must install the security patch
from Microsoft in order to keep from getting reinfected.

Sent via Deja.com http://www.deja.com/
Before you buy.
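The extension list in the post above decides which files an extension-based on-access scanner even opens, and the poster's point is that KAK.HTA stays outside that scope until HT? is added. The following Python is an added illustration, not part of the original thread and not McAfee's code: it models that scan scope with the poster's pattern list. The "before" list (the posted list minus HT?) and the file names are constructed from what this thread describes.

```python
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

# Extension patterns quoted in the post above. "?" matches exactly one character,
# so HT? covers HTA, HTM and HTT. This is the poster's list, not a vendor default.
POSTED_EXTENSIONS = "BAT COM DO? EXE HLP HT? INI JS? OLE PIF POT PP? RTF SCR SH? VB? XL?".split()


def extension_in_scope(filename, patterns):
    """Return True when the file's extension matches one of the scan patterns.

    Matching is case-insensitive, as Windows file names are; a file without
    an extension is never in scope.
    """
    suffix = PureWindowsPath(filename).suffix  # e.g. ".HTA"
    if not suffix:
        return False
    ext = suffix[1:].upper()
    return any(fnmatchcase(ext, p.upper()) for p in patterns)


def files_skipped(filenames, patterns):
    """Files from the list that an extension-based scanner would never open."""
    return [f for f in filenames if not extension_in_scope(f, patterns)]


# Constructed sample of the file names this thread's Kak description mentions.
# AE.KAK is only the worm's backup copy of AUTOEXEC.BAT, but it shows that the
# scope is decided purely by name: its extension matches nothing in the list.
SAMPLE_FILES = [
    r"C:\WINDOWS\Start Menu\Programs\StartUp\KAK.HTA",
    r"C:\WINDOWS\kak.htm",
    r"C:\WINDOWS\SYSTEM\98278AE0.HTA",
    r"C:\AE.KAK",
    r"C:\AUTOEXEC.BAT",
]

if __name__ == "__main__":
    # Constructed "before" list: the posted patterns without HT?
    without_ht = [p for p in POSTED_EXTENSIONS if p != "HT?"]
    print("skipped before adding HT?:", files_skipped(SAMPLE_FILES, without_ht))
    print("skipped after adding HT?: ", files_skipped(SAMPLE_FILES, POSTED_EXTENSIONS))
```

Run stand-alone, the script shows the three Kak HTML/HTA files dropping out of the skipped list once HT? is present, while AE.KAK remains out of scope in both cases.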



Thu, 10 Apr 2003 03:00:00 GMT  
 KAK @M virus

Quote:

> Also, keep in mind that antivirus software will usually not scan the
> message bodies of your Inbox, so you must install the security patch
> from Microsoft in order to keep from getting reinfected.

I beg your pardon?  What AV programme are you using?  

Any antivirus programme that does not scan emails is not worth buying - unless you are saying that a programme does not scan the email until you try to access it. That is not unusual, and absolutely nothing to worry about.

You cannot be infected by a viral email unless you try to preview it, read it or open the attachment, depending on the type of virus and all antivirus programmes should scan an email as it is opened.  If it doesn't - dump the programme as worthless.  Just yesterday a sample of KAK was sent to where I work, and the antivirus spotted it and locked out the email as soon as you clicked on the header to preview the message.

Setting OE to restricted zone and turning off scripting is sufficient to stop KAK type viruses if your AV is not up to date.

--

Please do not send an email unless asked to do so.
________________________________________
Sandi
Microsoft MVP (Internet Explorer and Outlook Express)
http://members.iinet.net.au/~sandi/MVP/index.htm



Thu, 10 Apr 2003 03:00:00 GMT  
 KAK @M virus


Quote:



> > Also, keep in mind that antivirus software will usually not scan the
> > message bodies of your Inbox, so you must install the security patch
> > from Microsoft in order to keep from getting reinfected.

> I beg your pardon?  What AV programme are you using?

> Any antivirus programme that does not scan emails is not worth buying -
> unless you are saying that a programme does not scan the email until you
> try to access it. That is not unusual, and absolutely nothing to worry
> about.

> You cannot be infected by a viral email unless you try to preview it,
> read it or open the attachment, depending on the type of virus and all
> antivirus programmes should scan an email as it is opened.  If it
> doesn't - dump the programme as worthless.  Just yesterday a sample of
> KAK was sent to where I work, and the antivirus spotted it and locked
> out the email as soon as you clicked on the header to preview the
> message.

I admit I wasn't very clear. Until recently, with viruses like Kak, it
wasn't necessary to scan message bodies, only attachments. Scanning e-
mail could have several meanings.

1. It could scan traffic at the Network level, while your e-mail
program is downloading the e-mail. If the product scans message bodies,
the infected e-mail may not reach your Inbox at all. Such protection
would be limited to specific e-mail protocols, and may not scan message
bodies.

2. It could scan the e-mails at the Inbox level, either by scanning the
entire Inbox, or by using hooks in the e-mail programs. If it was using
hooks into the e-mail program, the protection would be limited to
specific known e-mail programs that were hookable.

3. It could do scans at the file level as they are opened, created, or
modified, but without any specific knowledge of the specific e-mail
program or attachment format. It would detect e-mail attachments as
they are decoded and saved to disk. That would be sufficient to prevent
any viruses in attachments from running. For viruses in the message
body, like Kak, it wouldn't stop the script from running, but it  would
detect KAK.HTA as soon as it is created in the StartUp folder, before
it has a chance to run, and thus prevent a real infection.

Point being, that until KAK.HTA is created in the StartUp folder,
there's no guaranteed way to catch it before that, and as long as your
antivirus program is scanning files as they are created and read, and
is scanning the right extensions, it will catch KAK.HTA, and any other
file received as an e-mail attachment, before it has a chance to really
run.

Ok, some people will consider KAK.HTA in the StartUp folder as being
infected, even if it's immediately caught by antivirus software, and
that's why I recommend that users install the patch from Microsoft.

Quote:
> Setting OE to restricted zone and turning off scripting is sufficient to
> stop KAK type viruses if your AV is not up to date.

I agree with you there, I recommend that people should disable
scripting in the "Restricted Sites" zone and set e-mail and newsgroups
to run in the "Restricted Sites" zone. But people should still install
the patch from Microsoft; there have been web pages that use the same
security hole as Kak to install trojans, and most people can't turn
off scripting for Web sites, because so many web sites insist that
scripting be enabled.

Sent via Deja.com http://www.deja.com/
Before you buy.



Thu, 10 Apr 2003 03:00:00 GMT  
 KAK @M virus


Quote:



> > Also, keep in mind that antivirus software will usually not scan the
> > message bodies of your Inbox, so you must install the security patch
> > from Microsoft in order to keep from getting reinfected.

> I beg your pardon?  What AV programme are you using?

> Any antivirus programme that does not scan emails is not worth buying -
> unless you are saying that a programme does not scan the email until you
> try to access it. That is not unusual, and absolutely nothing to worry
> about.

> You cannot be infected by a viral email unless you try to preview it,
> read it or open the attachment, depending on the type of virus and all
> antivirus programmes should scan an email as it is opened.  If it
> doesn't - dump the programme as worthless.  Just yesterday a sample of
> KAK was sent to where I work, and the antivirus spotted it and locked
> out the email as soon as you clicked on the header to preview the
> message.

I am also curious about your experience with Kak; what antivirus were
you using? What e-mail program? Did it detect the KAK.HTA in the
startup folder, or did it tell you that your entire e-mail Inbox was
what was infected, or did it name what specific e-mail was infected?

Sent via Deja.com http://www.deja.com/
Before you buy.



Thu, 10 Apr 2003 03:00:00 GMT  
 KAK @M virus

Quote:

> I am also curious about your experience with Kak; what antivirus were
> you using? What e-mail program? Did it detect the KAK.HTA in the
> startup folder, or did it tell you that your entire e-mail Inbox was
> what was infected, or did it name what specific e-mail was infected?

1)  Antivirus used: VET Antivirus on one system, InoculateIT on another

2)  Email programme:  GroupWise on one system; Outlook Express on another

3)  KAK in startup folder: It didn't get that far - virus was detected before it could install

4)  Did it tell you your entire inbox was infected - no to both programmes

5)  Did it name a specific email - yes to both programmes

--

Please do not send an email unless asked to do so.
________________________________________
Sandi
Microsoft MVP (Internet Explorer and Outlook Express)
http://members.iinet.net.au/~sandi/MVP/index.htm



Fri, 11 Apr 2003 03:00:00 GMT  
 KAK @M virus

Quote:
> > > Also, keep in mind that antivirus software will usually not scan the
> > > message bodies of your Inbox, so you must install the security patch
> > > from Microsoft in order to keep from getting reinfected.

Well, short of being rude, let's just say "nonsense".

Quote:
> I am also curious about your experience with Kak; what antivirus were
> you using? What e-mail program? Did it detect the KAK.HTA in the
> startup folder, or did it tell you that your entire e-mail Inbox was
> what was infected, or did it name what specific e-mail was infected?

Network Associates Total Virus Defence with Microsoft Outlook mail clients.

Attachment based virii can be blocked on submission to the Information
Store.  Message based virii are detected (provided appropriate signatures
are installed) on access using MAPI **running on the mailserver**.  Infected
messages are never allowed to leave the Information Store and are
subsequently quarantined.

Clients can not be infected by attachment based virii or message based virii
for which known signatures are installed.

Best regards,

John.



Fri, 11 Apr 2003 03:00:00 GMT  
 KAK @M virus

Hi all,

I am surprised at all that has happened / been talked about KAK here...

We have been facing KAK under several names of the Variants / Aliases, such
as JS/Kak.worm.a, JS/Kak.worm.b, Kak, Kakworm, VBS.Kak.Worm,
VBS/Kak, VBS_KAKWORM.A, VBS_KAKWORM.A-M, Wscript.Kak, Wscript.KakWorm
( data located at http://vil.nai.com/vil/dispVirus.asp?virus_k=10509 ) and
VBS/Kakworm-D ( at http://vil.nai.com/vil/dispVirus.asp?virus_k=98855 ) ...

McAfee ( NAI ) has offered different solutions since DAT 4051 ( now they have DAT
4100 ) regarding the Variants / Aliases detected, and also informs about the
Microsoft Security Updates that must be done for this question !

About the messages I have seen, McAfee offers SOME solutions for viruses,
located on DIFFERENT parts of the network :

1) Client Protection : VirusScan has BootScan for PC boot-up / MBR ;
OnDemandScan to scan a file / folder / location over the network at the time
demanded ; OnAccessScan to scan a file at the time the user accesses it ( read -
open - save - download - etc. ) ; InternetScan for ActiveX - Java ; E-mail
scan at the time an e-mail is opened / read and / or an attachment is
accessed.... You can modify the settings of the scan and the actions as you want...

2) File Server Protection : NetShield has the same functions on NT or NW
servers and some more, with admin control of the network site....

3) E-Mail Server / GroupWare Servers : GroupShield scans and detects on the
Public Folder of the server, which contains all the e-mails / attachments of
the network, and also has text filtering ( such as Subject line
filtering ) on the e-mails...

4) Gateway / Firewall : WebShield checks all data on SMTP and PROXY servers
and Firewall connections for viruses...

So, if you have only VirusScan, it means yes, you can detect nearly
all viruses if you set the preferences properly and your DAT and ENGINE are
available for these solutions, even when they come from the network or internet...
( you must be updated / upgraded )

If you have GroupShield you have the same controls on the GroupWare server.

Sure, you must install the Microsoft Security Patches as well !!

The text of an e-mail does not affect the system !!! Because it is text only
( HOAX ) ... But the attached files !!

For some viruses it is not easy to clean up the whole system properly, and somehow
user-controlled actions may be needed outside of an AntiVirus SW... They are
mostly script or macro viruses...

So, be patient, cool and ready for all....

Best Regards...

-------

ABOUT KAK VIRUSES

Summary

Virus Name:        JS/Kak.worm.a
Risk Assessment:   Medium
--------
Virus Information

Discovery Date:  10/22/1999
Origin:  New Caledonia
Length:
Type:  Virus
SubType:  VBScript
Minimum Dat:  4051
Minimum Engine:  4.0.25
DAT Release Date:  11/10/1999
Description Added:  12/31/1999
-------
Virus Characteristics

This worm was first discovered by AVERT in October 1999 and detection was added
for it within the 4051 DAT updates. Virus Patrol, a newsgroup scanning program
from NAI, continues to identify occurrences of this Internet worm in
newsgroup postings, which is an indication that the worm is continuing to spread.
AVERT recommends adding ".HT?" to file extensions scanned for protection,
and also ensure users have installed the security patch from Microsoft
mentioned below.
Another dangerous aspect of this Internet worm is the ability to
continuously re-infect yourself if the preview pane is enabled and you
browse between folders specifically the "sent" folder which happens to
contain the Internet worm within a message. This is another strong reason to
update to the security patch, if not already.*

This is an Internet worm which uses JavaScript and an ActiveX control,
called "Scriptlet Typelib", to propagate itself through email using MS
Outlook Express. This worm consists of 3 components, an HTA file (HTML
Application), a REG file (Registration Entries Update) and a BAT file
(MS-DOS Batch).

When an e-mail or newsgroup message infected by this worm is opened by a
reader which supports Javascript in HTML, the script checks to see if MS
Internet Explorer 5 or higher is installed. If it is, using an ActiveX
exploit known as "Scriptlet TypeLib", the script writes the KAK.HTA file to
the Startup folder of the local machine. This will launch the code embedded
in the HTA file at the next Windows startup. Microsoft has published a
security update which addresses this ActiveX exploit and users are
encouraged to update their systems with this component. With this update
installed, users are questioned if they wish to run the ActiveX control
which "might be unsafe".

For more details on this vulnerability and to obtain a patch from Microsoft,
see this link:
Microsoft Security Bulletin

For current security bulletins from Microsoft, see this link:
Current Bulletins.

Email messages written in HTML format will be coded with the Internet worm
on infected systems due to the default signature modification on infected
systems. The email application Outlook is a target of this Internet worm for
propagation due to its support for HTML format messages. If an email message
is coded with the worm code and it is allowed to run, files are written to
the local machine in different locations-

c:\windows\kak.htm
c:\windows\system\(name).hta

kak.hta is written to either folder:
French Windows
c:\windows\Menu Démarrer\Programmes\Démarrage\

English Windows
c:\windows\Start Menu\Programs\StartUp\

In the above list, "(name)" is a seemingly random 8 character name (e.g.
98278AE0.HTA) however it is related directly to a registry entry.

This worm first copies the original AUTOEXEC.BAT file to AE.KAK. Then the
AUTOEXEC.BAT file is modified to overwrite the file KAK.HTA and then delete
it from the StartUp folder. The system registry is also modified when the
script executes a shell registry update using regedit and the REG file
written to the local system. The registry modification is this-

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
cAg0u = "C:\WINDOWS\SYSTEM\(name).hta"

The entry "(name)" is an 8 character name (e.g. 98278AE0.HTA).

The email spreading method is possible by a registry modification which adds
a signature to MS Outlook. The signature is set to include the file
"C:\WINDOWS\kak.htm" and is set as the default signature such that the worm
is spread on all outgoing email if the signature is included.

Finally this worm also has a payload which is date activated.

On the 1st of the month, and beginning from 6PM local time, a message is
displayed:

"Kagou-Anti-Kro$oft says not today!"

------

Symptoms

Recipients of messages which contain Wscript/Kak.worm may receive warning
messages such as:
"Do you want to allow software such as ActiveX controls and plug-ins to
run?"
Users should select "NO" to this question. Also another warning dialogue box
could be displayed:
"Scripts are usually safe. Do you want to allow scripts to run?"

Users should select "NO" also to this question. Further indications of
infection are the existence of files KAK.HTA and KAK.HTM as mentioned above,
registry modifications as mentioned above, added or modified default
signature as mentioned above.

On the 1st of the month, and beginning from 6PM local time, a message is
displayed:

"Kagou-Anti-Kro$oft says not today!"

Another possible message is a fake error message with this description:

"S3 driver memory alloc failed"

After this, Windows is instructed to shutdown.

-------

Method Of Infection

Opening email messages which are composed in HTML format and which contain
the script will install the Internet worm on supported systems as mentioned
above. The HTA file is written to the local machine as is the HTM file and
both are created at system startup, and with each composition of HTML format
email message.
Removal of this Internet worm consists of several steps:

* close email client(s)
* install the MS patch mentioned above
* remove KAK.HTA and/or KAK.HTM
* turn off "preview pane"(optional)
* delete the default email signature setting (Tools/Options/Signature)
* delete messages which are not needed which may contain the embedded script

Users may also benefit by removing Windows Scripting Host from their Windows
environment. To do this in Windows 9x, go to "Control Panel" and choose
"Add/Remove Programs". Click on the "Windows Setup" tab and double click on
"Accessories". Scroll down to "Windows Script Host" and uncheck it and
choose "OK". It may be necessary to reboot the system. For additional help
or support, visit Microsoft's Support Site.

Users may also want to disable "Active Scripting" in the "Restricted Sites"
zone and set E-Mail to run in the "Restricted Sites" zone. To do this:

-open Internet Explorer
-choose the Tools menu
-choose Internet Options
-click the Security tab
-click the Restricted Sites icon
-click "Custom Level"
-scroll down to "Active Scripting" and set it to Disable or Prompt
-Click OK
-open Outlook
-choose the Tools menu
-choose Options
-click the Security Tab
-In the "Security Zones" section, choose the "Restricted Sites" zone

------

Removal Instructions

Use specified engine and DAT files for detection and removal.
Removal of this Internet worm consists of several steps:

* close email client(s)
* install the MS patch mentioned above
* remove UPDATE.HTA and/or SIGN.HTML
* turn off 'preview pane' (optional)
* delete the default email signature setting (Tools/Options/Signature)
* delete messages which are not needed which may contain the embedded script

Users may also benefit by removing Windows Scripting Host from their Windows
environment. To do this in Windows 9x, go to 'Control Panel' and choose
'Add/Remove Programs'. Click on the 'Windows Setup' tab and double click on
'Accessories'. Scroll down to 'Windows Script Host' and uncheck it and
choose 'OK'. It may be necessary to reboot the system. For additional help
or support, visit Microsoft's Support Site.

Users may also want to disable 'Active Scripting' in the 'Restricted ...

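The virus description pasted above names the artefacts Kak leaves on a machine: KAK.HTA in the StartUp folder (English or French Windows path), C:\WINDOWS\kak.htm, an 8-character .HTA in C:\WINDOWS\SYSTEM, the AE.KAK copy of AUTOEXEC.BAT, and the Run value cAg0u pointing at that HTA. The following Python is an added example, not part of the thread and not NAI's or McAfee's code: it checks a snapshot (a list of file paths plus a .reg export) against those indicators so it can be run on any platform. The file list, the registry text and the benign Run entry are constructed for the demonstration; treating the 8-character name as alphanumeric and comparing the value name case-insensitively are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Locations named in the pasted description (StartUp paths for English and French Windows).
STARTUP_FOLDERS = (
    r"C:\WINDOWS\Start Menu\Programs\StartUp",
    r"C:\WINDOWS\Menu Démarrer\Programmes\Démarrage",
)
WINDOWS_DIR = PureWindowsPath(r"C:\WINDOWS")
SYSTEM_DIR = PureWindowsPath(r"C:\WINDOWS\SYSTEM")
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# The description gives "(name)" as a seemingly random 8-character name such as
# 98278AE0.HTA; matching any 8 alphanumeric characters is an assumption.
DROPPED_HTA = re.compile(r"^[0-9A-Z]{8}\.HTA$")


def parse_reg_export(text):
    """Parse the subset of .reg export syntax needed here: [key] headers and
    "name"="string" values (regedit doubles backslashes in exported strings)."""
    values = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="((?:[^"\\]|\\.)*)"', line)
            if m:
                name, raw = m.groups()
                values[(current.lower(), name)] = raw.replace("\\\\", "\\").replace('\\"', '"')
    return values


def find_kak_indicators(present_files, reg_export):
    """Return sorted (indicator, evidence) pairs for the artefacts the description names.
    On a live host the same checks would be fed from a directory walk and a regedit export."""
    findings = []
    startup = {PureWindowsPath(f) for f in STARTUP_FOLDERS}  # PureWindowsPath compares case-insensitively
    for raw in present_files:
        path = PureWindowsPath(raw)
        name = path.name.upper()
        if name == "KAK.HTA" and path.parent in startup:
            findings.append(("KAK.HTA in StartUp folder", raw))
        elif name == "KAK.HTM" and path.parent == WINDOWS_DIR:
            findings.append(("worm HTML body kak.htm in Windows folder", raw))
        elif DROPPED_HTA.match(name) and path.parent == SYSTEM_DIR:
            findings.append(("8-character .HTA dropped in SYSTEM", raw))
        elif name == "AE.KAK":
            findings.append(("AE.KAK backup of AUTOEXEC.BAT", raw))
    for (key, value_name), target in parse_reg_export(reg_export).items():
        if key == RUN_KEY.lower() and value_name.lower() == "cag0u" and target.lower().endswith(".hta"):
            findings.append(("Run value cAg0u launching an HTA", f"{value_name} = {target}"))
    return sorted(findings)


# Constructed snapshot of an affected machine; SomeBenignTool is a made-up Run entry.
SAMPLE_FILES = [
    r"C:\WINDOWS\Start Menu\Programs\StartUp\KAK.HTA",
    r"C:\WINDOWS\kak.htm",
    r"C:\WINDOWS\SYSTEM\98278AE0.HTA",
    r"C:\WINDOWS\SYSTEM\SHELL32.DLL",
    r"C:\AE.KAK",
    r"C:\AUTOEXEC.BAT",
]
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SomeBenignTool"="C:\\TOOLS\\tool.exe"
"cAg0u"="C:\\WINDOWS\\SYSTEM\\98278AE0.hta"
"""

if __name__ == "__main__":
    for indicator, evidence in find_kak_indicators(SAMPLE_FILES, SAMPLE_REG):
        print(f"{indicator}: {evidence}")
```

The checks are deliberately tied to the locations the description gives rather than to file names alone, so a stray kak.htm saved elsewhere by a user is not reported, while the Run value is reported whatever the HTA's name, because the description says the value name cAg0u is the constant part.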



Fri, 11 Apr 2003 03:00:00 GMT  
 