First published: 31st March 2000
Irok and Kak worms spreading globally
Espoo, Finland, March 30, 2000; Hong Kong, China, March 31, 2000 - F-Secure Corporation, a leading provider of centrally-managed, widely distributed security solutions, is warning computer users about two new e-mail worms that are currently spreading rapidly in several locations around the world. The Irok and Kak worms both spread via e-mail as electronic chain letters, much like the infamous Melissa virus did exactly one year ago. F-Secure Anti-Virus will protect users against these new threats.
Allan Dyer, of Yui Kee Co., said, "We currently have no reports of these worms in Hong Kong. There are commonly differences in the distribution of these outbreaks - for example, Melissa had very little effect in Asia, but Ska (Happy99) is still quite common."
Technically, the Irok and Kak worms operate in very different ways, but both spread via Microsoft Outlook e-mail and are very widespread right now. The biggest difference to the end user is that Irok arrives in an attachment called IROK.EXE while Kak arrives in a normal e-mail which apparently has no attachment at all.
Both worms are only a threat to Microsoft Windows users and both worms only spread further via the Microsoft Outlook e-mail application.
The Irok worm spreads as a 10001-byte sized program called IROK.EXE. It works under Microsoft Windows 95, 98, NT and 2000. It replicates further via e-mail if Microsoft Outlook is available. It does not work with Outlook Express.
When IROK.EXE is executed, the worm modifies the system so that during next time the machine is started, the worm will send an e-mail message to 60 e-mail addresses found in Outlook's address books. These addresses can be addresses of individual people or group addresses (such as mailing lists).
The message that the worm spreads itself with looks as follows:
From: (name of the infected user)
To: (random e-mail address from address book)
Subject: I thought you might like to see this.
Text: I thought you might like this. I got it from paramount pictures website. It's a startrek screen saver.
Attachment: IROK.EXE
The virus also tries to locate the mIrc chat client and will attempt to modify it to spread the virus further via chat channels, and it infects COM and EXE program files found on the local hard drive.
Eventually, the virus will display a long message on the screen and will try to overwrite files on the hard drive.
The Kak worm is written in Javascript. It works under English and French versions of Windows 95/98; it does not work under Windows NT or Windows 2000. Kak replicates further via e-mail only if Outlook Express 5.0 is installed - it does not work with normal Microsoft Outlook.
The worm uses a known security vulnerability in Outlook Express to execute automatically when e-mail is viewed. Once the user receives an infected email message, and opens or views the message in the preview pane, the worm modifies the system in such a way that the next time the machine is started, the standard e-mail signature of the user is replaced with a HTML file infected by the virus.
As a result, every e-mail message after that will contain the worm and will infect the recipient's machine as soon as it is opened in Outlook Express.
The Kak worm activates on the first day of each month if the machine is restarted after 5 pm. At this time the virus will show this message:
Kagou-Anit-Kro$oft say not today!
After this, the worm will shut down Windows, but no permanent damage is done.
The Outlook Express security hole exploited by this worm can be closed by disabling "Active Scripting" in Outlook Express Preferences. Microsoft [NASDAQ: MSFT] has also done an update to fix this problem. The update has been available since August 1999.
"It is disturbing to see that virus writers continue to harass innocent bystanders with their creations," says Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. "The virus writers have absolutely nothing to gain and everything to lose by writing these things. Obviously they learnt nothing from what happened to the author of Melissa."
Mr. David L. Smith, the alleged author of the Melissa e-mail worm that went around the world year ago (on March 28, 1999), has pleaded guilty to a second-degree charge of computer theft in December 1999 in New Jersey Superior Court. He faces a five to ten year prison term and up to a $150,000 fine.
Both Irok and Kak worms can be stopped with up-to-date anti-virus software. F-Secure Corporation has added detection of these worms to the latest version of F-Secure Anti- Virus.