Sophos

VBS/Kakworm

Aliases
  • Wscript.Kak.A
  • JS/Kak
  • JS/Kak.worm
  • Mid/Kakworm

Summary

 
Included in our products from March 2000 (3.31)
Detected by All Sophos products

More Information

VBS/Kakworm is a worm that exploits security vulnerabilities in Microsoft Internet Explorer and Microsoft Outlook in a way similar to VBS/BubbleBoy-A.

Microsoft have released a patch to deal with this security problem which we strongly recommend users install. For further information and to download the patch please view Microsoft Security Bulletin (MS99-032).

The worm will run if the user has Internet Explorer, Outlook or Outlook Express, but it will only spread to other users if Outlook Express is used to send email.

Even if you receive an infected message, you cannot be affected unless you have an Internet Explorer based product installed.

The worm arrives embedded in an email message as the message HTML signature. The recipient of the message cannot see any visible symptoms as there is no displayable text in the signature.

If the user opens or previews the infected email message, the worm drops the file KAK.HTA into the Windows start-up folder. KAK.HTA runs the next time Windows is started, creates the file C:\WINDOWS\KAK.HTM, and changes the Microsoft Outlook Express registry settings so that KAK.HTM is automatically included in every outgoing message as a signature. KAK.HTA also changes the Windows registry so that it includes the name of the worm file.
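The two-step file sequence described above can be checked on a mounted disk image. The following triage sketch is an added example, not Sophos code: the function names are hypothetical, the start-up directory names assume an English Windows layout, and the sample tree is constructed for the demonstration.

```python
import os
import tempfile

# File names come from the write-up above. The start-up directory names are an
# assumption (English Windows layout); extend the set for other locales.
STARTUP_DIR_NAMES = {"startup", "start-up"}
DROPPER, SIGNATURE = "kak.hta", "kak.htm"

def find_kak_artifacts(root):
    """Walk a mounted volume and return the paths of the worm's two files."""
    hits = {"dropper": [], "signature": []}
    for dirpath, _dirs, files in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for name in files:
            lower = name.lower()  # Windows file names are case-insensitive
            if lower == DROPPER and parent in STARTUP_DIR_NAMES:
                hits["dropper"].append(os.path.join(dirpath, name))
            elif lower == SIGNATURE and parent == "windows":
                hits["signature"].append(os.path.join(dirpath, name))
    return hits

def infection_stage(hits):
    """Map the artifacts found to the sequence described in the write-up."""
    if hits["signature"]:
        return "active"   # KAK.HTA has run at start-up and created KAK.HTM
    if hits["dropper"]:
        return "pending"  # message was opened or previewed; KAK.HTA runs at next start-up
    return "none"         # neither file artifact found (registry not examined)

def build_sample_volume(stage):
    """Constructed sample tree for demonstration; not a real disk image."""
    root = tempfile.mkdtemp(prefix="kak_demo_")
    startup = os.path.join(root, "WINDOWS", "Start Menu", "Programs", "StartUp")
    os.makedirs(startup)
    if stage in ("pending", "active"):
        open(os.path.join(startup, "KAK.HTA"), "w").close()
    if stage == "active":
        open(os.path.join(root, "WINDOWS", "Kak.htm"), "w").close()
    return root

if __name__ == "__main__":
    for stage in ("none", "pending", "active"):
        volume = build_sample_volume(stage)
        print(stage, "->", infection_stage(find_kak_artifacts(volume)))
```

A "pending" result means the machine can still be cleaned before the worm alters the Outlook Express signature settings; an "active" result means outgoing mail should be treated as potentially carrying the signature.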

On the 1st of any month after 5 p.m. the worm displays the message "Kagou-Anti-Kro$oft says not today" and runs Windows shutdown.

Note: If full scanning is used to detect the worm in email, Sophos Anti-Virus will report it as Mid/Kakworm. This is due to the infection technique used by the worm.
