 _________ SWAT MAGAZINE ISSUE THIRTY ONE JULY 2000 __________
/         \___________________________________________/        \
/                  WScript.Kakworm Source Code                  \
/                    Presented by EXE-Gency                     \
-----------------------------------------------------------------------

                  +---- --- -- - - -- --- ------+
        - - - - - | WScript.Kakworm Source Code | - - - - -
        - - - - - | Presented (not coded) by    | - - - - -
        - - - - - | EXE-Gency                   | - - - - -
        - - - - - | (exegency@hotmail.com)      | - - - - -
                  +---- --- -- - - -- --- ------+

In SWAT magazine #30, XCESSwaste wrote a short article detailing computer
viruses which can be embedded as scripts (usually JavaScript or Visual
Basic Script (VBS)) in HTML files. These HTML files can then be emailed
to users or posted to newsgroups and, on opening, will result in execution
of the virus. An example of this kind of virus was detailed as 'The Bubble
Boy Virus' in XCESSwaste's article, but I was unable to find the source
code to this virus in my collection. (Apparently the virus (or worm, as it
should technically be referred to) was written by Zulu (www.coderz.net/zulu)
who has written a number of interesting non-ASM viruses.)

Although I was unable to find 'Bubble Boy' in my collection, I was able to
find the Kakworm, which works in an extremely similar way to the Bubble Boy
worm. I was going to write a short introduction about the worm, detailing
how it works and what it does, but then I figured I could simply copy and
paste the specifications from various Anti-Virus websites.

PLEASE NOTE: I did not write this virus and I have no idea who did. I hope
the original author does not mind having his source code republished, as
there have been a number of posts to pro-virus newsgroups (such as
alt.comp.virus.source.code) with requests for the source code.

Once again you should go to the Microsoft website:

  http://www.microsoft.com/Security/Bulletins/ms99-032.asp

and download the patch which will prevent infection from Kakworm, Bubble
Boy and similar viruses/worms.
-----[Sophos description]----------------------------------------------------
-----[ http://www.sophos.com/virusinfo/analyses/vbskakworm.html ]------------

Name:       VBS/Kakworm
Aliases:    Wscript.Kak.A
Type:       Visual Basic Script worm
Detection:  Detected by Sophos Anti-Virus.

Comments:

VBS/Kakworm is a worm that exploits security vulnerabilities in Microsoft
Internet Explorer and Microsoft Outlook in a way similar to VBS/BubbleBoy-A.
Microsoft have released a patch to deal with this security problem which we
strongly recommend users install. For further information and to download
the patch please view Microsoft Security Bulletin (MS99-032). Users of
non-Microsoft browsers or mailers are not affected.

The worm arrives embedded in an email message as the message HTML signature.
The recipient of the message cannot see any visible symptoms as there is no
displayable text in the signature. If the user opens or previews the
infected email message the worm drops file KAK.HTA into the Windows start-up
folder. KAK.HTA runs the next time Windows is started, creates the
C:\WINDOWS\KAK.HTM file and changes the Microsoft Outlook Express registry
settings so that the KAK.HTM is automatically included in every outgoing
message as a signature. The KAK.HTA also changes the Windows registry so
that it includes the name of the worm file.

On the 1st of any month after 5 p.m. the worm displays the message
"Kagou-Anti-Kro$oft says not today" and runs Windows shutdown.

   +-----------------------------------------+
   | Memory Driver Error                     |
   |-----------------------------------------|
   | [ ! ] Kagou-Anti-Kro$oft says not today |
   |                                         |
   |                  [OK]                   |
   +-----------------------------------------+

-----[Symantec description]--------------------------------------------------
-----[http://www.symantec.com/avcenter/venc/data/wscript.kakworm.html]-------

Wscript.KakWorm

VBS.KakWorm spreads using Microsoft Outlook Express.
It attaches itself to all outgoing messages via the Signature feature of
Outlook Express and Internet Explorer newsgroup reader. The worm utilizes a
known Microsoft Outlook Express security hole so that a viral file is
created on the system without having to run any attachment. Simply reading
the received email message will cause the virus to be placed on the system.

Microsoft has patched this security hole. The patch is available from
Microsoft's website. If you have a patched version of Outlook Express, this
worm will not work automatically.

Also known as:      VBS.Kak.Worm, Kagou-Anti-Krosoft
Category:           WORM
Infection length:   4116 Bytes
Virus definitions:  December 30, 1999

Threat assessment:
  Damage        - MEDIUM
  Distribution  - HIGH
  Wild          - HIGH

Wild
  Number of infections:       More than 1000
  Number of sites:            3-10
  Geographical Distribution:  High
  Threat containment:         Medium
  Removal:                    Medium

Damage
  Payload:               Modifies the registry keys and shuts down Windows
  Payload trigger:       First of any month at 5pm
  Degrades performance:  Shuts Down Windows

Distribution
  Size of Attachment:    4116 bytes
  Target of infection:   Microsoft Outlook Express, Internet Explorer Usenet
                         Newsreader

Technical description

The worm appends itself to the end of legitimate outgoing messages as a
signature. When receiving the message, the worm will automatically insert a
copy of itself into the appropriate StartUp directory of the Windows
operating system for both English and French language versions. The file
created is named KAK.HTA.

The worm utilizes a known Microsoft Outlook Express security hole,
Scriptlet.Typelib, so that a viral file is created on the system without
having to run any attachment. Simply reading the received email message
will cause the virus to be placed on the system. Microsoft has patched this
security hole. The patch is available from Microsoft's website. If you have
a patched version of Outlook Express, this worm will not work automatically.
HTA files are executed by current versions of Microsoft Internet Explorer or
Netscape Navigator. The system must be rebooted for this file to be
executed. Once executed, the worm modifies the registry key:

  HKCU/Identities//Software/Microsoft/Outlook/Express/5.0/signatures

in order to add its own signature file, which is the infected KAK.HTA file.
This causes all outgoing mail to be appended by the worm. In addition, the
registry key:

  HKLM/Software/Microsoft/Windows/CurrentVersion/Run/cAgOu

is added which causes the worm to be executed each time the computer is
restarted. Finally, if it is the first of the month and the hour is 17
(5:00pm), the following message is displayed:

   +-----------------------------------------+
   | Memory Driver Error                     |
   |-----------------------------------------|
   | [ ! ] Kagou-Anti-Kro$oft says not today |
   |                                         |
   |                  [OK]                   |
   +-----------------------------------------+

and Windows is sent the message to shutdown.

Removal:

Delete the following file:
  KAK.HTA

Delete the following registry key:
  HKLM/Software/Microsoft/Windows/CurrentVersion/Run/cAgOu

-----------------------------------------------------------------------------
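As an added example (not from the article, and not any anti-virus vendor's code): a small mail-gateway style check that applies the indicators named in the descriptions above to a MIME message, flagging an HTML part whose <script> block refers to Scriptlet.TypeLib or to the dropped KAK.HTA / KAK.HTM files. The two sample messages and their addresses are constructed; the "infected" sample contains only a comment naming the indicators, no executable script.

```python
# Added example (not from the article or any AV vendor): flag MIME messages
# whose HTML part carries a <script> block naming the Kakworm indicators
# described above. Detection only; the samples below are constructed.
import email
import re
from email import policy

# Indicator strings taken from the descriptions above (matched lowercase).
INDICATORS = ("scriptlet.typelib", "kak.hta", "kak.htm")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

def find_kak_indicators(raw_message: bytes) -> list:
    """Return the indicators found inside <script> blocks of HTML parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue  # a plain-text part cannot carry the HTML signature
        for script in SCRIPT_RE.findall(part.get_content()):
            low = script.lower()
            for ind in INDICATORS:
                if ind in low and ind not in hits:
                    hits.append(ind)
    return hits

def is_suspicious(raw_message: bytes) -> bool:
    """True when any indicator appears in script content of an HTML part."""
    return bool(find_kak_indicators(raw_message))

def _msg(body_html: str) -> bytes:
    """Build a constructed single-part HTML message (hypothetical addresses)."""
    return (b"From: sender@example.invalid\r\nTo: user@example.invalid\r\n"
            b"Subject: hello\r\nMIME-Version: 1.0\r\n"
            b"Content-Type: text/html; charset=us-ascii\r\n\r\n"
            + body_html.encode("ascii"))

# Constructed: the HTML "signature" is a script tag whose only content is a
# comment naming two indicators, so nothing in it would run.
SAMPLE_INFECTED = _msg(
    '<html><body><p>See you Monday.</p><script language="JScript">'
    "/* marker: Scriptlet.TypeLib KAK.HTA */</script></body></html>"
)
# Constructed: an ordinary HTML message with a plain-text signature.
SAMPLE_CLEAN = _msg(
    "<html><body><p>See you Monday.</p><p>-- Sent with Outlook Express</p>"
    "</body></html>"
)

if __name__ == "__main__":
    print(find_kak_indicators(SAMPLE_INFECTED))  # ['scriptlet.typelib', 'kak.hta']
    print(is_suspicious(SAMPLE_CLEAN))  # False
```

The check deliberately looks only inside script blocks, so a message that merely mentions KAK.HTA in its visible text (as an advisory forwarded by mail would) is not flagged.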
Subj:
Date: Tue, 27 Jun 2000 11:47:28 AM Eastern Daylight Time
From: "Senders Name"
To:


You are invited to place your personal ad and photos absolutely free of
charge, forever, on the Internet's newest all Christian singles' website,
ChristianDate.com! To do so, simply click the hyperlink below.
ChristianDate is so very easy to use, we believe that you will fall in love
at first sight. Try it out! You have nothing to lose and everything to
experience!

http://www.christiandate.com

God bless,
ChristianDate.com
