In the ongoing series on computer viruses, we have already given considerable attention to the anatomy of a virus, its symptoms and its modes of infection. In this article I am going to talk about worms. These are a special type of virus in the sense that they exist more to annoy you than to cause destruction. We will also take a look at kak.worm, the latest offering of the underground in this category.
A worm is a self-contained program, or set of programs, that can propagate from one machine to another. Unlike a virus, a computer worm does not need to modify a host program in order to spread. The first notable instance of a worm was the Internet Worm, which supposedly originated in 1988. It infected almost 6000 machines connected to the Internet running SunOS and UNIX. This figure may not sound alarming today, when there are millions of machines connected to the net, but it was a totally chaotic situation then, when the ratio of infected machines to the total was substantial.
The most important characteristic of a worm is that it must be able to send one or more executable programs to target client machines connected to a network before it can function. After the worm has established itself and is executing on a new machine, it can then spread to other machines on the Internet. Earlier versions of Win 95 (OSR1) did not provide a remote execution facility, and hence worms for the PC platform were few. But today, worms are a lot more intelligent than they used to be. Written mostly in Visual Basic Script (VBScript), they now use intelligent algorithms to avoid detection and promote mass spread.
Today, worms use email clients as their mode of infection. The actual modus operandi may vary from worm to worm. I will take the case of kak.worm to illustrate how a worm spreads and executes:
Method of Infection
Kak.worm consists of the main .vbs file Kak.htm, which resides in the Windows folder, along with Kak.reg, which contains all the configuration of the worm. The worm attaches kak.htm as a signature to all outgoing mails from the infected computer. This signature is not visible, and it does not need to be executed for you to get infected, because it uses the loophole in the Outlook Express preview window. So as soon as you view the mail, you are infected.
How does the Worm work?
The worm adds a .HTA file in the Windows\System folder. There is a registry value in the Run key (run Regedit.exe and then go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run) which starts this HTA file each time Windows starts or reboots. Autoexec.bat is also modified, and an entry is added to the Startup folder. So it attacks from three directions (registry, Autoexec.bat and Startup folder), in case one fails.
What does it do?
As mentioned earlier, it does not cause data loss. It produces an irritating Driver Memory Error on startup and sends itself out along with all your emails.
How do I remove it?
Change Folder Options to show all files. Then delete kak.htm and kak.reg from the Windows folder and the .hta file from the System folder. Then remove the registry value for the .hta file from the location specified above. Delete the Startup folder entry and the entry in Autoexec.bat. If you are not comfortable with registry editing, you can go to Symantec.com and search there for kak.worm; they have a patch to remove kak. To fix the Outlook Express preview loophole, go to Microsoft.com. There are a lot of valuable resources on viruses on the Net. Check the Virus section of links. Also, searching for kak.worm on Google.com may give you more of what you are looking for.
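As an added example (not part of the original article and not any vendor's removal tool), the following Python script audits the three restart hooks described above (Run key, Autoexec.bat, Startup folder) together with the worm's own files in the Windows folder, and turns whatever it finds into a removal checklist in the same order as the steps given here. It runs over constructed sample data rather than a live registry or disk: the Run value name "WormStart", the paths and the folder listings are all made up for the example. It also generalises slightly beyond kak: any .hta or script launcher started from those three places is flagged, not only one named kak.hta.

```python
"""Audit Kak-style persistence points and build a removal checklist.

Added example, run over constructed sample data (no registry or disk access).
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Launchers that should not normally start from these locations on a
# Windows 9x workstation: HTML Applications and script files.
SUSPECT_EXT = re.compile(r"\.(hta|vbs|vbe|js|jse)\b", re.IGNORECASE)
# Files the article names as the worm's own components (compared case-insensitively).
KAK_FILES = {"kak.htm", "kak.reg"}
# Lines in Autoexec.bat that are comments and therefore never executed.
BAT_COMMENT = re.compile(r"(?i)rem\b|::")


@dataclass(frozen=True)
class Finding:
    location: str   # run_key | autoexec | startup | windows_folder
    detail: str     # what was seen
    action: str     # the removal step for that location


def audit_run_key(values: dict[str, str]) -> list[Finding]:
    """values: value name -> command, as exported from the CurrentVersion\\Run key."""
    return [
        Finding("run_key", f"{name} = {cmd}",
                f"delete Run value '{name}' and the file it launches ({cmd})")
        for name, cmd in values.items() if SUSPECT_EXT.search(cmd)
    ]


def audit_autoexec(text: str) -> list[Finding]:
    """Flag active (non-comment) Autoexec.bat lines that launch a script or HTA."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or BAT_COMMENT.match(line):
            continue
        if SUSPECT_EXT.search(line):
            findings.append(Finding("autoexec", f"line {lineno}: {line}",
                                    f"remove line {lineno} from Autoexec.bat"))
    return findings


def audit_startup(entries: list[str]) -> list[Finding]:
    """entries: file names found in the Startup folder."""
    return [Finding("startup", e, f"delete '{e}' from the Startup folder")
            for e in entries if SUSPECT_EXT.search(e)]


def audit_windows_folder(listing: list[str]) -> list[Finding]:
    """listing: file names in the Windows folder (hidden files included)."""
    return [Finding("windows_folder", f, f"delete '{f}' from the Windows folder")
            for f in listing if f.lower() in KAK_FILES]


def run_audit(run_key: dict[str, str], autoexec: str,
              startup: list[str], windows_folder: list[str]) -> list[Finding]:
    return (audit_windows_folder(windows_folder) + audit_run_key(run_key)
            + audit_autoexec(autoexec) + audit_startup(startup))


def removal_plan(findings: list[Finding]) -> list[str]:
    """Ordered checklist: the worm's files first, then the three restart hooks."""
    order = {"windows_folder": 0, "run_key": 1, "startup": 2, "autoexec": 3}
    return [f.action for f in sorted(findings, key=lambda f: order[f.location])]


# Constructed sample data (hypothetical names; not captured from a real machine).
SAMPLE_RUN_KEY = {
    "SystemTray": "SysTray.Exe",
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "WormStart": r"C:\WINDOWS\SYSTEM\kak.hta",   # hypothetical value name
}
SAMPLE_AUTOEXEC = "\n".join([
    "@ECHO OFF",
    "SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND",
    "REM start C:\\old\\test.vbs   (commented out, must not be flagged)",
    "C:\\WINDOWS\\SYSTEM\\kak.hta",
])
SAMPLE_STARTUP = ["Microsoft Office Shortcut Bar.lnk", "kak.hta"]
SAMPLE_WINDOWS_FOLDER = ["win.com", "KAK.HTM", "Kak.reg", "notepad.exe"]

if __name__ == "__main__":
    findings = run_audit(SAMPLE_RUN_KEY, SAMPLE_AUTOEXEC,
                         SAMPLE_STARTUP, SAMPLE_WINDOWS_FOLDER)
    for step in removal_plan(findings):
        print(step)
```

The script only reports and lists steps; it deliberately does not touch the registry or delete anything, so the checklist can be reviewed before following the manual procedure above. Note that the Windows folder check depends on the listing including hidden files, which is why the article's first step is to change Folder Options to show all files.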
Next time, we shall take a look at Email Virus Hoaxes. Till then, hang on.