Tutorials - How to remove JS/KAK
Summary: How to remove the JS/KAK worm from your system, and harden your system against related viruses
Updated: 25 October 2002
Author: Gabor Szappanos
Company: VirusBuster, Hungary
Procedure
Introduction
In order to understand the necessary steps in the removal process, it is useful to learn how the virus works.
System requirements for the virus
The following factors are needed for this virus to spread:
- Most email clients are capable of handling HTML 'enhanced' email messages. Some of them, including Outlook and Outlook Express, use it as their default message format.
- To render these messages, both Outlook and Outlook Express use Internet Explorer's HTML rendering engine. Anything the engine can render, the email client will render too, including embedded scripts and ActiveX objects. The contents of an email message are considered to be in the Internet zone, so the same security restrictions apply to them as to most web pages. That is, only the ActiveX controls that are marked as safe for scripting can be accessed. The problem is that several such controls, including Eyedog and scriptlet.typelib, were marked safe even though they provide functionality to manipulate the registry and to change or create files on the computer.
For JS/KAK to operate, the following requirements need to be fulfilled:
- The computer must run Windows 95/98/ME, as the virus assumes that the location of the Windows installation directory is Windows and the system directory is System.
- Internet Explorer 5.0, Windows Scripting Host and Outlook Express have to be installed on the computer.
- Internet-zone security is not set to "high" in Internet Explorer's settings.
Virus operation details
When these conditions are met, and the user opens an infected email message in a vulnerable email client, the virus will be activated. It creates a file named KAK.HTA in the Windows Startup folder, and in the System folder, and registers itself to be run at startup by creating a subkey in the registry under:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
It also changes the settings of Outlook Express by modifying the registry key:
HKEY_CURRENT_USER\Identities\{User}\Software\Microsoft\Outlook Express 5.0\Signatures
The outgoing messages will contain KAK.HTM, a copy of the virus, as an automatic signature. Additionally, the virus appends two lines to the end of AUTOEXEC.BAT which will remove the temporary KAK.HTA file.
Removal
The following procedures should be performed to remove KAK from the computer:
- The Outlook Express security zone should be set to the Restricted Sites zone. The setting is available on the Security tab of the Tools|Options dialog. Additionally, it is advisable to change the security settings so that ActiveX components are not run at all, or the user is prompted each time before one is run: open the Tools|Internet Options dialog, select the Security tab, select the Internet zone, click the Custom Level... button, and set every option related to ActiveX components to Disable or Prompt.
- In the Tools|Options dialog under the Signature tab the KAK.HTM signature file should be removed.
- The virus files, KAK.HTM and KAK.HTA, should be removed from the computer, either manually or by a virus scanner. The appended lines at the end of AUTOEXEC.BAT should also be removed.
- In order to avoid re-infection, the security patch that fixes the ActiveX component misclassification should be downloaded and installed from the Microsoft website. The availability of the patch is described in Microsoft Security Bulletin MS99-032.
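The indicators listed under "Virus operation details" and the manual removal steps above map onto a small audit that can be reasoned about offline. The following Python script is an added example, not part of the original tutorial or VirusBuster's tooling: it checks a constructed snapshot of a Windows 9x machine (a file list, registry values and the text of AUTOEXEC.BAT) for KAK.HTA/KAK.HTM files, a Run-key entry launching them, an Outlook Express signature pointing at KAK.HTM, and the lines appended to AUTOEXEC.BAT, and it produces the cleaned AUTOEXEC.BAT text. The default Windows 9x paths, the Run-key value name, the identity GUID and the exact batch lines are assumptions made for the example; the tutorial only states that two lines removing KAK.HTA are appended.

```python
"""Audit a (constructed) Windows 9x snapshot for the JS/KAK indicators
described in the tutorial, and produce the AUTOEXEC.BAT cleanup.

Nothing here touches a live machine: the snapshot is plain data, so the
checks can be run and reasoned about offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Locations named in the tutorial.  Default Windows 9x paths are assumed.
STARTUP_DIR = r"C:\WINDOWS\Start Menu\Programs\StartUp"
SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# Outlook Express signature settings live under a per-identity GUID.
SIGNATURES_KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Identities\\\{[^}]+\}\\Software\\Microsoft\\"
    r"Outlook Express 5\.0\\Signatures",
    re.IGNORECASE,
)
# The two virus files: KAK.HTA (dropped copy) and KAK.HTM (signature copy).
KAK_FILE_RE = re.compile(r"\bkak\.ht[am]\b", re.IGNORECASE)


@dataclass
class Snapshot:
    files: List[str]                       # full paths of files present on disk
    registry: Dict[str, Dict[str, str]]    # key path -> {value name: data}
    autoexec: str                          # text of C:\AUTOEXEC.BAT


def find_kak_files(snap: Snapshot) -> List[str]:
    """Paths whose file name is exactly KAK.HTA or KAK.HTM (any case)."""
    return [p for p in snap.files if KAK_FILE_RE.fullmatch(p.rsplit("\\", 1)[-1])]


def find_run_entries(snap: Snapshot) -> List[Tuple[str, str]]:
    """Run-key values that launch a KAK file at startup."""
    hits = []
    for key, values in snap.registry.items():
        if key.lower() == RUN_KEY.lower():  # registry paths are case-insensitive
            hits += [(n, d) for n, d in values.items() if KAK_FILE_RE.search(d)]
    return hits


def find_signature_entries(snap: Snapshot) -> List[Tuple[str, str, str]]:
    """Outlook Express signature values (any identity, any subkey) naming KAK.HTM."""
    return [
        (key, n, d)
        for key, values in snap.registry.items()
        if SIGNATURES_KEY_RE.match(key)
        for n, d in values.items()
        if KAK_FILE_RE.search(d)
    ]


def find_autoexec_lines(text: str) -> List[Tuple[int, str]]:
    """1-based line numbers of AUTOEXEC.BAT lines that reference a KAK file."""
    return [(i, l) for i, l in enumerate(text.splitlines(), 1) if KAK_FILE_RE.search(l)]


def clean_autoexec(text: str) -> str:
    """AUTOEXEC.BAT text with the appended KAK lines removed; everything else kept."""
    kept = [l for l in text.splitlines() if not KAK_FILE_RE.search(l)]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


def audit(snap: Snapshot) -> Dict[str, list]:
    return {
        "files": find_kak_files(snap),
        "run": find_run_entries(snap),
        "signatures": find_signature_entries(snap),
        "autoexec": find_autoexec_lines(snap.autoexec),
    }


def is_infected(snap: Snapshot) -> bool:
    return any(audit(snap).values())


# Constructed sample data: an infected machine and a clean one.  The value
# name, the identity GUID and the exact batch lines are made up for the
# example; the tutorial only states that two lines removing KAK.HTA are appended.
SIG_KEY = (r"HKEY_CURRENT_USER\Identities\{EXAMPLE-IDENTITY-GUID}"
           r"\Software\Microsoft\Outlook Express 5.0\Signatures\00000000")
CLEAN_AUTOEXEC = "@ECHO OFF\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n"
INFECTED_AUTOEXEC = CLEAN_AUTOEXEC + (
    "@ECHO OFF > C:\\WINDOWS\\STARTM~1\\Programs\\StartUp\\kak.hta\n"
    "DEL C:\\WINDOWS\\STARTM~1\\Programs\\StartUp\\kak.hta\n"
)
INFECTED = Snapshot(
    files=[SYSTEM_DIR + r"\KAK.HTA", STARTUP_DIR + r"\kak.hta",
           r"C:\WINDOWS\NOTEPAD.EXE", r"C:\WINDOWS\kak.htm"],
    registry={
        RUN_KEY: {"ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
                  "example-entry": SYSTEM_DIR + r"\kak.hta"},
        SIG_KEY: {"file": r"C:\WINDOWS\kak.htm"},
    },
    autoexec=INFECTED_AUTOEXEC,
)
CLEAN = Snapshot(
    files=[r"C:\WINDOWS\NOTEPAD.EXE"],
    registry={RUN_KEY: {"ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun"}},
    autoexec=CLEAN_AUTOEXEC,
)

if __name__ == "__main__":
    for name, hits in audit(INFECTED).items():
        print(f"{name}: {hits}")
```

Each finding category corresponds to one removal step: files to delete, the Run entry and the signature value to remove from the registry, and the AUTOEXEC.BAT lines to strip. Matching is deliberately narrow (exact file names KAK.HTA and KAK.HTM, the specific Run and Signatures keys) so that a legitimate entry is not flagged by accident; the security-zone and patch steps are configuration changes and are not covered by the audit.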