Find a Partner
This window is encrypted for your security.
Need help? Ask the community or hire an expert.
Go to Avira Answers
Sent by email.
It changes the Microsoft Outlook Express 5 registry settings, so that the file "%Windows%\KAK.HTM" is attached as signature to every composed email
If you already use a signature, it will no longer be used.
Wurm KAK only attacks English and French Windows 95/98 systems. It uses Microsoft Internet Explorer 5 to spread the infection, and Microsoft Outlook Express 5, as email Client. This means that the virus can be attached to every HTML email as Java Script.
It creates the file "KAK.HTA" in Windows autostart directory. It will be activated by the next system start. A window named "Driver Memory Error" will shortly display a message: "S3 driver memory alloc failed". In this time, the virus copies itself in Windows system directory with a new file name. This name is composed out of the first 8 letters of the last directory in the folder:
The worm is copied as "KAK.HTM" in Windows directory and modified, so that it can relaunch its attack.
The following registry entries are modified:
After completing its action, the worm modifies AUTOEXEC.BAT, so that the next time the system is restarted, the created files are deleted from autostart directory:
The original is saved as AE.KAK. But to ensure its activity, the new file is entered in the autostart registry of Windows System directory:
If Windows is started at 17:00 hours on the 1st of every month, the virus displays a message:
"Kagou-Anti-Kro$oft says not today!"
Description inserted by Crony Walker on Tuesday, June 15, 2004