The Anatomy of an E-Mail-Borne Computer Virus

I thought it would be a good idea to let everyone know a bit more about e-mail-borne viruses.  Wscript.Kak.Worm is another one of these e-mail-borne viruses that has been going around a lot lately.  It appears to be less damaging but far more common (widespread) than other viruses that we have heard about recently, like the "Love Bug", which made the news.  It is also a little older, having been discovered on December 27, 1999, so it has had much more time to get around (keep in mind that over 1,000 new viruses are identified every month).

One of the symptoms -- though it doesn't occur on all systems -- is the message "Driver Memory Error" that appears briefly as Windows starts up.  This worm exploits a known Microsoft Outlook Express security hole.  It spreads by piggybacking as a signature file on your HTML-based e-mail messages.

A surefire way to determine if you have the bug is to look in your Windows directory for a hidden file called KAK.HTM.  This file will also be referenced as the signature file under your Outlook Express options.

The bad thing is that e-mail viruses like this one are sometimes not picked up by anti-virus software such as the popular Norton Anti-Virus.  By default Norton is set up to scan only program files, which reduces overhead; scanning all the files on your system, the other option, takes much longer.  That is why these buggers are so hard to shield yourself from: they hide in what the system considers to be data files, which are generally safe.  HTML code is not safe, however, when it contains redirection and/or ActiveX controls.

Understand that anti-virus software in general does not know how to properly remove a virus from your system.  This is a concept that most users should quickly familiarize themselves with.  There are simply too many virus strains and too many ways they can attack your system.  Properly removing a virus from your system with the least effort may be a job best left to a software technician (not a hardware geek), although I am not sure how many of them are out there who would take on an assignment like this.  The alternative, as I am sure most of you are aware, is not very attractive, because it involves reformatting your hard drive and rebuilding your system from scratch.  That is a very good reason for doing full, regular, grandfathered backups.

Typically what anti-virus software does is remove the source of the bug to prevent you from infecting others.  Unfortunately, as in this case, it may leave you infected.  This is even more evident with polymorphic viruses.  The Wscript.Kak.Worm bug infects two areas in the registry, places code in the autoexec.bat, and leaves other files on your system so it can re-infect you later.  Your friendly neighborhood computer tech may not understand stuff like this, although I would keep them around, because you might need them to track down the instructions for manually removing one of these rascals.

In its manual removal instructions, Symantec overlooked one thing.  You need to purge all the e-mail on your system that contains this virus, or you risk re-infecting yourself and others.  It would also be a good idea to identify the messages you sent that contained the virus, so you can keep track of who you infected.  Unknowingly, you could potentially lose a lot of friends this way by infecting them and not telling.

Unfortunately, the Norton virus scanner cannot identify or remove individual messages from your folders.  It will just identify the folders where the virus exists.  By deleting the folders you risk losing all that mail and damaging your Outlook database.  You can manually find the infected messages by looking for an identifying signature, the same thing the anti-virus software does.

In this case I searched for the first segment of its Class ID, 06290BD5.  I could also have looked for some other identifying feature, like KAK.HTM, a file it uses, or "Kagou-Anti-Kro$oft", which is displayed on the screen when the virus triggers and is what it is sometimes called.  When deciding on something to search for, you must choose something that will not be broken across a line.  At first, I tried looking for "Driver Memory Error".  But this could be broken at any one of the words, and if you looked for the words individually you would get too many matches.  If I sent you the virus, you could see for yourself.

You cannot do a Find on this stuff in Outlook, because Outlook only searches through plain text, not HTML.  If you don't have a resident virus scanner with what Norton calls Auto-Protect to catch this thing, get one and set the options to scan all files.
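As an added example that is not part of the original article, the following Python script does the kind of signature search described above over raw e-mail text: it looks only at HTML bodies, collapses line breaks so a string that a mail client wrapped across lines still matches (the "Driver Memory Error" problem), and reports which indicators hit.  The two messages are constructed, and the class id is cut to the first segment quoted above with a placeholder for the rest.

```python
import re
from email import message_from_string
from email.message import Message

# Strings the article names as identifying features of the worm, plus the
# start-up message it sometimes shows. Matched case-insensitively.
INDICATORS = ("06290BD5", "KAK.HTM", "Kagou-Anti-Kro$oft", "Driver Memory Error")

def normalize(text: str) -> str:
    """Collapse line breaks and whitespace runs so a string a mail client
    wrapped across lines ("Driver Memory" / "Error") still matches."""
    return re.sub(r"\s+", " ", text)

def html_bodies(msg: Message):
    """Yield decoded text/html parts only; plain-text parts carry no script."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_payload(decode=True).decode("latin-1", "replace")

def scan_message(raw: str) -> list:
    """Return the indicators found in the HTML parts of one raw message."""
    found = []
    for body in html_bodies(message_from_string(raw)):
        flat = normalize(body).lower()
        for ind in INDICATORS:
            if ind.lower() in flat and ind not in found:
                found.append(ind)
    return found

def scan_mailbox(messages: list) -> dict:
    """Map message index -> indicators hit, for messages with any hit."""
    return {i: h for i, raw in enumerate(messages) if (h := scan_message(raw))}

# Constructed sample messages (not captured mail). In INFECTED the class id is
# cut to the first segment quoted in the article; "..." stands for the rest.
CLEAN = """From: alice@example.invalid
Content-Type: text/plain

See you at noon.
"""
INFECTED = """From: carol@example.invalid
Content-Type: text/html

<html><body>hi<br><object classid="clsid:06290BD5-..."></object>
<p>Driver Memory
Error</p></body></html>
"""
# scan_mailbox([CLEAN, INFECTED]) -> {1: ['06290BD5', 'Driver Memory Error']}
```

To run it over a real mailbox, feed each message's raw text (for example from Python's mailbox module) to scan_mailbox and review the flagged indices by hand before deleting anything.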

I also recommend that you install all the Critical Updates for Windows 95/96/NT by running Windows Update under the Tools menu in Internet Explorer (versions 4 and 5).  The patch called "scriptlet.typelib/Eyedog" closes the hole in Outlook Express that this thing comes in on.

If you don't already have a knowledgeable IT consultant paid to research these problems and take care of you, you may be making a terrible mistake.  Luckily for all of us, this virus is pretty lame and somewhat benign (it only triggers once a month, on the first of the month).  As such, it serves as an excellent example.

P.S.  FYI, this virus was found on a brand new computer with NAV installed with the latest AV definitions.


Published May 18, 2000

Copyright Cybertron, Inc. 2000