Email-Worm.VBS.KakWorm

Class Email-Worm
Platform VBS
Description

Technical Details

This worm is written in JavaScript and uses MS Outlook Express to spread. It does not attach itself to messages as regular worms do, but embeds its body in the message as a script program.

The worm works on English and French Windows versions only. It also
does not work if Windows is installed in a directory other than
"C:\WINDOWS".

The worm is fully compatible with MS Outlook Express only. In MS Outlook,
the worm is activated and infects the system, but it is not able to spread
itself further, because it targets MS Outlook Express only to spread its
copies. On other e-mail systems, the worm’s functionality depends on that
system’s features.

While infecting the system, the worm creates three additional files containing its
copy. The first two are used to infect the system and the last one is used
to spread the worm's code via infected e-mail:

1. KAK.HTA in Windows startup folder
2. random named .HTA file in Windows system folder
3. KAK.HTM file in Windows folder

The worm has a payload routine. On the 1st of any month after 5:00 pm, it
displays the following message:

Kagou-Anti-Kro$oft says not today !

and then forces Windows to exit.

Spreading

The worm arrives on a computer as an e-mail message in HTML format. The message
body contains a script (a JavaScript program) that is the worm body itself. That
program does not appear on the screen, because script programs in HTML documents
are never displayed. As a result, upon opening an infected message
(or upon previewing it), only the message body is displayed and no worm code is
visible, but the script is automatically executed by the mailer, and the worm
receives control.

The worm infects the system and spreads in three steps.

1. The worm creates its copy as a disk file in a Windows startup (auto-start)
folder.

2. When the worm is run from the Windows startup folder, it moves itself to the
Windows system directory, registers that new copy in the system registry in the
auto-start section and removes the first copy from the Windows startup folder.

3. The worm accesses the MS Outlook Express registry section and registers the worm copy as a default signature there. Outlook Express then will
automatically send the worm’s code via all messages that are sent.

The worm needs these steps because in the first phase it is able to access disk
files only, not the system registry, so it needs to be run from a disk file
(from the "Local Intranet zone") to modify the registry keys. The worm then deletes
its copy from the Windows startup folder to hide itself, because all programs in there
are visible in the Start\Programs\Startup menu.

Spreading: step 1 – being run from an infected message

Upon activation from an infected message, the worm gains access to the computer's
local disk. To bypass the security protection (local disk access is prohibited by
default for scripts in e-mail), the worm uses the security hole known as the "Scriptlet.TypeLib" vulnerability: it instantiates an ActiveX object that is marked as safe for scripting yet has the
ability to write files to the disk. Through that ActiveX object, the worm obtains
write access to the disk.

The worm then creates the KAK.HTA file and writes its own code into it.
That file is placed in the Windows startup directory, and as a result it will
be executed upon the next Windows startup.

Comment:

An HTA file is an HTML Application, a file type that appears after installing
Internet Explorer 5.0. HTA files contain regular HTML text with scripts
inside, but when executed they run as standalone applications, without
the Internet Explorer shell. This makes it possible to write powerful
applications using regular scripts inside HTML.

While creating the KAK.HTA file, the worm does not determine the real path to the
Windows directory and always assumes that Windows is installed in the
"C:\WINDOWS" folder. Therefore, the worm is unable to spread on a system where
Windows has been installed in a directory other than "C:\WINDOWS". The worm tries
two variants of the Windows startup folder in which to place its copy:

MENUDÉ~1\PROGRA~1\DÉMARR~1 (default name in the French Windows version)
STARTM~1\Programs\StartUp (default name in the English Windows version)

In the case that the Windows startup directory has another name (in another Windows
localization), the worm is unable to write its file there and so is not
able to spread further.
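The arrival mechanism described above (a script embedded in the HTML body, executed on open or preview, with a disk write through the Scriptlet.TypeLib control) is something a mail gateway can screen for before the message reaches Outlook Express. The following Python script is an added example written for this page, not code from the original description or from any vendor: it walks the MIME parts of a message, pulls the contents of every script element out of the text/html parts and flags the indicators named above. The sample messages are constructed for the example and carry only the indicator strings, not the worm's code; the indicator names and the block/review/clean verdicts are the example's own choices.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Indicator patterns derived from the description above. The names and
# patterns are this example's own choices, not signatures from any product.
INDICATORS = {
    "activex_object": re.compile(r"ActiveXObject\s*\(", re.I),
    "scriptlet_typelib": re.compile(r"Scriptlet\.TypeLib", re.I),
    "hta_file": re.compile(r"\.hta\b", re.I),
    "startup_folder": re.compile(r"STARTM~1|MENUD.~1|D.MARR~1|\\StartUp\b", re.I),
}


class ScriptCollector(HTMLParser):
    """Collects the text inside every <script> element of an HTML document.

    HTMLParser hands script bodies to handle_data as raw text: exactly the part
    the mail client never renders but still executes.
    """

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def scan_message(raw: bytes) -> dict:
    """Return a report on the scripts found in the HTML parts of one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"html_parts": 0, "scripts": 0, "indicators": set()}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        report["html_parts"] += 1
        collector = ScriptCollector()
        collector.feed(part.get_content())
        collector.close()
        for script in collector.scripts:
            report["scripts"] += 1
            for name, pattern in INDICATORS.items():
                if pattern.search(script):
                    report["indicators"].add(name)
    if report["scripts"] and report["indicators"]:
        report["verdict"] = "block"   # script plus known dropper indicators
    elif report["scripts"]:
        report["verdict"] = "review"  # any script in mail HTML runs on preview
    else:
        report["verdict"] = "clean"
    return report


# Constructed sample (not the worm's code): a multipart/alternative message whose
# HTML part carries a hidden script with the indicator strings only.
SAMPLE_INFECTED = b"""From: sender@example.test
To: victim@example.test
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

hello
--b1
Content-Type: text/html; charset="us-ascii"

<html><body>hello<script language="JavaScript">
var o = new ActiveXObject("Scriptlet.TypeLib");
var target = "C:\\\\WINDOWS\\\\STARTM~1\\\\Programs\\\\StartUp\\\\KAK.HTA";
</script></body></html>
--b1--
"""

# Constructed sample of an ordinary plain-text message.
SAMPLE_CLEAN = b"""From: sender@example.test
To: victim@example.test
Subject: hello
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

hello
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_INFECTED))
    print(scan_message(SAMPLE_CLEAN))
```

The scan works on the raw message text only, so it runs offline and can sit in front of the mail client. The "review" verdict is deliberately conservative: the page's point is that Outlook Express executes any script in an HTML message on preview, so a script without the known indicators is still worth a look.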

Spreading: step 2 – being run from KAK.HTA

Upon the following Windows restart, the “KAK.HTA” file is activated from the Windows
startup directory. The script program inside that file creates the same HTA
file in the Windows system directory. That file has a system-dependent name (like
“9A4ADF27.HTA”). The worm then modifies the system registry to execute that
file upon each Windows startup. If a user changes the default Outlook Express
signature, the script in this file restores the worm's components and
registry settings, i.e., it re-infects the system.

The "KAK.HTA" script then creates the "KAK.HTM" file, which contains only the worm's
code (that HTML page has no text to display, just the pure worm
script). This file is used later to infect messages.

Finally, the script appends to the "C:\AUTOEXEC.BAT" file commands that
delete "KAK.HTA" from the startup directory, because it is no longer needed.

Spreading: step 3 – sending infected messages

The same script ("KAK.HTA") then modifies the system registry. It creates a new
Outlook Express signature that refers to the "KAK.HTM" file and sets this
signature as the default signature in Outlook Express. From that
moment on, each time Outlook Express composes a message, it inserts the infected signature
(the content of the "KAK.HTM" file) into the message.

The worm is able to spread only via HTML messages (which are the MS Outlook
Express default setting). RTF and "Plain text" messages are not
infected and cannot be infected.
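To check a host for the artifacts left behind by steps 2 and 3 (an auto-start registry entry that launches an .HTA file, an Outlook Express file-type signature pointing at an .HTM file and set as the default, and the cleanup line appended to AUTOEXEC.BAT), the following Python script is an added example, not part of the original description. It parses a REGEDIT4-format registry export and an AUTOEXEC.BAT offline, so it runs anywhere. The registry key layout for Outlook Express 5 signatures (HKEY_CURRENT_USER\Identities\{GUID}\Software\Microsoft\Outlook Express\5.0\signatures, with a per-signature subkey holding name, type and file values, and "Default Signature" in the parent) is assumed from the OE 5 format rather than taken from the page; the sample export and AUTOEXEC.BAT are constructed for the example, and the Run value name "SystemHelper" is illustrative.

```python
import re

REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')
# Auto-start keys checked for .HTA launchers (compared case-insensitively).
RUN_KEYS = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runservices",
)


def parse_reg(text):
    """Parse a REGEDIT4-style export into {key: {value_name: value}}.

    Only string and dword values are needed for these checks; any other
    value type is kept as its raw text.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = REG_KEY.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = REG_VALUE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            elif raw.lower().startswith("dword:"):
                value = int(raw[6:], 16)
            else:
                value = raw
            keys[current][name] = value
    return keys


def find_indicators(reg_text, autoexec_text):
    """Return a list of findings for the artifacts described in steps 2 and 3."""
    findings = []
    reg = parse_reg(reg_text)
    for key, values in reg.items():
        lkey = key.lower()
        # Step 2: an auto-start entry that launches an .HTA file.
        if lkey.endswith(RUN_KEYS):
            for name, value in values.items():
                if isinstance(value, str) and re.search(r"\.hta\b", value, re.I):
                    findings.append({"kind": "run_hta", "where": key + "\\" + name, "detail": value})
        # Step 3: an Outlook Express signature of file type (type 2) that points
        # at an .HTM/.HTML file; also report whether it is the default signature.
        if "\\outlook express\\" in lkey and "\\signatures\\" in lkey:
            parent, sig_id = key.rsplit("\\", 1)
            sig_file = values.get("file", "")
            if values.get("type") == 2 and isinstance(sig_file, str) and re.search(r"\.html?$", sig_file, re.I):
                is_default = reg.get(parent, {}).get("Default Signature") == sig_id
                findings.append({"kind": "oe_file_signature", "where": key, "detail": sig_file, "default": is_default})
    # Step 2: the cleanup command the worm appends to AUTOEXEC.BAT.
    for lineno, line in enumerate(autoexec_text.splitlines(), 1):
        if re.search(r"^\s*@?\s*(del|erase)\b.*\.hta\b", line, re.I):
            findings.append({"kind": "autoexec_hta_cleanup", "where": "AUTOEXEC.BAT:%d" % lineno, "detail": line.strip()})
    return findings


# Constructed sample of a registry export from an infected host (the Run value
# name and the identity GUID are illustrative; the OE 5 key layout is assumed).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemHelper"="C:\\WINDOWS\\SYSTEM\\9A4ADF27.HTA"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000001}\Software\Microsoft\Outlook Express\5.0\signatures]
"Default Signature"="00000000"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000001}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"name"="Signature #1"
"type"=dword:00000002
"file"="C:\\WINDOWS\\kak.htm"
"""

# Constructed sample AUTOEXEC.BAT with the appended cleanup line.
SAMPLE_AUTOEXEC = r"""@ECHO OFF
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
@del C:\WINDOWS\STARTM~1\Programs\StartUp\KAK.HTA
"""

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_REG, SAMPLE_AUTOEXEC):
        print(finding)
```

The checks key on the file types the worm relies on (.HTA launched from an auto-start key, an .HTM file used as a signature) rather than on the specific random file name, which differs per system as described above.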

Protecting

The problem is that regular anti-virus scanning with on-demand scanners
does not provide protection against this kind of worm. Each time an infected
message is opened in Outlook Express, the worm appears again. Moreover, if
Outlook Express is configured to show a preview pane, it is enough just to select
the infected message in the list for the worm to be activated.

1. To protect yourself, it is possible to use on-access scanners to catch the
worm at the moment it writes itself to the disk. But on-access scanners are
unable to prevent the worm's activation, because scripts in HTML e-mail messages
are executed directly in memory, without being stored in and run from a
disk file.

The best course of action is to use anti-virus utilities that check script programs just
before they are executed (see “AVP Script Checker”). Such programs may
prevent the worm’s activation and system infection.

2. To write its own file to the disk, the worm uses an Internet Explorer 5.0
security hole. Microsoft has released an update that eliminates the
"Scriptlet.Typelib" security vulnerability. We strongly recommend that you visit
http://support.microsoft.com/support/kb/articles/Q240/3/08.ASP
and install this update.

3. If you do not plan to use HTML Applications (HTA files) at work, there is another way to prevent infection by viruses of this type
(worms and viruses that use HTA files to spread): remove
the file association for the .HTA extension. To do this, follow these
steps:

1. Double click the “My Computer” icon on your desktop.
2. From the window that appears, choose the menu "View" -> "Options…".
3. In the “File Types” tab in the “Registered file types” listbox, select the
“HTML Application” item.
4. Click the “Remove” button and confirm the action.
5. Close the options dialog box.