VBS.Kak.Worm
(Infects hypertext files sent to Microsoft Outlook Express)
Delete the following files:
1. in windows delete kak.htm
2. in windows/system delete 898836E0.hta
3. in windows/start menu/programs/startup delete kak.hta
If you want to edit the registry (please be careful!) you can delete the following key, but I don't think it's necessary if you've deleted the above files:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\cAgOu
You can also delete the references to KAK in autoexec.bat (you find it by going to windows/system and double clicking on sysedit.exe).
To double check that you aren't sending the virus, (in Outlook Express) go to tools>options>signatures and make sure that kak.htm isn't selected as the sig file.
In order to close the security loophole that allows infection by this kind of virus (i.e. ones that propagate themselves via email sig files) you can apply this patch:
ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/Eyedog-fix/x86/q240308.exe
Note: Kak spreads via Email. If you are infected, you'll have been sending infected messages. You should check your Sent Items folder **after** applying **all** the fixes below and Email warnings (and an apology!) to everyone you've mailed since being infected.
Note^2: Too many descriptions of how to deal with Kak ignore the fact that infected users have mail folders full of infected messages which will hit them again next time they are read **if the security hole Kak depends on is not closed**. Thus, when cleaning up Kak you **MUST** follow my advice about Outlook Express security settings **AND** installing the MS security patch referred to at the end of this message.
In the prescribed order -- don't ask why, just do it:
First, stop using that machine for Email. In fact, close down all applications. In the instructions that follow, start any mentioned application **only** to perform the stated configuration changes, then exit the application.
Second, check the Restricted Sites security has *all* ActiveX support set to *disabled* (that prevents people choosing the wrong option when given the choice if "prompt" is set) and if not, set it that way. You do this on the Security tab of Tools/Internet Options in IE or the Security tab of the Internet Options control panel (they are both routes to the same controls). If you do not know how to check this, just select that zone and click the "Default Level" button to reset the defaults for that zone -- they are near enough.
Third, set Outlook Express so Email is considered to be in the Restricted Sites zone. This is on the Security tab of the Tools/Options dialog.
Fourth, delete the Signature definition in Outlook Express for each afflicted user identity (if you do not know what that means, you *probably* only have a single identity so only need to do it once). In theory, it is now safe to use Outlook Express 5 for reading and sending Email -- but don't...
Fifth, delete the file kak.htm from the Windows folder and the xxxxxxxx.hta file from the Windows system folder, where xxxxxxxx is an eight character string representing a hexadecimal number -- i.e. it consists of some combination of the characters 0-9 and A-F (898836E0.hta, as listed above, is one example). There could be more than one of these files -- they should be 4116 bytes in size -- delete them all. If there is more than one, then you should find out about Outlook Express user identities and tidy up the signature settings of all identities (that is more aesthetic than necessary, as deleting the kak.htm file effectively disables the signatures anyway).
Sixth, edit AUTOEXEC.BAT and delete the two lines involved in creating and deleting kak.hta in the Windows Startup folder. If AE.KAK exists in the root of C: and no changes have been made to AUTOEXEC.BAT since Kak infested the machine, you can delete (or rename) AUTOEXEC.BAT then rename AE.KAK to AUTOEXEC.BAT (it is a Kak install-time backup of AUTOEXEC.BAT). Check the Windows Startup folder and delete any file there named kak.hta.
Restart the machine and watch closely for a process called Drive Memory Error that **only** appears (and briefly) as a button on the taskbar. If that happens, you missed something or did it out of order. Start over. If you get here a second time and still have this process starting, please Email me for further assistance.
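As an added check (example code written for this page, not from the original post), this Python script looks for the Kak residue named in the steps above (kak.htm, the 4116-byte eight-hex-character .hta, kak.hta in Startup, AUTOEXEC.BAT lines mentioning kak.hta, and AE.KAK) under a given Windows folder; its demo() builds a constructed fake layout in a temporary directory rather than touching a real machine.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the cleanup steps above (paths assume the usual
# C:\WINDOWS layout; on a real FAT volume file names are case-insensitive).
HEX8_HTA = re.compile(r"^[0-9A-F]{8}\.hta$", re.IGNORECASE)
KAK_HTA_SIZE = 4116


def find_kak_residue(windows_dir, autoexec_path):
    """Return (kind, detail) pairs for every Kak indicator present; [] if clean."""
    win, ae = Path(windows_dir), Path(autoexec_path)
    found = []
    if (win / "kak.htm").is_file():                      # the signature file Kak installs
        found.append(("kak.htm", str(win / "kak.htm")))
    system = win / "system"
    for p in (system.iterdir() if system.is_dir() else []):
        if HEX8_HTA.match(p.name) and p.stat().st_size == KAK_HTA_SIZE:
            found.append(("hex.hta", str(p)))           # may be more than one
    startup = win / "Start Menu" / "Programs" / "StartUp" / "kak.hta"
    if startup.is_file():
        found.append(("startup", str(startup)))
    if ae.is_file():                                     # lines creating/deleting kak.hta
        for n, line in enumerate(ae.read_text(errors="replace").splitlines(), 1):
            if re.search(r"kak\.hta", line, re.IGNORECASE):
                found.append(("autoexec", f"line {n}: {line.strip()}"))
    if (ae.parent / "AE.KAK").is_file():                 # Kak's install-time backup
        found.append(("ae.kak", str(ae.parent / "AE.KAK")))
    return found


def demo():
    """Build a constructed (fake) infected layout in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    win = root / "WINDOWS"
    (win / "system").mkdir(parents=True)
    (win / "Start Menu" / "Programs" / "StartUp").mkdir(parents=True)
    (win / "kak.htm").write_text("<!-- constructed stand-in, not the worm -->")
    (win / "system" / "898836E0.hta").write_bytes(b"x" * KAK_HTA_SIZE)
    (win / "system" / "notkak.hta").write_bytes(b"x" * 10)   # wrong size: ignored
    (win / "Start Menu" / "Programs" / "StartUp" / "kak.hta").write_text("")
    (root / "AUTOEXEC.BAT").write_text(                    # constructed lines, not the real ones
        "@echo off\n"
        "copy 898836E0.hta \"C:\\WINDOWS\\Start Menu\\Programs\\StartUp\\kak.hta\"\n"
        "del \"C:\\WINDOWS\\Start Menu\\Programs\\StartUp\\kak.hta\"\n")
    (root / "AE.KAK").write_text("@echo off\n")
    return sorted(kind for kind, _ in find_kak_residue(win, root / "AUTOEXEC.BAT"))
```

Run find_kak_residue against the real Windows folder and C:\AUTOEXEC.BAT after the six steps; an empty result means none of the listed residue is left.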
Assuming that all has gone well, go to:
http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
read it and download the official MS patch that closes the security exploit that Kak depends on. After doing that, you can reset your Email security to the Internet zone, although I certainly do not recommend that!
After all this, you will almost surely have one or more messages carrying the Kak code in your Email folders. Unless MS re-introduces the security hole Kak depends on in a future IE update, those messages won't cause you any grief, though forwarding them to others would be unwelcome. Note also, that any copies to self you've kept will also have active Kak code in them. Short of getting a virus scanner that can parse OE mail files, the only vaguely satisfactory workaround to the "problem" of possibly forwarding an "infected" message is to configure all your user identities to send text-only Email rather than that HTML rubbish that is the OE default. Thus, setting text-only Email sending is a *very good idea*.
Finally, you either need to update your Anti-Virus protection (if you have any; it should have spotted this virus for you) or uninstall it and download e.g. InoculateIT at http://antivirus.cai.com/
This program is free and can be updated fortnightly.