R. Jayakumar jakku at mrna.tn.nic.in
Sat Oct 28 08:35:44 EST 2000

Dear friends
     My computer had got inadvertently infected with the JS/KAK worm virus
through my outlook express 5.0 mail client.  I am sorry to say, that whoever
has been reading my mail for the past few months using outlook express 5.0
and above should be infected by the virus by now.  I really apologise for
it.  I have detected it and removed the virus from the system after spotting
it.  You can also remove it quite easily by following the instruction given
       The virus also slows down the PC a lot.
    I am again sorry for all the trouble.


Kak is a worm that - like BubbleBoy - embeds itself without any attachment
to every e-mail sent from the infected system. For further information about
BubbleBoy, see the description: http://www.F-Secure.com/v-descs/bubb-boy.htm

Kak is written in JavaScript and it works on both English and French
versions of Windows 95/98 if Outlook Express 5.0 is installed. It does not
work in a typical Windows NT installation.

The worm uses a known security vulnerability that is in Outlook Express.
Once the user receives an infected e-mail message and opens or views the
message in the preview pane, the worm creates a file "kak.hta" to the
Windows Startup directory.

Next time the system is restarted, the worm activates. It replaces
"c:\autoexec.bat" with a batch file that deletes the worm from the Startup
directory. The original "autoexec.bat" is copied to "C:\AE.KAK".

Also, It modifies the message signature settings of Outlook Express 5.0 by
replacing the current signature with an infected file, "C:\Windows\kak.htm".

Therefore every message sent with Outlook Express will contain the worm
after this has been done.

Then it modifies the Windows registry in such a way that it will be executed
in every system startup. The key it adds to the registry is:


The .hta file that the virus creates and executes in the future is saved to
Windows System directory. On the first day of each month, if the number of
hours is more than 17 (i.e. 6pm or later), the worm will show an alert box
with the following text:

    Kagou-Anit-Kro$oft say not today!

Then the worm shuts down Windows.

F-Secure Anti-Virus detects the worm. When the worm has been detected, the
user should delete the following files, if they exist:

        where (filename) is a variable, and it changes from one system
        to another
Note by me: the file is a combination of numbers and alphabets like
3fe56bt.hta. delete this file.

    C:\Windows\Start Menu\Programs\Startup\kak.hta
    C:\Windows\Menu Demarrer\Programmes\Demarrage\kak.hta

The "autoexec.bat" file can be restored by renaming "C:\AE.KAK" to

also remove the registry key if it exists.

Kak uses a known security hole in Microsoft Outlook Express to create the
local HTA file.

If active scripting is disabled from Outlook Express, the worm will not

Microsoft has more information on this problem available at:

They also have a patch to fix this problem at:

[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]


More information about the Info-gcg mailing list

Send comments to us at biosci-help [At] net.bio.net