McAfee AVERT - A Division of NAI
JS/Kak@M
Overview
The JS/Kak@M virus has been a common infector for many months.
Most anti-virus products are able to detect and remove this virus.
Technical support departments still receive many calls from users who are
having problems with this unwelcome visitor.
General Description of the virus
AVERT received a copy of the virus on October 22, 1999. It originated from New Caledonia. The virus contains the string 'Cag0u' and displays the message 'Kagou-Anti-Kro$oft says not today!'.

Kagu, n. (Zoöl.) A singular, crested, grallatorial bird (Rhinochetos jubatus), native of New Caledonia. It is gray above, paler beneath, and the feathers of the wings and tail are handsomely barred with brown, black, and gray. It is allied to the sun bittern.
Source: Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.
JS/Kak@M is a virus that spreads via email. This type of virus is also referred to as a 'worm'.
The virus code is a simple script, which can be found encapsulated inside HTML formatted messages. If you receive an infected message (in HTML format) and your system has no virus protection in place, one of two events will take place.
1) If you have Internet Explorer 5 with Windows Scripting Host installed and your mail system is Outlook Express 5, the virus will install itself on your machine and all your outgoing HTML messages will contain a copy of the virus.
2) If you do not have the Windows Scripting Host installed or your mail system is not Outlook Express 5, then your outgoing messages will remain clean. However, if you reply to, forward, or redirect an infected message in HTML format and include the original message, you will pass the virus along to other recipients.
JS/Kak@M does not use an attachment to spread: the script is encapsulated inside the mail message itself, so an infected message may look completely innocent. Under Outlook Express 5 with the Preview Pane enabled, the virus can infect without the message even being "opened"; simply highlighting the message subject, so that the message is rendered in the preview pane, is enough for the virus to infect your machine.
Despite the high level of security options available in the configuration of Internet Explorer 5, the virus uses a security hole which allows it to execute itself silently. Microsoft calls this flaw the "Scriptlet.typelib/Eyedog" vulnerability (MS99-032) and offers a patch to stop it.
Details about the security hole:
http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
Download of US and localized versions:
http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm
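As an added example (not part of the AVERT write-up, and not code from the worm), the following Python script shows two of the points above in working form: the infectious script travels inside a text/html body rather than as an attachment, so a mail check has to look at the inline <script> blocks of every HTML part; and forwarding a message in plain text, as this page recommends further down, leaves the script behind. The two sample messages are constructed for the example. The marker strings it looks for are the ones this write-up names ('Cag0u', the 'Kagou-Anti-Kro$oft' message, the kak.htm and kak.hta file names) plus the name of the component patched by MS99-032, used as a heuristic rather than as a signature. The function names are my own.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Marker strings taken from the write-up (matched case-insensitively).
# "scriptlet.typelib" is the component named in MS99-032 and is only a
# heuristic: a page that mentions it is not necessarily infected.
KAK_INDICATORS = (
    "cag0u",
    "kagou-anti-kro$oft",
    "kak.hta",
    "kak.htm",
    "scriptlet.typelib",
)

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def html_parts(msg):
    """Yield the decoded body of every text/html part, attachment or not."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def inspect_message(raw):
    """Return one sorted list of indicator hits per inline <script> block
    that contains any of them; an empty list means nothing was found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for body in html_parts(msg):
        for script in SCRIPT_RE.findall(body):
            lowered = script.lower()
            hits = sorted(ind for ind in KAK_INDICATORS if ind in lowered)
            if hits:
                findings.append(hits)
    return findings


def html_to_text(html):
    """Reduce HTML to text. Script blocks are removed before tags are
    stripped; stripping tags alone would leave the script source behind."""
    text = TAG_RE.sub(" ", SCRIPT_RE.sub("", html))
    return re.sub(r"[ \t]+", " ", text).strip()


def forward_as_plain_text(raw):
    """Build the plain-text forward the write-up recommends. The text/plain
    alternative is used when present; otherwise the HTML is flattened."""
    msg = email.message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        body = plain.get_content()
    else:
        html = msg.get_body(preferencelist=("html",))
        body = html_to_text(html.get_content()) if html is not None else ""
    fwd = EmailMessage()
    fwd["Subject"] = "Fw: " + str(msg["Subject"] or "")
    fwd.set_content(body)          # text/plain only, no HTML part at all
    return fwd.as_string()


# Constructed sample: a harmless message whose HTML part carries a script
# block with the marker strings, standing in for a message with kak.htm
# appended as the signature.
SAMPLE_ALTERNATIVE = """\
From: sender@example.test
To: you@example.test
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hi, see you on the 1st.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hi, see you on the 1st.</p>
<script language="JavaScript">
// constructed stand-in for the appended signature file kak.htm, not worm code
var tag = "Cag0u";
var say = "Kagou-Anti-Kro$oft says not today!";
</script>
</body></html>
--b1--
"""

# Same idea with no text/plain alternative, so the forward has to be
# flattened from the HTML itself.
SAMPLE_HTML_ONLY = """\
From: sender@example.test
To: you@example.test
Subject: hello again
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hi, see you on the 1st.</p>
<script language="JavaScript">var tag = "Cag0u";</script>
</body></html>
"""

if __name__ == "__main__":
    for raw in (SAMPLE_ALTERNATIVE, SAMPLE_HTML_ONLY):
        print("original:", inspect_message(raw))
        print("forward :", inspect_message(forward_as_plain_text(raw)))
```

Running the script reports hits for both samples as received and none for their plain-text forwards. The point of html_to_text is the order of operations: a naive "strip the tags" conversion would keep the text between the script tags, which is exactly the part that matters.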
On the first activation (preview pane or opening of an email) the virus first creates a 4,116 byte file:
(English Windows)
"C:\WINDOWS\Start Menu\Programs\Startup\kak.hta"
(French Windows)
"C:\WINDOWS\Menu Démarrer\Programmes\Démarrage\kak.hta"
Because it sits in the Startup folder, this file is executed automatically at the next reboot. On that reboot, when KAK.HTA runs, the virus creates a hidden file "C:\WINDOWS\kak.htm" (3,939 bytes) which contains the full viral code and which will be re-integrated into outgoing email messages. The registry is modified so that this file becomes the default Outlook Express signature:
HKEY_CURRENT_USER\Identities\{...}\Software\Microsoft\Outlook Express\5.0\signatures\
Default Signature = "00000000"
HKEY_USERS\.DEFAULT\Identities\{...}\Software\Microsoft\Outlook Express\5.0\signatures\
Default Signature = "00000000"
The signature key "00000000" itself holds the following values:
(Name) = (Data)
file = "C:\WINDOWS\kak.htm"
name = "Signature #1"
text = (empty)
type = 0x00000002 (2)
This modification can easily be seen under Outlook Express via the 'Tools/Options...' menu, under 'Signatures': through 'Signature #1' you will note that the file "C:\WINDOWS\kak.htm" is chosen as the default signature for most of your outgoing messages.
The 4,116 byte file KAK.HTA is also copied to "C:\WINDOWS\SYSTEM" under the name "ID number.hta" (e.g. "7EDAEA80.hta"). The number is the first eight hexadecimal digits of your 'Default User ID', found in the registry under the key "HKEY_CURRENT_USER\Identities", whose values look like this:
(Name) = (Data)
Default User ID = "{7EDAEA80-CEEC-912A-A15DFDA59179}"
Last User ID = "{7EDAEA80-CEEC-912A-A15DFDA59179}"
Last Username = "Main Identity"
The registry is also modified so that the "ID number.hta" file is executed automatically at every Windows start:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
cAg0u = "C:\WINDOWS\SYSTEM\IDNxxxxx.hta"
Here is an example of a typical "Run" key on an infected machine:
(Name) = (Data)
cAg0u = "C:\WINDOWS\SYSTEM\7EDAEA80.hta"
IrMon = "IrMon.exe"
LoadPowerProfile = "RunDLL32.exe powprof.dll,LoadCurrentPwrScheme"
SystemTray = "SysTray.exe"
ScanRegistry = "C:\WINDOWS\Scanregw.exe /autorun"
TaskMonitor = "C:\WINDOWS\taskmon.exe"
The character "0" in "cAg0u" is the digit zero, not the letter O. "IDNxxxxx" represents the number described above.
This Run entry re-activates the virus at every start-up, so the infection survives a partial clean-up that removed only the Startup-folder copy of kak.hta.
JS/Kak@M also modifies the AUTOEXEC.BAT file by adding the lines:
(English)
@echo off>c:\windows\STARTM~1\Programs\Startup\kak.hta
del c:\windows\STARTM~1\Programs\Startup\kak.hta
(French)
@echo off>C:\Windows\MENUDÉ~1\PROGRA~1\DÉMARR~1\kak.hta
del C:\Windows\MENUDÉ~1\PROGRA~1\DÉMARR~1\kak.hta
The first line truncates the Startup-folder copy of kak.hta to an empty file (the redirected "echo off" produces no output) and the second deletes it, removing all traces of the initial infection. The original AUTOEXEC.BAT file is backed up to C:\AE.KAK before the modification.
More info:
JS/Kak@M displays a dialog box titled "Driver Memory Error" on the first day of every month at 6 pm. Clicking <OK> halts the machine.
Removal
JS/Kak@M has been detected and removed by most anti-virus products for many months.
Network Associates products need an engine version of 4.0.50 or newer to handle this virus. If you are using an engine older than 4.0.70, an upgrade is strongly recommended, as an old engine may not identify and remove certain viruses even with a current set of DAT files. Engines, as well as DAT files, need to be updated to pick up the regular changes and improvements made to the scanner.
Configuration parameters also need to be checked: files with extensions matching HT? (HTA as well as HTM) must be scanned by default, since the dropped files are kak.hta and kak.htm.
Below are step-by-step instructions for the manual removal of JS/Kak@M.
1) Start the machine in step-by-step confirmation mode:
- Turn the PC on.
- When the message "Starting Windows 98" is displayed, press the F8 key.
- A menu comes up; select "Step-by-step confirmation".
2) You are then asked to confirm each line of your start-up files before it is executed. Under Windows 98 the sequence looks like this:
- Process the system registry [Enter=Y, Esc=N]? Y (answer YES)
- Create a startup log file (BOOTLOG.TXT) [Enter=Y, Esc=N]? Y
- Process your startup device drivers (CONFIG.SYS) [Enter=Y, Esc=N]? Y
- Carry on by answering YES to each CONFIG.SYS line.
- Process your startup command file (AUTOEXEC.BAT) [Enter=Y, Esc=N]? Y
- Proceed by answering YES to each AUTOEXEC.BAT line until you reach:
@echo off>c:\windows\STARTM~1\Programs\Startup\kak.hta [Enter=Y, Esc=N]? N
- Answer NO to this line and to the following one:
del c:\windows\STARTM~1\Programs\Startup\kak.hta [Enter=Y, Esc=N]? N
- Windows then loads. Answer YES to the line:
WIN [Enter=Y, Esc=N]? Y
- Load all Windows drivers [Enter=Y, Esc=N]? Y
Proceed by answering YES until Windows has been fully loaded. If the two "...kak.hta" lines above do not appear, continue with the directions anyway: the virus may only be at its installation phase (kak.hta created in the Startup folder but not yet run), and your machine can still contain the virus.
3) Under Windows, start Windows Explorer and, if found, remove:
- C:\ae.kak
- C:\windows\kak.htm
- C:\windows\Start Menu\Programs\StartUp\kak.hta (French Windows: C:\windows\Menu Démarrer\Programmes\Démarrage\kak.hta)
- C:\windows\system\IDNxxxxx.hta
kak.htm is created with the hidden attribute, so Explorer must be set to show hidden files ("View / Folder Options... / View / Show all files") for it to appear.
"IDNxxxxx" represents the string of characters described in the previous paragraph (the first eight hexadecimal digits of the Default User ID). Note this value carefully; it is needed again in step 5.
4) Edit your AUTOEXEC.BAT file:
- Click "Start / Run..."
- Type "sysedit.exe" in the Run dialog box.
- Choose <OK>.
In the AUTOEXEC.BAT window, select and remove the following lines:
(English)
@echo off>c:\windows\STARTM~1\Programs\Startup\kak.hta
del c:\windows\STARTM~1\Programs\Startup\kak.hta
(French)
@echo off>C:\Windows\MENUDÉ~1\PROGRA~1\DÉMARR~1\kak.hta
del C:\Windows\MENUDÉ~1\PROGRA~1\DÉMARR~1\kak.hta
Save your changes and exit the program.
5) Start the Registry Editor:
- Click "Start / Run..."
- Type "regedit.exe" in the Run dialog box.
- Choose <OK>.
In the left-hand pane, under "HKEY_LOCAL_MACHINE", open the key "\Software\Microsoft\Windows\CurrentVersion\" (use the '+' and '-' icons to expand and collapse the tree). Then:
- Click on "Run".
- In the right-hand pane, select the value named "cAg0u" (its "Data" field contains "C:\WINDOWS\SYSTEM\IDNxxxxx.hta"). The "IDNxxxxx" part must be identical to the name you wrote down earlier.
- Right-click on "cAg0u", select 'Delete' and confirm your choice.

6) Still in the Registry Editor, open the tree "HKEY_CURRENT_USER\Identities\":
- Through the alphanumeric key described previously (e.g. {7EDAEA80-CEEC-912A-A15DFDA59179}), go down to the level "\Software\Microsoft\Outlook Express\5.0\signatures".
- Right-click the key "00000000", select 'Delete' and confirm your choice.
- In the right-hand pane, click on the value "Default Signature" (its "Data" field contains the value "00000000").
- Right-click it, select 'Delete' and confirm your choice.
- Go back up to the key "\Software\Microsoft\Outlook Express\5.0".
- In the right-hand pane, click on the value "Signature Flags" (its "Data" field contains the value "0x00000003 (3)").
- Right-click it, select 'Delete' and confirm your choice.
- Leave the Registry Editor (via "Registry/Exit").
7) Turn the machine off and then back on. The virus has been removed.
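The installation chain described earlier on this page (kak.hta in the Startup folder, the "ID number.hta" copy under SYSTEM, the cAg0u Run value, the Outlook Express signature keys and the two AUTOEXEC.BAT lines) and removal steps 3 to 6 are two views of the same set of artifacts. The Python below is an added example, not an AVERT tool and not something the page itself provides: it audits a constructed snapshot of those locations, derives the expected .hta name from the Default User ID exactly as the page describes, and orders what it finds the way the removal steps do. The snapshot contents, the dictionary layout and the function names are assumptions made for the example; on a real Windows 98 machine the equivalent inputs would come from REGEDIT exports, DIR listings and the AUTOEXEC.BAT file.

```python
import re

# Constructed snapshot of the locations the write-up names, as they would
# look after KAK.HTA has run once. Nothing here was taken from a real system.
SNAPSHOT = {
    # HKEY_CURRENT_USER\Identities
    "identities": {
        "Default User ID": "{7EDAEA80-CEEC-912A-A15DFDA59179}",
        "Last User ID": "{7EDAEA80-CEEC-912A-A15DFDA59179}",
        "Last Username": "Main Identity",
    },
    # HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "run": {
        "cAg0u": r"C:\WINDOWS\SYSTEM\7EDAEA80.hta",
        "ScanRegistry": r"C:\WINDOWS\Scanregw.exe /autorun",
        "SystemTray": "SysTray.exe",
    },
    # HKEY_CURRENT_USER\Identities\{...}\Software\Microsoft\Outlook Express\5.0\signatures
    "signatures": {
        "Default Signature": "00000000",
        "00000000": {"file": r"C:\WINDOWS\kak.htm", "name": "Signature #1", "type": 2},
    },
    "files": {r"C:\AE.KAK", r"C:\WINDOWS\kak.htm", r"C:\WINDOWS\SYSTEM\7EDAEA80.hta"},
    "autoexec": (
        "@echo off\r\n"
        "PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
        "@echo off>c:\\windows\\STARTM~1\\Programs\\Startup\\kak.hta\r\n"
        "del c:\\windows\\STARTM~1\\Programs\\Startup\\kak.hta\r\n"
    ),
}

HEX8 = re.compile(r"[0-9A-Fa-f]{8}")
# The two lines the worm appends to AUTOEXEC.BAT, English or French path.
KAK_AUTOEXEC = re.compile(r"^(?:@echo off>|del )\S*kak\.hta$", re.I)
# The Run value name: the write-up stresses the 0 is a digit, but the
# letter-O spelling is accepted too so a differently typed entry is not missed.
RUN_NAMES = {"cag0u", "cagou"}


def hta_name_from_identity(user_id):
    """First eight hex digits of the Default User ID plus '.hta': the name
    KAK.HTA is copied to under C:\\WINDOWS\\SYSTEM."""
    m = HEX8.search(user_id)
    if m is None:
        raise ValueError("no eight-hex-digit prefix in %r" % user_id)
    return m.group(0).upper() + ".hta"


def kak_autoexec_lines(text):
    """The worm's lines, as they appear in AUTOEXEC.BAT."""
    return [ln.strip() for ln in text.splitlines() if KAK_AUTOEXEC.match(ln.strip())]


def clean_autoexec(text):
    """AUTOEXEC.BAT with the worm's two lines removed (removal step 4)."""
    kept = [ln for ln in text.splitlines() if not KAK_AUTOEXEC.match(ln.strip())]
    return "\r\n".join(kept) + "\r\n"


def audit(snap):
    """Return (kind, name, data) triples for every artifact found."""
    expected = hta_name_from_identity(snap["identities"]["Default User ID"]).lower()
    found = []
    for name, data in snap["run"].items():
        if name.lower() in RUN_NAMES or data.lower().endswith(expected):
            found.append(("run_value", name, data))
    sigs = snap["signatures"]
    for key, val in sigs.items():
        if isinstance(val, dict) and val.get("file", "").lower().endswith("kak.htm"):
            found.append(("signature_key", key, val["file"]))
            if sigs.get("Default Signature") == key:
                found.append(("default_signature", "Default Signature", key))
    for path in sorted(snap["files"]):
        if path.lower().endswith(("kak.htm", "kak.hta", "ae.kak", expected)):
            found.append(("file", path, ""))
    for line in kak_autoexec_lines(snap["autoexec"]):
        found.append(("autoexec_line", line, ""))
    return found


# Which manual removal step each kind of artifact belongs to.
STEP = {"file": 3, "autoexec_line": 4, "run_value": 5,
        "signature_key": 6, "default_signature": 6}


def cleanup_plan(found):
    """The findings in the order of manual removal steps 3 to 6."""
    return [(STEP[kind], kind, name, data) for kind, name, data in
            sorted(found, key=lambda f: STEP[f[0]])]


if __name__ == "__main__":
    for step, kind, name, data in cleanup_plan(audit(SNAPSHOT)):
        print("step %d  %-17s %s %s" % (step, kind, name, data))
```

Two details worth keeping from the audit: the .hta name is derived from the identity GUID rather than guessed, so a Run value pointing at some other 8-hex-digit .hta under SYSTEM is caught even if its name is not cAg0u; and C:\AE.KAK is listed for deletion because the page does, but since it is the pre-infection AUTOEXEC.BAT it is worth comparing with the output of clean_autoexec before it goes.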
Comments on the registry
The registry is an essential element of your PC. The slightest corruption can be a disaster and can cause irreversible data loss from your disk. If you are not an expert, it is recommended that you make a backup before making any modifications.
This backup can be done by copying the files "C:\WINDOWS\System.dat" and "C:\WINDOWS\User.dat" (both hidden, read-only system files) into a newly created folder.
Complementary protection
An anti-virus program may not alert as soon as you receive an infected email. The alert may come too late, as the file "kak.hta" is being created, or your scanner may not be configured appropriately (the "HT?" extensions must be included when scanning).
To make anti-virus protection more effective you must also protect the gateway, which is rarely an option for end users. The best option for an end user is to apply the Microsoft patch: http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm
Setting the security level to 'High' in Internet Explorer isn't necessarily enough to protect you. It is advised (for expert users) to create a custom level starting from the 'Medium' security level, via "Tools / Internet Options... / Security / Custom Level...", with the following settings:
(English Windows)
- ActiveX controls and plug-ins
  - Download signed ActiveX controls ==> Prompt
  - Download unsigned ActiveX controls ==> Prompt
  - Initialize and script ActiveX controls not marked as safe ==> Disable
  - Run ActiveX controls and plug-ins ==> Prompt
  - Script ActiveX controls marked safe for scripting ==> Prompt
- Scripting
  - Active scripting ==> Prompt
(French Windows: the same settings, listed here in the order of the French version of this page)
- ActiveX controls and plug-ins
  - Script ActiveX controls marked safe for scripting ==> Prompt
  - Initialize and script ActiveX controls not marked as safe ==> Disable
  - Run ActiveX controls and plug-ins ==> Prompt
  - Download unsigned ActiveX controls ==> Prompt
  - Download signed ActiveX controls ==> Prompt
- Scripting
  - Active scripting ==> Prompt
If such a virus is present after these parameters have been applied, various dialog boxes will appear on reading, or on previewing, mail under Outlook or Outlook Express. NO should be selected when prompted. In addition, messages which trigger this prompt should be handled with care when forwarding, replying to, or redirecting them: they should be sent in PLAIN TEXT format. If you do not, you will pass on the virus (without infecting your local machine).
The above parameters will trigger two successive messages. First:
Internet Explorer
Do you want to allow software such as ActiveX controls and plug-ins to run?
You must answer "NO" to this question. This choice prompts the second message:
Microsoft Internet Explorer
An ActiveX control is not safe
Your current security settings prohibit running unsafe controls on this page. As a result, this page may not be displayed as intended.
With the Microsoft patch installed you go directly to the second message, so the possible mistake of answering "YES" to the first question is avoided.
Sending and receiving HTML format messages is a real danger. Neither Outlook nor Outlook Express can be configured to convert incoming messages automatically to text format. You can however send mail in the format of your choice.
In Outlook, in the "Tools/Options..." menu, you should be able to choose the "Mail Format". You can then eliminate HTML by choosing "Microsoft Outlook Rich Text" or "Plain Text". Under Outlook the preview pane is switched on and off from the "View" menu ("Preview Pane").
In Outlook Express, in the "Tools/Options..." menu, choose the "Send" tab. You can then eliminate HTML by choosing "Plain Text" as the mail sending format. In Outlook Express the preview pane is enabled or disabled via "View / Layout..." ("Show preview pane").