Class: Email-Worm
Platform: VBS

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website). In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:
  • using a direct connection to a SMTP server using the email directory built into the worm’s code
  • using MS Outlook services
  • using Windows MAPI functions

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.

Platform: VBS

Visual Basic Scripting Edition (VBScript) is a scripting language interpreted by Windows Script Host. VBScript is widely used to create scripts on Microsoft Windows operating systems.

Description

Technical Details

This worm is written in JavaScript and uses MS Outlook Express to spread. The worm does not attach itself to messages as regular worms do, but embeds its body in a message as a script program.

The worm works on English and French Windows versions only. It also does not work if Windows is installed in a directory other than "C:\WINDOWS".

The worm is fully compatible with MS Outlook Express only. In MS Outlook, the worm is activated and infects the system, but it is not able to spread itself further, because it targets MS Outlook Express only to spread its copies. On other e-mail systems, the worm's functionality depends on that system's features.

While infecting the system, the worm creates three additional files containing its copy. The first two are used to infect the system, and the last one is used to spread the worm's code via infected e-mail:

1. KAK.HTA in the Windows startup folder
2. A randomly named .HTA file in the Windows system folder
3. KAK.HTM in the Windows folder

The worm has a payload routine. On the 1st of any month, after 5:00 pm, it displays the following message:

Kagou-Anti-Kro$oft says not today !

forcing Windows to exit after that.

Spreading

The worm arrives on a computer as an e-mail message in HTML format. The message body contains a script (a JavaScript program) that is the worm body itself. That program does not appear on the screen, because script programs in HTML documents are never displayed. As a result, upon opening an infected message (or upon previewing it), only the message body is displayed and no worm code is visible, but the script is automatically executed by the mailer, and the worm receives control.
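Because the script is invisible to the reader and may also be transfer-encoded on the wire, a mail filter has to decode each HTML part and parse it rather than search the raw message. The following is an added example, not part of the original description: the verdict names, function names and sample bodies are assumptions, and the samples are constructed with inert placeholder scripts.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Constructed sample bodies; the scripts are inert placeholders, not worm code.
BENIGN = "<html><body><p>Hello</p></body></html>"
SCRIPTED = "<html><body><p>Hello</p><script>var x = 1;</script></body></html>"
TYPELIB = '<html><body><SCRIPT>var progid = "Scriptlet.TypeLib";</SCRIPT></body></html>'

class ScriptFinder(HTMLParser):
    """Collects the text of every <script> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # the parser lower-cases tag names
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def constructed_message(html: str) -> bytes:
    """Build a test message whose HTML part is base64-encoded on the wire."""
    msg = EmailMessage()
    msg.set_content("plain text alternative")
    msg.add_alternative(html, subtype="html", cte="base64")
    return msg.as_bytes()

def inspect_message(raw: bytes) -> str:
    """Return 'block', 'strip-script' or 'pass' for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdict = "pass"
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = ScriptFinder()
        finder.feed(part.get_content())  # decodes base64 / quoted-printable first
        finder.close()
        if any("scriptlet.typelib" in s.lower() for s in finder.scripts):
            return "block"  # script names the control tied to the TypeLib hole
        if finder.scripts:
            verdict = "strip-script"  # mail bodies have no need for script
    return verdict

if __name__ == "__main__":
    print([inspect_message(constructed_message(h)) for h in (BENIGN, SCRIPTED, TYPELIB)])
```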

The worm infects the system and spreads in three steps.

1. The worm creates its copy as a disk file in a Windows startup (auto-start) folder.

2. When the worm is run from the Windows startup folder, it moves itself to the Windows system directory, registers that new copy in the system registry in the auto-start section and removes the first copy from the Windows startup folder.

3. The worm accesses the MS Outlook Express registry section and registers the worm copy as the default signature there. Outlook Express will then automatically include the worm's code in every message that is sent.

The worm needs these steps because, in the first phase, it is able to access disk files only, not the system registry, so it needs to be run from a disk file (from the "Local Intranet zone") to modify the registry keys. The worm then deletes its copy from the Windows startup folder to hide itself, because all programs there are visible in the Start\Programs\Startup menu.

Spreading: step 1 - being run from an infected message

Upon activation from an infected message, the worm gains access to the computer's local disk. To get around the security protection (local disk access is prohibited by default), the worm uses a security breach named the "TypeLib Security Vulnerability." The worm creates an ActiveX object that is marked as safe for scripting yet is able to write files to the disk. By using that ActiveX object, the worm obtains write access to the disk.

The worm then creates the KAK.HTA file and writes its own code into it. That file is placed in the Windows startup directory, and as a result, it will be executed upon the next Windows startup.

Comment:

An HTA file is an HTML Application - a file type that appears after installing
Internet Explorer 5.0. HTA files contain regular HTML text with scripts
inside, but upon being executed, an HTA file runs as a standalone application,
without the Internet Explorer shell. This makes it possible to write powerful
applications using regular scripts inside HTML.

While creating the KAK.HTA file, the worm does not determine the real path to the Windows directory and always assumes that Windows is installed in the "C:\WINDOWS" folder. Therefore, the worm is unable to spread on a system where Windows has been installed in a directory other than "C:\WINDOWS". The worm tries two variations of the Windows startup folder in which to place its copy:

MENUDÉ~1\PROGRA~1\DÉMARR~1 (default name in French Windows version)
STARTM~1\Programs\StartUp (default name in English Windows version)

In the case that the Windows startup directory has another name (in another Windows localization), the worm is unable to write its file there and so is not able to spread further.

Spreading: step 2 - being run from KAK.HTA

Upon the following Windows restart, the "KAK.HTA" file is activated from the Windows startup directory. The script program inside that file creates the same HTA file in the Windows system directory. That file has a system-dependent name (like "9A4ADF27.HTA"). The worm then modifies the system registry to execute that file upon each Windows startup. In case a user changes the default Outlook Express signature, the script in this file will restore the worm's components and registry settings; i.e., it will re-infect the system.

The "KAK.HTA" script then creates the "KAK.HTM" file that contains only the worm's code inside (that HTML page doesn't have any text to display other than just the pure worm script). This file is used later to infect messages.

Finally, the script appends to the "C:\AUTOEXEC.BAT" file commands that delete "KAK.HTA" from the startup directory, because that file is no longer needed.

Spreading: step 3 - sending infected messages

The same script ("KAK.HTA") then modifies the system registry. It creates a new Outlook Express signature that refers to the "KAK.HTM" file and sets this signature as the default signature in Outlook Express. Starting from that moment, each time Outlook Express composes a message, it will insert the infected signature into the message (the content of the "KAK.HTM" file).

The worm is able to spread only via HTML messages (these are the MS Outlook Express default settings). RTF and "Plain text" messages are not infected and cannot be infected.
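The file artifacts left by the three steps above can be checked on a mounted copy of the C: volume. The following is an added example, not part of the original description: the function names, the SYSTEM folder name and the eight-hex-digit name pattern (generalized from the "9A4ADF27.HTA" example) are assumptions, the registry side is not covered, and the sample tree is constructed from empty placeholder files.

```python
import re
import tempfile
from pathlib import Path

# Startup-folder short names listed on this page (English, French), under C:\WINDOWS.
STARTUP_DIRS = ("STARTM~1/Programs/StartUp", "MENUDÉ~1/PROGRA~1/DÉMARR~1")
# Assumption: the "system-dependent" name is 8 hex digits, like the page's 9A4ADF27.HTA.
HEX_HTA = re.compile(r"[0-9A-F]{8}\.HTA", re.IGNORECASE)

def resolve_ci(root: Path, rel: str):
    """Resolve rel under root ignoring case (the image may be mounted case-sensitively)."""
    cur = root
    for part in rel.split("/"):
        kids = cur.iterdir() if cur.is_dir() else ()
        cur = next((p for p in kids if p.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur

def triage(root: Path) -> list:
    """Return the worm's file artifacts found on a mounted C: volume at root."""
    found = []
    for sd in STARTUP_DIRS:
        if resolve_ci(root, f"WINDOWS/{sd}/KAK.HTA"):
            found.append("KAK.HTA in startup folder (step 1 done, step 2 pending)")
    if resolve_ci(root, "WINDOWS/KAK.HTM"):
        found.append("KAK.HTM in Windows folder (signature payload)")
    system = resolve_ci(root, "WINDOWS/SYSTEM")  # assumption: Win9x system folder
    if system and system.is_dir():
        for p in sorted(system.iterdir()):
            if HEX_HTA.fullmatch(p.name):
                found.append(f"hex-named HTA in system folder: {p.name}")
    autoexec = resolve_ci(root, "AUTOEXEC.BAT")
    if autoexec and "kak.hta" in autoexec.read_text(errors="replace").lower():
        found.append("AUTOEXEC.BAT references KAK.HTA (cleanup command)")
    return found

def constructed_volume() -> Path:
    """Build a constructed sample tree with empty placeholder files (no worm code)."""
    root = Path(tempfile.mkdtemp())
    for rel in ("WINDOWS/STARTM~1/Programs/StartUp/KAK.HTA", "WINDOWS/kak.htm",
                "WINDOWS/SYSTEM/9A4ADF27.HTA", "WINDOWS/SYSTEM/NOTEPAD.HTA"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).touch()
    (root / "AUTOEXEC.BAT").write_text("@ECHO OFF\r\nREM constructed: mentions kak.hta\r\n")
    return root

if __name__ == "__main__":
    print("\n".join(triage(constructed_volume())))
```

A hex-named HTA hit is a lead to review rather than proof, since the pattern is inferred from a single example name.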

Protecting

The problem is that regular anti-virus scanning using on-demand scanners does not provide protection against this kind of worm. Each time an infected message is opened in Outlook, the worm will appear again. Moreover, if Outlook Express is configured to show a preview pane, it is enough just to select the infected message from the list for the worm to be activated.

1. In order to protect yourself, it is possible to use on-access scanners to catch the worm at the moment it writes itself on the disk. But on-access scanners are unable to prevent the worm's activation, because scripts in e-mail HTML messages are executed directly in the system memory, not being stored and run from a disk file.

The best course of action is to use anti-virus utilities that check script programs just before they are executed (see "AVP Script Checker"). Such programs may prevent the worm's activation and system infection.

2. To write its own file to the disk, the worm uses an Internet Explorer 5.0 security breach. Microsoft has released an update that eliminates the "Scriptlet.Typelib" security vulnerability. We strongly recommend you visit http://support.microsoft.com/support/kb/articles/Q240/3/08.ASP and install this update.

3. If you do not plan on using any HTML applications (HTA-files) at work, there is another way to prevent infection by viruses of this type (the worms and viruses that use HTA files to spread). It is necessary to remove the file association for the .HTA extension. To do this, you have to follow several steps:

1. Double click the "My Computer" icon on your desktop.
2. From the window that appears, choose menu "View" -> "Options...".
3. In the "File Types" tab in the "Registered file types" listbox, select the "HTML Application" item.
4. Click the "Remove" button and confirm the action.
5. Close the options dialog box.
