Kakworm takes advantage of a security vulnerability in Microsoft’s Internet Explorer browser and Outlook Express mail program.
KAK is transmitted embedded in the HTML signature of a message. Users don’t see it there because there is no displayable text (KAK is written in JavaScript).
Users do not need to click on any attachment or perform any action for KAK to activate. All that is necessary is for the user to view an infected message in the mail preview window (or open the mail and view the message).
Once activated, KAK saves the file KAK.HTA into the Windows Startup folder. The next time the computer is started, KAK.HTA runs and creates KAK.HTM in the Windows directory. The registry is changed so that KAK.HTM is included as a signature on all outgoing mail. This activity is controlled by a new \AUTOEXEC.BAT file (the original file is saved to \AE.KAK).
After 5pm on the 1st of any month, the worm displays the message “Kagou-Anti-Kro$oft says not today” and then shuts the computer off.
KAK is based on Bubbleboy, the first worm able to spread without a user having to open an attachment.
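For triage of a mounted disk copy, the file names given above can be searched for directly. The sketch below is an added example, not part of the original description: `scan`, `script_only` and `demo` are hypothetical helper names, the sample tree layout is constructed, and the file contents are inert placeholders.

```python
import tempfile
from html.parser import HTMLParser
from pathlib import Path

# File names from the description above, matched case-insensitively.
ARTIFACTS = {"kak.hta": "dropper (expected in the Startup folder)",
             "kak.htm": "signature file (expected in the Windows directory)",
             "ae.kak": "saved copy of the original AUTOEXEC.BAT"}

class VisibleText(HTMLParser):
    """Collect displayable text; note whether a <script> element is present."""
    text, has_script, in_script = "", False, False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.has_script = self.in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if not self.in_script:
            self.text += data

def script_only(html):  # True when markup has script but no visible text
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return parser.has_script and not parser.text.strip()

def scan(root):
    """Walk a mounted copy of a disk; return sorted (relative path, finding) pairs."""
    hits = []
    for path in Path(root).rglob("*"):
        finding = ARTIFACTS.get(path.name.lower())
        if finding is None or not path.is_file():
            continue
        if script_only(path.read_text(encoding="latin-1")):
            finding += "; script with no displayable text"
        hits.append((path.relative_to(root).as_posix(), finding))
    return sorted(hits)

def demo():
    """Scan a constructed sample tree whose file contents are inert placeholders."""
    sample = {"WINDOWS/StartUp/Kak.hta": "", "AE.KAK": "", "WINDOWS/sig.htm": "<p>Regards</p>",
              "WINDOWS/KAK.HTM": "<html><script>/* placeholder */</script></html>"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return scan(root)
```

Calling `demo()` returns the three matching paths from the sample tree; pointing `scan()` at a real mount reports the same names wherever they appear, so a hit outside the expected folder still needs a manual look.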