Sophos

VBS/Kakworm-Z

Aliases
  • Mid/Kakworm-Z

Summary

 
Detected by All Sophos products

More Information

VBS/Kakworm-Z is a variant of the VBS/Kakworm worm.

The worm will run if the user has Internet Explorer, Outlook or Outlook Express, but it will only spread to other users if Outlook Express 5.0 is used to send email.

Even if you receive an infected message, you cannot be affected unless you have an Internet Explorer based product installed.

The worm arrives embedded in an email message as the message's HTML signature. The recipient sees no visible symptoms because the signature contains no displayable text.

If the user opens or previews the infected email message, the worm drops the file BAP.HTA into the Windows start-up folder. BAP.HTA runs the next time Windows is started, creating the file C:\WINDOWS\BAP.HTM and changing the Microsoft Outlook Express registry settings so that BAP.HTM is automatically included in every outgoing message as a signature. BAP.HTA also changes the Windows registry to execute itself and sets the Internet Explorer home page to the members page of www.ignifuge.com.

www.ignifuge.com is an advertising site whose members are rewarded if they persuade their friends/colleagues to visit the site.

Note: If full scanning is used to detect the worm in email, Sophos Anti-Virus will report it as Mid/Kakworm-Z. This is due to the infection technique used by the worm.
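A triage check built from the indicators in the description above (the two dropped file names and the ignifuge.com home page). This is an added example, not Sophos code. It assumes the registry is available as a regedit text export and the disk as a mounted directory; the function names, the sample export and the placeholder key are constructed for illustration.

```python
import os
import re

# Indicators taken from the description above.
DROPPED_FILES = {"bap.hta", "bap.htm"}
REG_STRINGS = ("bap.hta", "bap.htm", "ignifuge.com")

# Constructed sample of a regedit text export. The second key and both
# matching values are placeholders, not details from the Sophos description.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.ignifuge.com/<members-page>"
"Search Page"="http://www.example.com/"

[HKEY_LOCAL_MACHINE\Software\Example\Placeholder]
"placeholder"="C:\\<start-up folder>\\BAP.HTA"
'''


def find_dropped_files(root):
    """Walk a drive or mounted image for BAP.HTA / BAP.HTM, ignoring case."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files
                 if f.lower() in DROPPED_FILES]
    return sorted(hits)


def scan_reg_export(text):
    """Return (key, line) pairs whose value line mentions an indicator."""
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        section = re.match(r"^\[(.+)\]$", line)
        if section:
            key = section.group(1)
        elif key and any(s in line.lower() for s in REG_STRINGS):
            hits.append((key, line))
    return hits


if __name__ == "__main__":
    for key, line in scan_reg_export(SAMPLE_REG):
        print(f"{key}: {line}")
    for path in find_dropped_files(os.getcwd()):
        print("file:", path)
```

Matching on the values rather than on fixed key names reports whichever registry keys reference the dropped files, since the description does not name them.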
