Beware the mass-marketing 'kak' virus


Computer hardware seller Shoppingplanet.com accidentally sent out bug with its regular customer e-mail newsletter to 50,000 subscribers, followed by a hasty warning.

By Bob Sullivan, MSNBC May 26, 2000 3:41 PM PT

Online computer retailer Shoppingplanet.com sent out the computer virus "kak" Thursday with its regular customer e-mail newsletter. About 50,000 subscribers received the e-mail and the virus, according to the company. It sent a second note to its customers later that night with a terse warning: "Please delete our previous newsletter. Potential Virus threat attached to our previous email newsletter." The company sent out the warning note to its subscribers immediately upon discovering it had sent out the virus, said spokeswoman Kathryn Jensen.

http://www.zdnet.com/zdnn/stories/news/0,4586,2578234,00.html

-- Martin Thompson (mthom1927@aol.com), May 27, 2000

Answers

Kak Worm Threatens IE5 And Office 2000 Users

Since the first of the year, this worm has been lurking the Web with the potential for harm.

By Robert Vamosi, Help & How-To May 12, 2000 10:35 AM PT

May 5, 2000

It could have been a contender. The Kak worm has been lurking the Web since the first of the year. Fortunately, it hasn't spread very fast nor has it caused much damage. Still the potential exists for Windows 9x users of Microsoft Outlook Express found in Internet Explorer 5.0 or Office 2000. The Kak worm attaches itself to the outgoing signature files in Outlook Express. It can modify registry files and shut down Windows.

How it works

What is different about Kak, hence the danger, is that it is an automatic worm. This means a user doesn't have to open the attachment to become infected. Just reading the e-mail is enough. The worm uses known security holes in Outlook Express. These ActiveX vulnerabilities allow a malicious file to be created on an infected computer without the user knowing. The worm copies a file called KAK.HTA to the user's hard drive. The worm then renames the current Autoexec.bat file to AE.KAK, and creates a new Autoexec.bat file that runs the KAK.HTA file. Current versions of Internet Explorer and Netscape Navigator can execute .HTA files. The computer must be restarted before the file executes.

The payload of this KAK.HTA file runs on the first day of every month at 6 PM local time. Users will see the following message: "Kagou-Anti-Kro$oft says not today!" and the computer will shut down.

Another possible message is a bogus error "S3 driver memory alloc failed."

http://www.zdnet.com/zdnn/stories/news/0,4586,2567767,00.html?chkpt=zdnnrla

-- Martin Thompson (mthom1927@aol.com), May 27, 2000.
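
The file-system traces described in the article above (KAK.HTA, AE.KAK, and an Autoexec.bat that runs KAK.HTA) can be checked for on a mounted drive or extracted disk image. The following is an added example, not part of the original posts or the quoted articles; the function names, the sample directory layout and the sample Autoexec.bat contents are constructed for illustration.

```python
import os
import tempfile

# Artifact names taken from the article's description of the worm.
DROPPED_NAMES = {"kak.hta", "ae.kak"}


def scan_for_kak(root):
    """Walk a mounted drive or extracted image; return a sorted list of findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()  # Windows 9x file names are case-insensitive
            if lower in DROPPED_NAMES:
                findings.append(("dropped-file", path))
            elif lower == "autoexec.bat":
                # The replacement Autoexec.bat is described as running KAK.HTA.
                with open(path, "r", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if "kak.hta" in line.lower():
                            findings.append(("autoexec-reference", f"{path}:{lineno}"))
    return sorted(findings)


def build_sample_tree(root, infected):
    """Constructed sample data: a minimal fake C: drive, clean or with the artifacts."""
    os.makedirs(os.path.join(root, "WINDOWS"), exist_ok=True)
    with open(os.path.join(root, "AUTOEXEC.BAT"), "w") as fh:
        fh.write("@echo off\nSET PATH=C:\\WINDOWS\n")
        if infected:
            # Constructed line and path (assumption), not the worm's actual text.
            fh.write("C:\\WINDOWS\\KAK.HTA\n")
    if infected:
        for name in ("WINDOWS/KAK.HTA", "AE.KAK"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("placeholder\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, infected=True)
        for kind, where in scan_for_kak(tmp):
            print(kind, where)
```

A hit on AE.KAK also locates the original Autoexec.bat, which the article says the worm renames rather than deletes.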
