Alias: JS/Kak@M, Worm/KakWorm
Type: Worm
Size: 0 Bytes
Origin:
Date: 06-08-2000
Damage: Sent by email.
VDF Version: 6.20.00.00
Danger: Medium
Distribution: Medium
Distribution
It changes the Microsoft Outlook Express 5 registry settings so that the file "%Windows%\KAK.HTM" is attached as the signature to every composed email.
If you already use a signature, it will no longer be used.
Technical Details
The KAK worm only attacks English and French Windows 95/98 systems. It uses Microsoft Internet Explorer 5 to spread the infection and Microsoft Outlook Express 5 as the email client. This means that the virus can be attached to every HTML email as JavaScript.
It creates the file "KAK.HTA" in the Windows autostart directory, which is activated at the next system start. A window named "Driver Memory Error" then briefly displays the message "S3 driver memory alloc failed". During this time, the virus copies itself to the Windows system directory under a new file name. This name is composed of the first 8 letters of the last directory in the folder:
C:\%WinDIR%\Application Data\Identities
The worm is also copied as "KAK.HTM" to the Windows directory and modified so that it can relaunch its attack.
The following registry entries are modified:
[HKEY_CURRENT_USER\Identities\\Software\Microsoft\Outlook Express\5.0\signatures]
"Default Signature"="00000000"
[HKEY_CURRENT_USER\Identities\{DA71B880-3169-11D4-85A2-0020AFB6B97D}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"name"="Signature #1"
"type"=dword:00000002
"text"=""
"file"="C:\\%WinDIR%\\kak.htm"
After completing its action, the worm modifies AUTOEXEC.BAT so that the next time the system is restarted, the created files are deleted from the autostart directory:
@echo off>C:\%WinDIR%\STARTM~1\Programs\StartUp\kak.hta
del C:\%WinDIR%\STARTM~1\Programs\StartUp\kak.hta
The original AUTOEXEC.BAT is saved as AE.KAK. To ensure that the worm stays active, the new file in the Windows system directory is entered in the autostart key of the registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"cAg0u"="C:\\%WinDIR%\\%SystemDIR%\\DA71B880.hta"
If Windows is started at 17:00 hours on the 1st of every month, the virus displays a message:
"Kagou-Anti-Kro$oft says not today!"
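The registry changes listed above can be checked for in an exported registry file. The following Python script is an added example, not part of the original description or of any vendor tool; the sample export and its C:\WINDOWS paths are constructed. It flags any .hta value under the Run key rather than one fixed name, because the description says the file name is derived from the identity directory.

```python
import re

# Constructed sample: a REGEDIT4-style export holding the entries the
# description lists, plus one benign Run value. Paths are illustrative.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"cAg0u"="C:\\WINDOWS\\SYSTEM\\DA71B880.hta"

[HKEY_CURRENT_USER\Identities\{DA71B880-3169-11D4-85A2-0020AFB6B97D}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"name"="Signature #1"
"type"=dword:00000002
"file"="C:\\WINDOWS\\kak.htm"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUN_SUFFIX = r'\software\microsoft\windows\currentversion\run'
OE_SIG_RE = re.compile(r'\\outlook express\\5\.0\\signatures\\[^\\]+$')

def unescape(data):
    # Undo .reg string escaping: a backslash protects the next character.
    return re.sub(r'\\(.)', r'\1', data)

def find_kak_indicators(reg_text):
    """Return (key, value_name, data, reason) for each matching string value."""
    hits, key = [], ''
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # dword/hex values, blank lines, file header
        name, data = unescape(m.group(1)), unescape(m.group(2))
        low_key, low_data = key.lower(), data.lower()
        if low_key.endswith(RUN_SUFFIX) and low_data.endswith('.hta'):
            hits.append((key, name, data, 'HTA file launched from Run key'))
        elif OE_SIG_RE.search(low_key) and name.lower() == 'file' and low_data.endswith('\\kak.htm'):
            hits.append((key, name, data, 'Outlook Express signature file is kak.htm'))
    return hits

if __name__ == '__main__':
    for hit in find_kak_indicators(SAMPLE_REG):
        print(' | '.join(hit))
```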
Description inserted by Crony Walker on Tuesday, June 15, 2004