RideCamp@endurance.net

Re: RC: Active X- REPAIR



Yes, Claudia
That was the post where she was replying to Kristine Hammond --her post
asking how to get into archives and got it from her. Both posts are
locked in my quarantine vault. Another case where folks should go get
the patch plugging up the Microsoft Internet Explorer if they are going
to receive posts from this list. Again, here is the info on that (people
are probably nervous about opening attachments at this point so I am
just printing the instructions below):   
Bette



This Outlook Email worm depends on a security hole in Internet
Explorer 5, and has an annoying payload that involves displaying a
message and shutting down the host PC based on the time and date.

Kak depends on the same ActiveX security vulnerability as BubbleBoy.
As with BubbleBoy, simply reading messages that have Kak embedded
in them, or even just previewing them in some versions of Outlook or
OutLook Express, causes Kak to run, should the host machine not have
had the security vulnerability patched. Because Kak changes the Email
signature settings of Outlook Express 5 to include a copy of its code in
outgoing messages, some people have started using the term
"signature virus". This is, unfortunately, misleading. Although Kak adds
or replaces an affected user's Email signature, the virus works because
of security holes in a very widely-used web browser and because of that
browser's lenient default security settings for scripting and other
"active content". Further, the term "signature virus" has caused some people to
focus on visible Email signatures, which is counterproductive in Kak's
case as its HTML signature is comprised of JavaScript code only and
thus has no visible manifestation in its carrier messages.

The security hole Kak uses is known as the "Scriptlet.TypeLib" exploit
after the ActiveX control involved. The vulnerability is caused because,
during the installation of Internet Explorer, it is marked "safe for
scripting" despite the fact the control allows creation and modification
of files on local drives. Because it is "safe for scripting", the default
security settings of Internet Explorer, Outlook and Outlook Express allow
the control to be used without raising any security alerts. Thus, it can be
called from scripts embedded in web pages or HTML Email messages
and write to the victim's hard drive without them being warned of this
serious security breach. Further details of this vulnerability, and a
similar one known as "Eyedog", are available from Microsoft at
http://www.microsoft.com/technet/security/bulletin/ms99-032.asp and
all users of machines with Internet Explorer 4.x or 5.0 installed are
recommended to read that page and install the patch it references, if
appropriate. Note that users of non-Microsoft Email and web browser
software may be at risk from these vulnerabilities if their software
depends on Microsoft's Internet Explorer ActiveX controls for displaying
HTML. Users of such browsers and HTML-capable Email programs
should check with the vendors of those products.

Also in keeping with BubbleBoy, Kak uses the Scriptlet.TypeLib hole in
an attempt to drop an HTA (HTML Application) file into the Windows
startup folder. 

A potential point of failure for Kak is that it has "C:\Windows"
hard-coded as the name of the Windows installation directory. While that is the
default name and very widely used, this could prevent Kak working on a
non-default Windows installation, and is part of the reason it does not
work on default NT or Windows 2000 installations. Named "kak.hta", the
path for this file is also hard-coded, and only works on systems where
the Startup folder matches either
"C:\Windows\STARTM~1\Programs\StartUp" or
"C:\Windows\MENUDÉ~1\PROGRA~1\DÉMARR~1". Typically, these are
the "C:\Windows\Start Menu\Programs\StartUp" folders of English
language versions of Windows 9x and the "C:\Windows\Menu
Démarrer\Programmes\Démarrage" folders in French language
versions of the same OSes.

As the Scriptlet.TypeLib hole can only be exploited to write files, Kak
then has to wait for the next system restart or user login. When that
occurs, the code in "kak.hta" is run, and this is where the real work is
done. Kak.hta checks the existence of the aforementioned default
French and English Win9x startup directories, and records whichever it
finds first. It then checks for the existence of "C:\AE.KAK". If that
file does not exist and the script is not running from a file called "kak.hta" it
copies "C:\AUTOEXEC.BAT" to "C:\AE.KAK" then appends two lines to
"C:\AUTOEXEC.BAT". The first redirects an ECHO command to the
"kak.hta" file in the appropriate startup directory and the second deletes
that file. Thus, on an English language Win9x machine, the lines added
to AUTOEXEC.BAT are: 

@echo off> C:\Windows\STARTM~1\Programs\StartUp\kak.hta
del C:\Windows\STARTM~1\Programs\StartUp\kak.hta

The purpose of this code is to overwrite the
original "kak.hta" file, or any subsequent copies
created by the victim reading further "carrier"
messages or from re-reading carrier messages they
have kept or copies of afflicted messages in their
"Sent Items" folder. Redirecting the "ECHO OFF"
command into a file creates a zero-length file,
making recovery of the contents of the original
"kak.hta" file more difficult. Further, the test that
the running script is not in a file named "kak.hta"
means this part of the code does not run on initial
execution of Kak's main code. It will run when the
copy of "kak.hta", described below, executes
because of Kak's registry modifications (also
described below). Deleting itself from the startup
directory is presumably an attempt to reduce the
chance of early discovery, as its presence there
would be obvious to all but the most naive of
users. Following disinfection of Kak, these batch
file changes should be undone by deleting
AUTOEXEC.BAT and renaming AE.KAK to
AUTOEXEC.BAT, unless AUTOEXEC.BAT was
modified between infection and Kak's removal. In
that case, edit AUTOEXEC.BAT and delete the
lines Kak adds at the file's original end-point.

Next, Kak checks for the existence of a seemingly
random-named HTA file in the
"C:\Windows\System" directory. The name is
actually derived from the second through ninth
characters of the name of the last folder in the
"C:\Windows\Applic~1\Identities" folder. These
folder names match the CLSIDs of the user
identities that Outlook Express 5 can create, and
at least one will always exist (the default Outlook
Express user). If the HTA file based on the
selected user identity does not exist, Kak creates
such a file and copies itself there from "kak.hta" in
the Startup folder. A registry entry file
"C:\Windows\kak.reg" is then created, containing
settings to enable Outlook Express 5 Email
signatures for the chosen user identity, and to run
the newly-created HTA file at startup and login.
The latter is achieved by setting the "cAgOu" value
of the registry key
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
to the full path and filename of the HTA file
based on the user identity number. Regedit is then
executed via the WSH object's Run method,
merging the settings from "kak.reg" into the system
registry. 


An HTML file - "C:\Windows\kak.htm" - is created next.

The registry changes set Outlook Express 5 to use
that file as the Email signature of the selected
user. First, a simple HTML header is written to the
file, then a declaration to initialize a
Scriptlet.TypeLib object is written. Next, the bulk
of the worm's code is read from the HTA file in
"C:\Windows\System", after skipping some header
data in that file (due to its creation by the
Scriptlet.TypeLib processor). The body is
massaged to escape special characters so the
script interpreter regenerates the original code,
and that is written to the HTML file. When this is
completed, the file's attributes are set to hidden.

Finally, the day of the month and current hour are
checked. If it is 6:00pm or later on the 1st day of
any month, the following dialog is displayed:
                               


When this dialog box is closed, Kak calls a Win32 API function causing
Windows to shut down. As this code is in the HTA file set to run at each
startup and login, restarting an afflicted machine at or after 6:00pm on
the first day of any month results in the machine starting up, displaying
the described message then shutting down. (Note: Many descriptions
of Kak erroneously claim this payload triggers "on or after 5:00pm". The
test in the code is "[...].getHours()>17" which is only true once 6:00pm
has been reached.)

Once the registry changes have been made and the "kak.htm" file is
created, the afflicted machine can start sending copies of Kak in
outgoing Email messages. Specifically, when the Outlook Express user
whose configuration was modified by Kak creates a new mail
message, the HTML code form of Kak is included in the message (from
the "kak.htm" signature file). The HTML code is only included in
messages created when the "send HTML Email" option is enabled, but
that is the default setting in Outlook Express 5 and few users change
it.

In summary, there are three phases to Kak's functioning. The first is
when the HTML form runs when previewing or reading a carrier
message - this creates the "kak.hta" file in the Startup directory. Second,
the HTA form of Kak's code runs from the "kak.hta" file during the
next startup. This runs as a local application, so can alter the registry
and local files. It copies itself to a pseudo-random-named HTA file in
the Windows system directory, sets the registry to run that file at startup
and alters Outlook Express 5 options to add the HTML form of its code
to outgoing Email messages as a signature. Its third stage adds
commands to AUTOEXEC.BAT to overwrite then delete a "kak.hta" file in
the Startup folder. Further, it will create another copy of itself in a
pseudo-random-named HTA file and set that to run at startup instead of
itself if further user identities have been added in Outlook Express 5
since it last ran.

To work fully, Kak requires Internet Explorer 5.0 and its version of
Outlook Express. Some of the code may work on machines with Internet
Explorer 4.x versions installed, but Kak's full cycle cannot run on such
machines.

Disinfection Notes
It is pointless disinfecting Kak from a machine without first correcting
the security flaw Kak depends on. Should you disinfect Kak but leave
the security hole open, the next Kak-carrying message read or
previewed on the machine will restart the cycle. This could be a
newly-received message from the source of the original infection, or an
infected message stored for later reference. This latter source of
potential re-infection includes copies of infected outgoing Email stored
in the Sent Items folder - an Outlook Express default few users disable.
If you know you have a Kak infection, do not send any more Email from
the afflicted machine(s) and implement one of the security fixes
described in the next paragraph, then clean up Kak, reset your Outlook
Express signature settings, etc. If you take one of the "short-cut" security
fixes to expedite the disinfection, still schedule the installation of the MS
patch as soon as practicable.

The best solution for securing machines with the Scriptlet.TypeLib
vulnerability is to refer to the Microsoft TechNet article mentioned above
and apply the official patch. In the interim, you can also prevent the Kak
code from running by disabling ActiveX support in the security context in
which Outlook Express Email is read. This is done from the Security tab
of the Tools/Options dialog. Assuming the default security zone
definitions have not been changed, select the "Restricted Sites zone"
rather than the default, but less secure, "Internet zone". Check that the
default settings for the "Restricted sites zone" apply from the Security
tab of the Internet control panel or the Security tab of Tools/Options in
Internet Explorer. This less secure approach is far from desirable
alone, and the MS patch should still be installed. Note that regardless
of combinations of security zone settings and patches, Kak-infected
messages in your Email folders can still be forwarded intact, even
though reading them on a secured/patched system does not allow Kak
to run. To prevent stored, infected messages from being replied to or
forwarded in HTML form, set "Plain Text" as the Outlook Express "Mail
Sending Format" and disable the "Reply to messages using the format
in which they were sent" option - both are on the Send tab of
Tools/Options. These changes should be made for all afflicted users, at
a minimum.

Note: Although the preceding discussion focuses on Email, it applies
equally to HTML messages posted in Internet News fora as well.
Fortunately, "Plain Text" is the default message sending type for News
messages in Outlook Express. Several minor variants of Kak have been
found that appear to be the natural by-products of its code being viewed
in various browsers or HTML editors. Some of these minor code
changes have rendered the resulting files "undetectable" by some
scanners and some of these variants will not work on French language
versions of Windows.

Kak has been seen in the wild and was quite common by mid-to-late
February 2000. The official Microsoft security patch addressing the
vulnerability Kak depends on has been available since late-August
1999. That Kak became so widespread despite this further stresses
the importance of keeping up to date with security patches.

How to clean up:
By downloading and installing the latest updates your computer will be
protected.
If your computer is already infected then please use the following
steps.
1. Click Here to download a file called Kak.reg
2. Once the file has finished being downloaded, double click on the file
to run it. This file will reset the registry entry for Kak so that it will not be
loaded when you next reboot your computer.
3. Edit autoexec.bat to remove the 2 OTHER launch commands eg:
@echo off> C:\Windows\STARTM~1\Programs\StartUp\kak.hta
del C:\Windows\STARTM~1\Programs\StartUp\kak.hta
4. Remove kak file from startup group to remove OTHER launch
command. To do this, right click on the Start button, select Open, select
Programs, then Start Up. Next, right click on Kak and select the delete
option.
5. Open email client and note the name of the default signature file.
Delete this file using explorer. 
6. Remove the default signature file. 
7. Check that you have the latest anti-virus update, and if it is not the
latest, download and install it.
8. Run a full scan over your computer to clean up any infected files.
9. Download and install the eyedog patch which is available from
Microsoft at
http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
10. Close any applications that are open and reboot your computer.

Claudia Provin wrote:
> 
> I got an active X warning on Tracey's post about archives--it was also the
> one in html---Claudia
> 
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Ridecamp is a service of Endurance Net, http://www.endurance.net.
> Information, Policy, Disclaimer: http://www.endurance.net/RideCamp
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-- 
Bette Lamore
Whispering Oaks Arabians, Home of 16.2hh TLA Halynov
(yes, REALLY!)
http://www.arabiansporthorse.com
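The description forwarded above gives enough indicators to build a small triage and cleanup helper: the carrier form of the worm references the "Scriptlet.TypeLib" control and a hard-coded Startup-folder path for "kak.hta", the worm appends two recognisable lines to AUTOEXEC.BAT after backing the file up as AE.KAK, and it persists through a "cAgOu" value under the Run key. The Python below is an added example written for this page; it is not code from the RideCamp post, from Bette, or from the vendor description she pasted. The function names, the sample HTML, the sample AUTOEXEC.BAT contents and the sample registry values are all constructed for the example; the only real identifiers are the strings the description itself quotes. The AUTOEXEC.BAT repair follows the description's own rule: restore AE.KAK only when the live file is exactly the backup plus Kak's two lines, otherwise strip just those lines.

```python
"""Kak carrier triage and AUTOEXEC.BAT repair helper (added example; see lead-in)."""
import re

# Indicator strings quoted in the forwarded description; the matching logic is my own.
SCRIPTLET_PROGID = "Scriptlet.TypeLib"
KAK_STARTUP_PATHS = (
    r"C:\Windows\STARTM~1\Programs\StartUp",   # English-language Win9x
    r"C:\Windows\MENUDÉ~1\PROGRA~1\DÉMARR~1",  # French-language Win9x
)
KAK_RUN_VALUE = "cAgOu"  # value name Kak adds under HKLM\...\CurrentVersion\Run

# The two lines Kak appends to AUTOEXEC.BAT: an "echo off" redirected into
# kak.hta (truncating it to zero bytes) followed by a "del" of the same file.
KAK_BATCH_RE = re.compile(r"^\s*(?:@?echo\s+off\s*>|del\s+).*kak\.hta\s*$",
                          re.IGNORECASE)


def kak_indicators(html: str) -> list:
    """Return the Kak carrier indicators present in one HTML mail body."""
    lower = html.lower()
    found = []
    if SCRIPTLET_PROGID.lower() in lower:
        found.append("scriptlet_typelib")
    if "kak.hta" in lower:
        found.append("kak_hta")
    if any(p.lower() in lower for p in KAK_STARTUP_PATHS):
        found.append("hardcoded_startup_path")
    return found


def classify_message(html: str) -> str:
    """'kak' when the carrier's hallmarks are present, 'suspicious' when a
    message merely refers to Scriptlet.TypeLib, otherwise 'clean'."""
    found = set(kak_indicators(html))
    if {"scriptlet_typelib", "kak_hta"} <= found:
        return "kak"
    if "scriptlet_typelib" in found:
        return "suspicious"
    return "clean"


def repair_autoexec(current: list, backup) -> tuple:
    """Undo Kak's AUTOEXEC.BAT changes and report what was done.

    current: lines of the live AUTOEXEC.BAT.  backup: lines of AE.KAK, or
    None when no backup exists.  The backup is restored only when the live
    file is exactly backup + Kak's lines; if the file was edited after the
    infection, only Kak's two lines are removed.
    """
    kept = [line for line in current if not KAK_BATCH_RE.match(line)]
    if len(kept) == len(current):
        return "no_change", list(current)
    if backup is not None and kept == list(backup):
        return "restored_backup", list(backup)
    return "stripped_kak_lines", kept


def suspicious_run_entries(run_values: dict) -> list:
    """Flag Run-key values that look like Kak's persistence entry: the
    'cAgOu' name, or any value launching an .hta from C:\\Windows\\System."""
    hits = []
    for name, data in run_values.items():
        d = data.lower()
        if name == KAK_RUN_VALUE or (d.endswith(".hta")
                                     and d.startswith(r"c:\windows\system")):
            hits.append(name)
    return hits


# Constructed sample data (not captured from a real infection).
SAMPLE_CARRIER = (
    "<html><body><div>Hi all, see you at the ride.</div>"
    "<script>/* constructed: indicator strings only, no working code */"
    "var o = 'Scriptlet.TypeLib';"
    r"var p = 'C:\Windows\STARTM~1\Programs\StartUp\kak.hta';"
    "</script></body></html>"
)
SAMPLE_CLEAN = "<html><body><p>Plain ride report, no scripting.</p></body></html>"
SAMPLE_BACKUP = ["@echo off", r"PATH C:\Windows;C:\Windows\Command", r"SET TEMP=C:\TEMP"]
SAMPLE_INFECTED = SAMPLE_BACKUP + [
    r"@echo off> C:\Windows\STARTM~1\Programs\StartUp\kak.hta",
    r"del C:\Windows\STARTM~1\Programs\StartUp\kak.hta",
]
SAMPLE_RUN_KEY = {"cAgOu": r"C:\WINDOWS\SYSTEM\ABCDEF12.hta",  # constructed .hta name
                  "SystemTray": "SysTray.Exe"}

if __name__ == "__main__":
    print("carrier:", classify_message(SAMPLE_CARRIER), kak_indicators(SAMPLE_CARRIER))
    print("clean:  ", classify_message(SAMPLE_CLEAN))
    print("autoexec:", repair_autoexec(SAMPLE_INFECTED, SAMPLE_BACKUP))
    print("run key:", suspicious_run_entries(SAMPLE_RUN_KEY))
```

The message classifier is deliberately string-based: the description notes that minor variants produced by re-saving the code in different editors already slipped past some scanners, so matching on the control name and the hard-coded path rather than on an exact byte pattern is what a mail-gateway rule for this family would have done. The AUTOEXEC.BAT repair never touches anything but lines matching Kak's two commands, which is the safe default when AE.KAK cannot be trusted to reflect the current file.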


