~~~~~~~Software and Internet Discussion Forum for Christians and Catholics~~~~~~~




----------------------------
Yudi Wijaya
E-Mail: [EMAIL PROTECTED]
----------------------------

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Branch
> Development
> Sent: 02 June 2000 8:03
> To: e-Software
> Subject: [i-kan-software] VIRUS?
>
>
> Hi, I need some help. Every time after I turn on the computer, this always
> comes up:
>               Driver Memory Error
>       Kagou-Anti-Kro$off Says Not Today
>                       Ok
>
> If I click OK, a few seconds later it shuts down by itself. And it keeps
> doing that. Why is that? Is it the KAK.HTA virus? Because when I searched
> for HTA files, there was one at c:\windows\system\B2C57100.HTA. How do I
> get rid of it? It won't go away, I've already tried. Do I have to
> reinstall? I just spent all of yesterday reinstalling. Also, is D: affected
> too? My HD is split into 2 partitions, C: and D:
> Oh yes, this only started happening yesterday.
> Thanks for your help. I really need it.
+ Yikes... scary. I looked it up in Norton AV (virus library) and it turns
out it's there, so I got curious and searched the Internet; here is what I
found:
I believe this virus activates on the 1st of every month at 5 pm.
So go ahead and clean that worm out now via the registry and the related
files.
F-Secure Virus Information Pages

NAME: Kak
ALIAS: Wscript.KakWorm, KakWorm
Kak is a worm that embeds itself to every email sent from the infected
system, without any attachment, like BubbleBoy does. For further information
about BubbleBoy, see the description:
http://www.F-Secure.com/v-descs/bubb-boy.htm
Kak is written in JavaScript and it works on both English and French
versions of Windows 95/98 if Outlook Express 5.0 is installed. It does not
work in a typical Windows NT installation.
The worm uses a known security vulnerability that affects Outlook Express.
Once the user receives an infected email message, and opens or views the
message in the preview pane, the worm creates a file "kak.hta" to the
Windows Startup directory.
Next time when the system is restarted, the worm activates. It replaces
"c:\autoexec.bat" with a batch file that deletes the worm from the Startup
directory. The original "autoexec.bat" is copied to "C:\AE.KAK".
It also modifies the message signature settings of Outlook Express 5.0
replacing the current signature with an infected file, "C:\Windows\kak.htm".
Therefore every message sent with Outlook Express after that will contain
the worm.
Next it modifies the Windows registry in a such way that it will be executed
in every system startup. The key it adds to the registry is:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cAg0u
The .hta file that the virus creates and will be executed is saved to
Windows System directory. In first day of each month if the number of hours
is more than 17 (i.e. 6pm or later), the worm will show an alert box with
the following text:

    Kagou-Anti-Kro$oft say not today!

Then the worm causes the Windows to shut down.
F-Secure Anti-Virus detects the worm. When the worm has been detected, the
user should delete the following files, if they exist:

    C:\Windows\kak.htm
    C:\Windows\System\(filename).hta
        where (filename) is a variable, and it changes from one system to another
    C:\Windows\Start Menu\Programs\Startup\kak.hta
    C:\Windows\Menu Demarrer\Programmes\Demarrage\kak.hta
The "autoexec.bat" can be restored by copying the "C:\AE.KAK" to
"C:\autoexec.bat".
Kak uses a known security hole in Microsoft Outlook Express to create the
local HTA file.
If active scripting is disabled from Outlook Express, then the worm will not
work.
Microsoft has more information on this problem available at:
http://www.microsoft.com/Security/Bulletins/MS99-032faq.asp
They have also a patch to fix this problem at
http://www.microsoft.com/security/Bulletins/ms99-032.asp
[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]


Profile
  Name: WScript/Kak.worm
  Aliases: JS/Kak.worm, Kagou-Anti-Kro$oft, Kak, VBS.Kak.Worm, VBS/Kak, Wscript.Kak,
           Wscript.KakWorm
  Variants: None
  Related Viruses: VBS/Bubbleboy
  Related Downloads: None
  Date Added: 12/31/99

Information
  Discovery Date: 12/31/99
  Origin: France
  Type: Virus
  SubType: VbScript
  Risk Assessment: Medium
  Minimum DAT: 4051 (11/10/99)
  Minimum Engine: 4.0.25


Characteristics
*Update: March 2, 2000 - Virus Patrol continues to identify more occurrences
of this Internet worm in newsgroup postings which is an indication that this
is spreading further. This worm was first discovered by AVERT in December
and added detection for it within 4051 DAT updates. AVERT recommends adding
".HTA" to file extensions scanned for protection, and also ensure users have
installed the security patch from Microsoft mentioned below.

Another dangerous aspect of this Internet worm is the ability to
continuously re-infect yourself if the preview pane is enabled and you
browse between folders specifically the "sent" folder which happens to
contain the Internet worm within a message. This is another strong reason to
update to the security patch, if not already.*

This is an Internet worm which uses ActiveX and Windows Scripting Host to
propagate itself through email using MS Outlook Express 5. This worm
consists of 3 components, an HTA file (HTML for Applications), a REG file
(Registration Entries Update) and a BAT file (MS-DOS Batch).

The method used to integrate these components is to have first composed an
email message in HTML which supports scripting. Using an ActiveX exploit
known as "Scriptlet TypeLib", the script writes an HTA file to the local
machine, typically in the startup folder. This will launch the code embedded
in the HTA file at the next Windows startup. Microsoft has published a
security update which addresses this ActiveX exploit and users are
encouraged to update their systems with this component. With this update
installed, users are questioned if they wish to run the ActiveX control
which is marked "safe for scripting".

For more details on this vulnerability and to obtain a patch from Microsoft,
see this link:
Microsoft Security Bulletin

For current security bulletins from Microsoft, see this link:
Current Bulletins.

Email messages written in HTML format will be coded with the Internet worm
on infected systems due to the default signature modification on infected
systems. The email application Outlook Express is a target of this Internet
worm for propagation due to its support for HTML format messages. If an
email message is coded with the WScript/Kak.worm code and it is allowed to
run, files are written to the local machine in different locations:

c:\windows\kak.htm
c:\windows\system\(name).hta
c:\windows\Menu Démarrer\Programmes\Démarrage\kak.hta
c:\windows\Start Menu\Programs\StartUp\kak.hta

In the above list, "(name)" is a random 8 character name (e.g.
98278AE0.HTA). The path name of "Démarrage" gives us an indication that its
origin is France with target installations of French Windows 9x operating
systems; the secondary path targets English installations.

The AUTOEXEC.BAT file is modified to run the file KAK.HTA and then delete it
from its folder location. The system registry is also modified when the
script executes a shell registry update using regedit and the REG file
written to the local system. The registry modification is this:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
cAg0u = "C:\WINDOWS\SYSTEM\(name).hta"

The entry "(name)" is a random 8 character name (e.g. 98278AE0.HTA).

The email spreading method is possible by a registry modification which adds
a signature to MS Outlook Express 5. The signature is set to include the
file "C:\WINDOWS\kak.htm" and is set as the default signature such that the
worm is spread on all outgoing email if the signature is included.

The contents of the HTM file are just a small file which consists of script
to run the KAK.HTA file which already exists on the target machine. The code
looks specifically for browser versions IE5 or NetScape Navigator higher
than v4.0. Finally this worm also has a payload which is date activated.

On the 1st of the month, and beginning from 6PM local time, a message is
displayed:

"Kagou-Anti-Kro$oft says not today!"

Symptoms
Recipients of messages which contain Wscript/Kak.worm may receive warning
messages such as:
"Do you want to allow software such as ActiveX controls and plug-ins to
run?"

Users should select "NO" to this question. Also another warning dialogue box
could be displayed:
"Scripts are usually safe. Do you want to allow scripts to run?"

Users should select "NO" also to this question. Further indications of
infection are the existence of files KAK.HTA and KAK.HTM as mentioned above,
registry modifications as mentioned above, added or modified default
signature as mentioned above.

On the 1st of the month, and beginning from 6PM local time, a message is
displayed:

"Kagou-Anti-Kro$oft says not today!"

Another possible message is a fake error message with this description:

"S3 driver memory alloc failed"

After this, Windows is instructed to shutdown.


Method Of Infection
Opening email messages which are composed in HTML format and which contain
the script will install the Internet worm on supported systems as mentioned
above. The HTA file is written to the local machine as is the HTM file and
both are created at system startup, and with each composition of HTML format
email message.

Removal of this Internet worm consists of several steps:

* close email client(s)
* install the MS patch mentioned above
* remove KAK.HTA and/or KAK.HTM
* turn off "preview pane"
* delete the default email signature
* delete messages which are not needed which may contain the embedded script

Removal Instructions
Use specified engine and DAT files for detection and removal. Delete files
found to contain this detection.
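The two vendor write-ups above agree on a small set of host indicators: the `cAg0u` value under the Run key, an `.hta` with a per-machine name in the Windows System directory, `kak.htm`, the startup-folder `kak.hta` (English and French paths), and the `C:\AE.KAK` backup of the original `autoexec.bat`. The following Python script is an added example, not code from this mailing-list post nor from F-Secure or AVERT: it runs offline over a registry export in `regedit /e` (REGEDIT4) format and a file listing, reports which of those indicators are present, and lists the matching manual clean-up steps from the descriptions. The registry export and file list below are constructed samples; `98278AE0.hta` is the example name quoted in the write-up, and the `RUN_KEY` / `FILE_PATTERNS` constants are taken from the text. Any current Python 3 is assumed; the script does not need to run on the infected machine itself.

```python
"""Offline triage for the Kak worm indicators listed in the F-Secure and AVERT
descriptions.  Added example, not code from the mailing-list post or from either
vendor; it assumes Python 3 and works on an exported registry text plus a file
listing, so it can run anywhere, not only on the Windows 9x box.
"""
import re
from fnmatch import fnmatchcase

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
KAK_RUN_VALUE = "cAg0u"  # value name Kak adds, per the F-Secure description

# File indicators from the write-ups, as lower-cased glob patterns.  The System
# directory entry is a wildcard because the .hta name differs per machine.
FILE_PATTERNS = [
    r"c:\windows\kak.htm",
    r"c:\windows\system\*.hta",
    r"c:\windows\start menu\programs\startup\kak.hta",
    r"c:\windows\menu démarrer\programmes\démarrage\kak.hta",
]
AUTOEXEC_BACKUP = r"c:\ae.kak"  # where the worm copies the original autoexec.bat

# Constructed sample in `regedit /e` (REGEDIT4) format; the cAg0u line mirrors
# the registry modification quoted above, with the example name 98278AE0.hta.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"cAg0u"="C:\\WINDOWS\\SYSTEM\\98278AE0.hta"
"""

# Constructed directory listing of an infected English Windows 98 system.
SAMPLE_FILES = [
    r"c:\autoexec.bat",
    r"c:\ae.kak",
    r"c:\windows\win.ini",
    r"c:\windows\kak.htm",
    r"c:\windows\system\98278AE0.hta",
    r"c:\windows\Start Menu\Programs\StartUp\kak.hta",
]


def parse_run_values(reg_export):
    """Return {value_name: data} for string values under the Run key of a
    REGEDIT4 export.  Only the Run key is read; other keys are skipped."""
    values = {}
    in_run_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if in_run_key:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # REGEDIT4 writes each backslash in string data as "\\"
                values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def find_kak_indicators(reg_export, file_list):
    """Return a list of (kind, detail) findings: 'registry' for the Run value,
    'file' for each path matching a known Kak location."""
    findings = []
    for name, data in parse_run_values(reg_export).items():
        # Flag the known value name, and any Run entry pointing at an .hta,
        # since the worm's launcher is always an HTA in the System directory.
        if name == KAK_RUN_VALUE or data.lower().endswith(".hta"):
            findings.append(("registry", f"{RUN_KEY}\\{name} = {data}"))
    for path in file_list:
        if any(fnmatchcase(path.lower(), pat) for pat in FILE_PATTERNS):
            findings.append(("file", path))
    return findings


def remediation_plan(findings, file_list):
    """Turn findings into the manual clean-up steps given in the descriptions."""
    steps = ["close Outlook Express and install the MS99-032 patch"]
    for kind, detail in findings:
        verb = "delete Run value" if kind == "registry" else "delete file"
        steps.append(f"{verb}: {detail}")
    if any(p.lower() == AUTOEXEC_BACKUP for p in file_list):
        steps.append(r"restore C:\autoexec.bat by copying C:\AE.KAK over it")
    steps.append("remove the default Outlook Express signature (kak.htm) and "
                 "turn off the preview pane before reopening the mailbox")
    return steps


if __name__ == "__main__":
    hits = find_kak_indicators(SAMPLE_REG_EXPORT, SAMPLE_FILES)
    for kind, detail in hits:
        print(f"[{kind}] {detail}")
    for step in remediation_plan(hits, SAMPLE_FILES):
        print(" -", step)
```

On a real machine the export would come from `regedit /e` and the listing from a recursive directory walk of `C:\`; the `.hta` wildcard in the System directory is deliberately broad, so any hit there that is not the worm should be checked by hand before deletion. The Run-key check also flags any other `.hta` launcher, which covers variants that change the value name but keep the HTA-in-System layout the write-ups describe.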

