Trojan:JS/Kak.gen is the generic detection for samples of malware that may spread via e-mail. However, since its spreading mechanism relies on an exploit for software that is no longer available, all current samples are effectively trojans.
Installation
Once executed, Trojan:JS/Kak.gen creates a copy of itself in the system as:
<startup folder>\kak.hta
Note - <startup folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
Its presence in the startup folder ensures that it is run every time Windows starts.
It also modifies the file autoexec.bat to launch its copy. The original autoexec.bat file is saved in the system drive as ae.kak.
It also creates a copy of itself in the system as:
<system folder>\<identity>.hta
where <identity> is the data of the registry value 'Default User ID' under the subkey HKCU\Identities.
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It then modifies the system registry to enable this malware copy to run every time Windows starts:
Adds value: "cAg0u"
With data: "<system folder>\<identity>.hta"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spreads Via...
E-mail messages
Trojan:JS/Kak.gen may spread by creating a copy of itself in the system as %windir%\kak.htm. This malware then configures Microsoft Outlook to use this HTM file as the default signature in all outgoing HTML-formatted e-mail messages by running a dropped file called %windir%\kak.reg.
However, to successfully spread, this malware uses a vulnerability in Internet Explorer 4.0 and 5.0 as discussed in Microsoft Security Bulletin MS99-032. Both of these Internet Explorer versions are no longer supported by Microsoft; therefore this spreading routine is no longer effective.
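The following Python script is an added defender-side example and is not part of the original advisory. It triages the persistence and mailer artifacts described under Installation and Spreads Via (the Startup-folder kak.hta, the modified autoexec.bat and its ae.kak backup, the cAg0u Run value pointing at an .hta in the system folder, and kak.htm/kak.reg in %windir%) against data already collected from a host: a Regedit text export of the Run key, directory listings, and the lines of autoexec.bat. Nothing here touches a live system. The export text, file listings and autoexec.bat line are constructed samples; the {IDENTITY-PLACEHOLDER} file name stands in for the <identity> value the advisory describes, and the helper names are this example's own.

```python
from __future__ import annotations
import re

# Registry key the advisory names (Regedit export spelling of HKLM).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse a 'Windows Registry Editor Version 5.00' text export into
    {key_path: {value_name: data}}. Only REG_SZ lines ("name"="data") are
    handled, which is all this triage needs."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
        if m and current is not None:
            # Undo the export's escaping: \\ -> \ and \" -> "
            name, data = (s.replace('\\\\', '\\').replace('\\"', '"') for s in m.groups())
            keys[current][name] = data
    return keys


def find_kak_indicators(reg_export: str, startup_files: list[str], windir_files: list[str],
                        root_files: list[str], autoexec_lines: list[str]) -> list[str]:
    """Return a human-readable finding for each Kak artifact present in the collected data."""
    findings: list[str] = []
    # Startup-folder copy: <startup folder>\kak.hta
    if any(f.lower() == "kak.hta" for f in startup_files):
        findings.append("startup-folder copy: kak.hta")
    # autoexec.bat modified to launch the copy
    if any(re.search(r"\bkak\.hta\b", line, re.I) for line in autoexec_lines):
        findings.append("autoexec.bat launches kak.hta")
    # Backup of the original autoexec.bat on the system drive
    if any(f.lower() == "ae.kak" for f in root_files):
        findings.append("original autoexec.bat saved as ae.kak")
    # Run value "cAg0u" (or any Run value whose data is an .hta) in HKLM\...\Run
    run_values = parse_reg_export(reg_export).get(RUN_KEY, {})
    for name, data in run_values.items():
        if name.lower() == "cag0u" or data.lower().endswith(".hta"):
            findings.append(f"Run value {name} -> {data}")
    # Mailer artifacts dropped in %windir%: kak.htm (Outlook signature) and kak.reg
    for f in windir_files:
        if f.lower() in ("kak.htm", "kak.reg"):
            findings.append(f"mailer artifact in %windir%: {f}")
    return findings


# Constructed sample data (not taken from a real host).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"cAg0u"="C:\\WINDOWS\\SYSTEM32\\{IDENTITY-PLACEHOLDER}.hta"
"""

CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"""

INFECTED_HOST = dict(
    reg_export=SAMPLE_REG_EXPORT,
    startup_files=["desktop.ini", "kak.hta"],
    windir_files=["win.ini", "kak.htm", "kak.reg"],
    root_files=["autoexec.bat", "ae.kak", "config.sys"],
    # Constructed launch line; the advisory only states that autoexec.bat is modified.
    autoexec_lines=["@echo off", r"start C:\WINDOWS\Start Menu\Programs\StartUp\kak.hta"],
)


def triage_infected_sample() -> list[str]:
    return find_kak_indicators(**INFECTED_HOST)


def triage_clean_sample() -> list[str]:
    return find_kak_indicators(CLEAN_REG_EXPORT, ["desktop.ini"], ["win.ini"],
                               ["autoexec.bat", "config.sys"], ["@echo off"])


if __name__ == "__main__":
    for finding in triage_infected_sample():
        print(finding)
    print("clean host findings:", triage_clean_sample())
```

Matching on the value name cAg0u alone would miss a variant that renames it, so the Run-key check also flags any Run value whose data points at an .hta file; on hosts of this era that is unusual enough to be worth a look, and an analyst can whitelist legitimate entries from the returned list.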
Additional Information
If the date is the first of the month and the time is 5:00 pm, Trojan:JS/Kak.gen displays the following text and shuts down the computer:
"Kagou-Anti-Kro$oft says not today !"
Analysis by Patrik Vicol