Kak worm

Kak (Kagou Anti Kro$oft)
Initial release: 1999
Operating system: Microsoft Windows
Type: Computer worm

KAK (Kagou Anti Kro$oft) is a 1999 JavaScript worm that spreads through Outlook Express by exploiting a vulnerability in the Internet Explorer component Outlook Express uses to render HTML mail. [1]


Behavior

On the first day of every month at 6:00 pm, the worm initiates a shutdown (the source describes this as being done through SHUTDOWN.EXE) and shows a popup with the text "Kagou-anti-Kro$oft says not today!". A minimized window with the title "Driver Memory Error" often appears at startup, and a message reading "S3 Driver Memory Alloc Failed!" occasionally pops up. For persistence, the worm adds a value named cAg0u under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and edits AUTOEXEC.BAT so that Windows launches it at startup.

The worm adds these lines to AUTOEXEC.BAT:

@ECHO off
C:\Windows\Start Menu\Programs\StartUp\kak.hta
DEL C:\Windows\Start Menu\Programs\StartUp\kak.hta

Approach

KAK works by exploiting a vulnerability in Microsoft Internet Explorer, which Outlook Express uses to render HTML email. The vulnerability concerns the ActiveX control "Scriptlet.Typelib", whose intended purpose is to create new type libraries (".tlb" files). The control, however, places no restriction on either the content written to the output file or the extension of that file: it simply writes whatever the calling script supplies to whatever path the script names. A script can therefore abuse it as a general-purpose file dropper, creating a file with arbitrary content and an arbitrary extension anywhere the user can write.

Because Microsoft did not foresee this abuse, the control was marked "safe for scripting" in Internet Explorer's default security settings, meaning a script in the Internet zone could instantiate it without prompting the user. KAK places such a script in the HTML signature of an email message, so the script runs as soon as the message is viewed or previewed in Outlook Express, which uses Internet Explorer's rendering engine for HTML mail. The infection then installs the same HTML as the user's default Outlook Express signature, so that every message the user subsequently sends carries the worm to new recipients.

KAK uses "Scriptlet.Typelib" to create a file called "kak.hta" in the StartUp folder. This file contains further code that runs the next time the machine starts. An HTA (HTML Application) is not rendered as a web page inside the browser's security zones; it is executed by the HTML Application host (mshta.exe) as a fully trusted local application with the privileges of the logged-on user. The code KAK places in this file therefore has far more freedom than the script in the email signature, which was confined by Internet Explorer's zone settings.
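As an added example (not code from the original article or from the worm itself), the following Python checks inputs for the indicators the article describes: a Scriptlet.TypeLib instantiation inside a script block of an HTML message, a path into the StartUp folder ending in .hta, the two lines added to AUTOEXEC.BAT, and the cAg0u value under the Run key. The sample signature, AUTOEXEC.BAT text and Run-key dictionary are constructed for this example, and the regular expressions and indicator names are this example's own.

```python
import re

# Indicators taken from the article. Regexes, indicator names and all sample
# inputs below are constructed for this example; they are not the worm's code.

# Script-level instantiation of the abused control (JScript or VBScript form).
SCRIPTLET_TYPELIB = re.compile(
    r"""(?:ActiveXObject|CreateObject)\s*\(\s*["']Scriptlet\.TypeLib["']""",
    re.IGNORECASE,
)
# A path into the StartUp folder ending in .hta; "\\+" tolerates the doubled
# backslashes of a JavaScript string literal as well as a bare path.
STARTUP_HTA = re.compile(
    r"""start\s*menu\\+programs\\+startup\\+[^\s"']+?\.hta""", re.IGNORECASE
)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
AUTOEXEC_KAK = re.compile(r"startup\\kak\.hta", re.IGNORECASE)


def scan_html_mail(html: str) -> list[str]:
    """Return indicator names found in the script blocks of an HTML message."""
    hits = set()
    for body in SCRIPT_BLOCK.findall(html):
        if SCRIPTLET_TYPELIB.search(body):
            hits.add("scriptlet.typelib-from-script")
        if STARTUP_HTA.search(body):
            hits.add("writes-hta-to-startup")
    return sorted(hits)


def scan_autoexec(text: str) -> list[str]:
    """Return indicators for the two AUTOEXEC.BAT lines the worm adds, in file order."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not AUTOEXEC_KAK.search(stripped):
            continue
        if stripped.upper().startswith("DEL "):
            hits.append("autoexec-deletes-kak.hta")
        else:
            hits.append("autoexec-runs-kak.hta")
    return hits


def scan_run_values(run_values: dict[str, str]) -> list[str]:
    """Return indicators found among HKLM\\...\\CurrentVersion\\Run value names/data."""
    hits = []
    for name, data in run_values.items():
        if name.lower() == "cag0u":
            hits.append("run-value-cAg0u")
        elif data.lower().endswith("kak.hta"):
            hits.append("run-value-launches-kak.hta")
    return hits


# Constructed sample inputs (hypothetical, for demonstration only).
SAMPLE_SIGNATURE = (
    "<html><body>regards<br>"
    '<script language="JavaScript">'
    'var t = new ActiveXObject("Scriptlet.TypeLib");'
    't.Path = "C:\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\kak.hta";'
    "</script></body></html>"
)
SAMPLE_AUTOEXEC = (
    "@ECHO off\n"
    "C:\\Windows\\Start Menu\\Programs\\StartUp\\kak.hta\n"
    "DEL C:\\Windows\\Start Menu\\Programs\\StartUp\\kak.hta\n"
)
SAMPLE_RUN_INFECTED = {"cAg0u": "C:\\WINDOWS\\kak.hta"}   # data value is constructed
SAMPLE_RUN_CLEAN = {"SystemTray": "SysTray.Exe"}

if __name__ == "__main__":
    print("mail:", scan_html_mail(SAMPLE_SIGNATURE))
    print("autoexec:", scan_autoexec(SAMPLE_AUTOEXEC))
    print("run (infected):", scan_run_values(SAMPLE_RUN_INFECTED))
    print("run (clean):", scan_run_values(SAMPLE_RUN_CLEAN))
```

The mail check deliberately keys on the control name rather than on the worm's exact script, since the same Scriptlet.TypeLib drop technique works with any payload path; the AUTOEXEC.BAT and Run-key checks are specific to this worm's artifacts.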

Next time the machine starts up and "kak.hta" runs, KAK performs a number of actions such as:


References

  1. Mayur Kamat, "Kak Worm - An Internet Virus". Retrieved 2019-11-01.