
Wscript.KakWorm

Risk Level 2: Low

Discovered: December 30, 1999
Updated: February 13, 2007 11:56:12 AM
Also Known As: VBS.Kak.Worm, VBS.Kak.Worm.dr, Kagou-Anti-Krosoft, Wscript.Kak.A, JS/Kak.Worm [Panda], Mid/Kakworm, JS_KAKWORM.A [Trend], I-Worm.KakWorm [Kaspersky], JS/Kak@M [McAfee], VBS/Kakworm [Sophos]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
CVE References: CVE-1999-0668


Wscript.KakWorm spreads using Microsoft Outlook Express. It attaches itself to all outgoing messages by using the Signature feature of Outlook Express and the Internet Explorer newsgroup reader.
The worm exploits a known Microsoft Outlook Express security hole so that a viral file is created on the system without the user having to run any attachment. Simply reading the received email message causes the virus to be placed on the system.
Microsoft has patched this security hole. The patch is available at:

http://www.microsoft.com/technet/ie/tools/scrpteye.asp

If you have a patched version of Outlook Express, this worm will not work automatically.

Symantec has also created an interactive tutorial to help you get rid of this worm.

NOTES:
  • This document contains information about the Wscript.KakWorm. There are differences between Wscript.KakWorm and the next major variant of this worm, Wscript.KakWorm.B (note the "B"). The removal procedures are different.
  • Although this worm can be forwarded or detected in email on a Windows NT or Windows 2000 system, it infects only Windows 95/98 systems.
  • If Norton AntiVirus has detected the Wscript.KakWorm and you cannot download email, then see the document "Cannot download email after you delete or quarantine an email message infected with the Wscript.KakWorm."
  • While computers running either unpatched Microsoft Outlook or Outlook Express can be infected, only Outlook Express can automatically spread the infection.
  • One indication of this worm--though it does not occur on all systems--is the message "Driver or memory error" that appears briefly as Windows starts.





Additional precautions that you can take:
Some threats, such as this one, use the VBScript computer language to run. You can protect yourself from threats that use this language by enabling Script Blocking (Norton AntiVirus 2001/2002) or by disabling or uninstalling the Windows Scripting Host. Because the Windows Scripting Host is an optional part of Windows, it can be safely removed from your computer. (Some programs, however, need Windows Scripting Host in order to function properly.)
  • If you are using Norton AntiVirus 2002, which includes Script Blocking, make sure that Script Blocking is enabled (the default).
  • If you are using Norton AntiVirus 2001, a free program update that includes Script Blocking is available. Please run LiveUpdate to obtain this.
  • For other versions of Norton AntiVirus, SARC offers a tool to disable the Windows Scripting Host.
  • To disable the Windows Scripting Host in Microsoft Outlook Express only, see the Microsoft Knowledge Base document "OLEXP: How to Disable Active Scripting in Outlook Express," Article ID: Q192846.


Antivirus Protection Dates

  • Initial Rapid Release version December 30, 1999
  • Latest Rapid Release version December 30, 1999
  • Initial Daily Certified version December 30, 1999
  • Latest Daily Certified version December 30, 1999
  • Initial Weekly Certified release date December 30, 1999

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: High
  • Threat Containment: Moderate
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: High
Writeup By: Eric Chien
