
Unofficial Home of Old Simplicity & Allis-Chalmers Garden Tractors


Computer virus. "Wscript.kak.worm"


Al
Hi, I have just gotten my computer cleaned up. I have been coasting along with my virus program turned off, and not updated for about a year and a half. About a week ago I turned my computer on about 6 o'clock and received the following message: “HTM ERROR”. “Kagou-Anti-Kro$oft says not today!”. If you click OK it would shut the computer down. In the morning it would be OK, but in the evening it wouldn’t work.

We have since discovered that during execution the worm checks the system date and time. If the day comes first and the hour setting is greater than 17, an alert box displays the above message. The worm is called WSCRIPT/KAK, and needs MS 98 and Outlook Express 5.0. “Wscript.Kak” uses a known Internet Explorer 5 exploit to write its code in the Windows startup directory as “Kak.HTA”. It also writes parts of its code to Kak.HTM and creates a copy of itself in the System directory, which will be registered under the following register key: “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current\Version\Run\cAgOu”. This causes repeated execution when Windows is started. NOTE: A LARGE PORTION OF THE ABOVE INFO WAS OBTAINED FROM THE COMPUTER ASSOCIATES WEB SITE. It was free and I want to give credit where credit is due.

The file we found written to my registry was: “C:\Windows\system\F(@FE8AO……..and more. The worm was written to my registry on August 21, 2000 from an e-mail I received. I was not aware of its existence until after the 1st of the month. I must have been sharing it since the 21st with every e-mail I sent. It attaches itself to every e-mail you send and you have no idea you are sending it. It is my understanding that if you aren’t using Win 98 and Outlook Express 5.0 it is not supposed to affect you at all.

My friend that helps me with my computer, when we discovered the file, copied it and e-mailed it to himself to study it. We weren’t sure it was a virus at that time. He said when he opened it, it made his Netscape act weird. He then removed it and went looking on the net and we found out what we had. I installed McAfee virus scan and it immediately identified the “worm”. I have not been doing anything or answering ANY e-mails until I was sure I had my computer clean. Any of you that have e-mailed me and have not heard from me, this is why. I have received 6 e-mails from club members that have the virus attached. McAfee caught them all. I will contact each of these people and let them know they need to check their computers. I am sorry if I caused any problem for any of you; it certainly wasn’t intentional. Please visit this site for more info on this “worm”: http://www.cai.com/press/2000/01/wscript_kak.htm

Thanks again for your patience. Al
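Added example, not part of Al's post or of the Computer Associates write-up it cites: a defender-side check for the persistence artifacts the post names (the `cAgOu` value under the Run key, `Kak.HTA`, `Kak.HTM`), run over a constructed REGEDIT4 export and a constructed file listing. The sample paths, the `PLACEHOLDER.hta` file name and the rule that flags any Run entry pointing at an .hta/.htm file are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Standard HKLM Run key, compared case-insensitively.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "cagou"                # value name reported in the post
DROPPED = {"kak.hta", "kak.htm"}   # file names reported in the post

# Constructed sample: a regedit export; PLACEHOLDER.hta is not a real name.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"cAgOu"="C:\\WINDOWS\\SYSTEM\\PLACEHOLDER.hta"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
'''

# Constructed sample: file listing with assumed locations.
SAMPLE_FILES = [
    r"C:\WINDOWS\Start Menu\Programs\StartUp\kak.hta",
    r"C:\WINDOWS\kak.htm",
    r"C:\WINDOWS\SYSTEM\SYSTRAY.EXE",
]

def run_entries(reg_text):
    """Yield (name, data) for each string value under the HKLM Run key."""
    section = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == RUN_KEY:
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # .reg files escape each backslash; undo that for the data.
                yield m.group(1), m.group(2).replace("\\\\", "\\")

def find_indicators(reg_text, file_paths):
    """Return (kind, name, detail) tuples for every artifact found."""
    hits = []
    for name, data in run_entries(reg_text):
        # Assumed heuristic: an HTML application has no business autostarting.
        if name.lower() == RUN_VALUE or data.lower().endswith((".hta", ".htm")):
            hits.append(("run-key", name, data))
    for path in file_paths:
        base = PureWindowsPath(path).name
        if base.lower() in DROPPED:
            hits.append(("file", base, path))
    return hits

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(hit)
```
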

Kent
Al, Thanks for alerting me to this one, especially since I get a ton of email, much of it from club members. I updated my McAfee and scanned everything. Luckily, I was clean.... I wonder if some of the strange problems with the clubhouse that I keep hearing about are virus-related... HMMM! Kent

BrianS
Thanks Al. I had the same KAK thing show up at about the same time. I did a posting in the discussion forum about a week ago on problems I've been having with viewing items for sale. Now I can't view items wanted at all. I'm running Norton Anti-virus and it didn't see anything. Guess I'll be looking for updates. Thanks again. I've been racking my brain.

JeffNemes
Yes, it's a tricky one for sure. The last I looked it was the 3rd largest virus out there. It can't infect IE4 but I have lost some folders in deleting it anyway. Norton just came out with a "search and destroy" for preventive maintenance if you use IE5 so hopefully it will slow down.
