A Personal Case of Being Infected by an E·mail Virus
Copyright © 2000, by Walter Robinson II, All Rights Reserved.
As hard as it may be to believe, the computer I use most of the time
(which was my wife's at the time I composed this page) was infected by a virus. It crept into our system about ONE WEEK
after I had composed and posted the above article entitled, The
Perils Of Copiously Forwarding E·mail And Sending Bulk Addressed Emailings. The
following is what happened.
On Saturday, November 11, 2000, I had turned the computer on, and had
been on and off the web several times. I had been searching the World Wide Web and also
checking for and receiving e·mail. However, I had not tried to send any. I had also spent a
lot of time deleting multiply addressed e·mails, mostly of the 'forwarded' type from my
Microsoft Outlook e·mail accounts. I turned the computer off some two hours later.
I attended a funeral, took care of another matter, then returned home
and turned the computer back on about two and one half hours later to check for
e·mail. The
machine seemed to boot normally. However, right after I typed in my Windows password I
noticed a minimized button on my 'Task Bar' that simply said, "driver memory
error." It disappeared after being briefly visible for only two to three seconds, and
everything seemed okay. Yet, experience has taught me that such quirks can be indicative of
more serious underlying system problems. I have also learned that the sooner you correct
such problems the better off you will be.
I immediately shut down and rebooted a few times hoping that it was
just a system glitch that would correct itself. But the annoying button repeatedly
appeared and quickly disappeared. I then ran "MS Info" and checked my start up
configuration and noticed that my system's registry was now set to call a file called,
"kak." I also noticed that two lines of new instruction had been added to my
autoexec.bat file. They also called for a file with the "kak" string in its
name.
I then searched my hard drive for "kak" and discovered that
I had several other files in my Windows directory and elsewhere that had the same string in
their name. I tried to remove the files and turn off the registry and autoexec.bat file
instructions, and then rebooted. But when my system came back up the little button
returned and all the files and program instructions had been restored! I had never
contracted a virus before; but it now looked like I had been hit!
I decided to try to get on the Internet and search for 'kak.hta.'
Thankfully, my system still worked enough to connect to the Internet and allow me to
initiate a keyword search. Sure enough, several pages came up that made reference to
a virus named 'Kakworm.'
It took nearly two hours to find the necessary fix and software to
rid my system of the malevolent program. Thankfully, it was nothing more serious--such as
corrupting files or deleting all the files on my hard drive.
I was also thankful that I was using Microsoft Outlook,
instead of Microsoft Outlook Express. I soon discovered that if I had
been using the latter, and if I had sent out any mail while infected, I would have
passed the virus on to others!
I found several web pages that described the virus and methods on how
to rid your system of it. What I discovered only reinforced what I had stated in the
previous article about proper Internet Practices mentioned above. I found one page most
helpful and simple to follow. It is entitled Wscript_KAKWorm or VBS_KAKWorm
- Virus Removal Instructions - Kagou-Anti-Kro$oft and it is located on
the "PC HELL" website (sorry, but that is the name of the site). What
it said in part about this virus is as follows:
The Wscript KAK Worm is a worm/virus that attacks systems using
Outlook Express. It uses a known security vulnerability to attach
itself to every e·mail sent from an infected system. It is written with Javascript and it
attacks both the English and French versions of Windows 95/98, if Outlook Express 5 is
installed.
What makes this worm unique is its ability to infect a system by
someone simply reading or previewing an e·mail message. The worm hides in the HTML of the
e·mail itself. When the message is previewed or opened by the recipient, the worm
automatically takes control and infects the computer.
If neither Outlook Express nor MS Internet Explorer 5.0 is
installed, the worm is not able to infect the machine. The worm has another potential side
effect as well. On the 1st day of any month when the hour is 5:00pm, the following message
is displayed and Windows is sent a command to shut down. You may also see a "Driver
Memory Error" occur when starting Windows.
Another article entitled, Focus on VBS/Kakworm: are you
protected? at Sophos Anti-Virus website also stated this:
VBS/Kakworm appears to be extremely widespread, and Sophos
researchers believe this is largely because individuals and companies have not applied a
patch first issued by Microsoft in August 1999.
The same site has another page on the analysis of the virus
that adds:
The worm will run if the user has Internet Explorer, Outlook or Outlook Express,
but it will only spread to other users if Outlook Express is used to send
e·mail.
Even if you receive an infected message, you cannot be affected unless you have an
Internet Explorer based product installed.
The worm arrives embedded in an e·mail message as the message HTML signature. The
recipient of the message cannot see any visible symptoms as there is no displayable text
in the signature.
If the user opens or previews the infected e·mail message the worm drops file KAK.HTA into the Windows start-up folder. KAK.HTA runs the next time Windows is started,
creates the C:\WINDOWS\KAK.HTM file and changes the Microsoft Outlook Express registry
settings so that the KAK.HTM is automatically included in every outgoing message as a
signature. The KAK.HTA also changes the Windows registry so that it includes the name of the
worm file.
On the 1st of any month after 5 p.m. the worm displays the message
"Kagou-Anti-Kro$oft says not today" and runs Windows shutdown.
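The persistence chain described in the quoted Sophos analysis (KAK.HTA in the Windows start-up folder, KAK.HTM wired into the Outlook Express signature settings) and the registry and autoexec.bat entries the author found earlier are all things a defender can check for from a directory listing, the autoexec.bat text and a registry export. The following is example code added here, not code from the original page or from any of the sites it cites; the Outlook Express signature key layout is an assumption, and all sample data is constructed.

```python
import re
from typing import Dict, List, Tuple

# Indicator named on the page: any file called kak.hta or kak.htm.
KAK_NAME = re.compile(r"\bkak\.ht[am]\b", re.IGNORECASE)
# Outlook Express 5 signature settings key (assumed layout, not taken from the page).
OE_SIGNATURE_KEY = re.compile(r"\\Outlook Express\\5\.0\\signatures", re.IGNORECASE)
Finding = Tuple[str, str]  # (where it was found, detail)

# Constructed fixtures, not real captures, modelled on the page's description.
STARTUP_LISTING = ["desktop.ini", "KAK.HTA"]
AUTOEXEC_BAT = "@ECHO OFF\nPATH C:\\WINDOWS\nSTART C:\\WINDOWS\\KAK.HTA\n"
REG_EXPORT = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Benign"="C:\\WINDOWS\\notepad.exe"
"Dropped"="C:\\WINDOWS\\KAK.HTA"
[HKEY_CURRENT_USER\Identities\{ID-PLACEHOLDER}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"file"="C:\\WINDOWS\\kak.htm"
'''

def scan_startup_folder(names: List[str]) -> List[Finding]:
    """Flag a kak.* file sitting in the Windows start-up folder."""
    return [("startup", n) for n in names if KAK_NAME.search(n)]

def scan_autoexec(text: str) -> List[Finding]:
    """Flag autoexec.bat lines that reference a kak.* file."""
    return [("autoexec", l.strip()) for l in text.splitlines() if KAK_NAME.search(l)]

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg export parser: {key: {value name: data}} for string values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            # .reg exports double every backslash inside string data; undo that.
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def scan_registry(text: str) -> List[Finding]:
    """Flag Run values launching kak.* and an OE signature file pointing at kak.htm."""
    findings: List[Finding] = []
    for key, values in parse_reg_export(text).items():
        for name, data in values.items():
            if KAK_NAME.search(data):
                kind = "signature" if OE_SIGNATURE_KEY.search(key) else "registry"
                findings.append((kind, f"{key}\\{name} -> {data}"))
    return findings

def scan_host() -> List[Finding]:
    """Run all three checks over the fixtures; an empty list means no indicator was found."""
    return scan_startup_folder(STARTUP_LISTING) + scan_autoexec(AUTOEXEC_BAT) + scan_registry(REG_EXPORT)
```

Against the constructed fixtures the scan reports four findings, one per persistence point the page names; on a clean export and listing it reports none.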
Further-- and are you ready for this--Microsoft itself has some
ominous words to offer about the specific weakness inherent in the Windows operating
system that allows viruses such as Kakworm to infiltrate it. The page is entitled, Microsoft Security Program: Microsoft Security Bulletin (MS99-032),
and the following is stated:
Microsoft has released a patch that eliminates security
vulnerabilities in two ActiveX controls. The net effect of the vulnerabilities is that a
web page could take unauthorized action against a person who visited it. Specifically,
the web page would be able to do anything on the computer that the user could do.
(Emphasis mine)
I have been using personal computers since 1979, and I have a pretty
extensive technical background in digital electronics and accumulated experience. That and
the Lord's grace enabled me to recognize and pinpoint the problem, and then repair it. But
what would you do if you had gotten infected? Would you have recognized it before
you sent e·mail to someone else and infected them as someone did it to me? Just think, with
multiply addressed self composed or 'forwarded' e·mails you could literally infect all the
friends listed in your address book with other viruses that work like this one! I must
also point out that new viruses are being written every day.
I prefer to believe that my loving God allowed this to happen to me
so that I could pass on the warning and also press the importance of using proper Internet
Practices. Simply put, do not readily and regularly receive and forward 'forwarded'
e·mail,
except in specially warranted cases such as with prayer requests. And when you do, make
sure that you put all addresses in the 'Bcc' (blind carbon copy) box to keep your friends'
e·mail addresses private.
I hope this document helps to equip you with knowledge so that you
may be wiser in e·mail communications.
NOTE: If you have been having problems with this particular virus
please do not write me! As stated above I could not have infected anyone with the virus
because I do not use Outlook Express. Yet, I have included links in the document that will
connect you to the above sources that will tell you how to fix your system.
(WTRII)

Copyright © 2000 Last Chance Ministries. All rights reserved.
Revised: June 13, 2006.