Kak Virus

VBS KAK WORM VIRUS

Think you got the WScript.KAKworm virus?
What does it do?
How do you get rid of it?
Other pages to look at:
Misnomers about viri

Think you got it?

    Here is a listing of the symptoms seen so far.

- In the Start-Programs-Startup folder there is a file (typically hidden) called kak.hta.
- On bootup, the computer displays a "Memory Driver Error" message in a blank window.
- Occasionally a message comes up saying something like "Invalid Registry Entry Kak.Reg".
- Sporadic but frequent problems with Outlook Express 4.0 - 5.x (part of Internet Explorer 4.0 - 5.x).
- The system seems to drag more than normal.
- A new file in C:\ named AE.KAK.
- An attachment is placed on every outgoing mail you send.
- Friends and family complain that you are sending them a virus.

The Virus*

Name: Kak
Alias: Wscript.KakWorm, KakWorm

    WScript.KakWorm is a worm that attaches itself to every e-mail sent from the infected system. Despite the "VBS" label some scanners give it, it is written in JavaScript. It works on both English and French versions of Windows 95/98 when Outlook Express 4 or 5 (or Microsoft Outlook) is installed.

    The worm uses a known security hole in Internet Explorer's Scriptlet.TypeLib ActiveX control (Microsoft Security Bulletin MS99-032), which both mail programs rely on to display HTML mail: script inside an HTML message can write a file to disk. No attachment has to be opened; the message only has to be displayed, and the preview pane counts as displaying it. When a user views an infected message, the worm creates the file "kak.hta" in the Windows Startup directory. Without the MS99-032 patch the machine can be reinfected by the next Kak-carrying message, so apply it before or right after the clean-up below.

    When the system is restarted, the worm activates. It replaces "c:\autoexec.bat" with a batch file that deletes the worm from the Startup directory. The original "autoexec.bat" is copied to "C:\AE.KAK".

    It also modifies the message signature settings of both Outlooks, replacing the current signature file with the infected file, "C:\Windows\kak.htm".

    NOTE: A signature file is the text that is tacked on to the end of every e-mail sent (containing your name, address, phone number, e-mail address, etc.).

    Therefore every message sent with Outlook Express or Microsoft Outlook after that will contain the worm.

    Next it modifies the Windows registry in such a way that the worm is executed at every system startup. On the first day of each month, if the time is 1700 (5:00 pm) or later, the worm shows an alert box with the following text:

    Kagou-Anti-Kro$oft says not today!

KAK Taunt Screen

Then the worm causes Windows to shut down.

*Information courtesy of www.virusencyclopedia.com.

How do you get rid of it?

    In your C:\ directory, if you have a file called AE.KAK, delete your Autoexec.bat and rename AE.KAK to Autoexec.bat. Why? AE.KAK is actually the uninfected copy of your original Autoexec.bat, which the worm set aside when it replaced the real one with its own batch file.

    Open Microsoft Outlook or Outlook Express, whichever you use. In Outlook Express 5.x, under Tools-Options, look for a tab named Signatures. Under Edit Signatures, it will probably have the File button checked with a file name in the box: c:\windows\kak.htm (the infected signature file described above). Remove that file name. Unfortunately, your previous mail signature has probably been overwritten, so you will have to re-enter it. Microsoft Outlook is a bit of a different beast: depending on the version of MS Outlook you use, the Signatures settings live in a different place. As with Outlook Express, you need to remove kak.htm from your signature settings. Until this is done, every message you send still carries the worm.

    Open "My Computer" and click on "View-Folder Options". If you are running Windows 95 or the first edition of Windows 98, the first screen you see should have a "Show all files" selection at the top. Check that, then close that window and the My Computer window. In Windows 98 Second Edition, the window that pops up will have three tabs along the top. In the "View" tab there are three choices regarding hidden files: "Do not show hidden files", "Do not show hidden or system files" and "Show all files". You need to select "Show all files" to be able to remove this virus successfully, because the worm's files are hidden. Press "Apply" and close those two windows.

    Go to "START-Find-Files & Folders". In the "Named" box type kak.*;*.hta and make sure you have "My Computer" selected in the "Look in" box. This searches your computer for all files that start with kak or end in .hta, the common extension for this virus's files. Here is a list of possible files it will find:

- kak.reg
- kak.exe
- kak.htm
- kak.hta
- kak.txt
- ?????.hta (e.g. cAg0u.hta, F17015C0.hta)

    The last item is an alphanumeric file name ending in .hta in your "C:\Windows\System" folder. This file name has also been seen to be a rendition of the infection date (010101.hta for Jan 1st, 2001). From the "Find" window you can delete these files directly. Close the Find window and empty your Recycle Bin!!! If you don't, you risk the virus coming back.

NOTE: If you feel confident that you can redo the steps above, now is the time to look for the infected e-mail. If you can narrow down the date when you received the mail, that will help greatly. If not, here's what to do...

   Open up your e-mail program. Open an e-mail... then close it. If that was the infected e-mail, the kak.hta file will have returned to your START-Programs-Startup folder (remember that merely showing a message in the preview pane is enough to plant it, so check the Startup folder after each message you select). If not, continue until you find the infected mail. Or, if you feel you do not need any of your e-mail between the dates the virus came in on, delete them all. I understand the need to keep past e-mail, but don't risk your system or others because you need information from a mailing. Print it out, then delete it!

    Ok, you have just gotten rid of the nastiest part of the virus. The last part is VERY dangerous to do. Why? It requires editing your computer's Windows Registry. In brief, the Registry is like your DNA: it makes Windows operate, look and feel the way it's told to. The slightest mistake can wreck your machine; there is no Undo command, and no chance of escaping out without saving, because your changes are saved automatically. Don't worry too much, in Win98 and Win98SE there is a five-day rolling registry backup (the Registry Checker, ScanReg, keeps the last five copies). Win95 doesn't have an auto-backup unless you have installed a 3rd party program or the applet on the Win95 CD.

   If you do mess up your registry to the point the computer can no longer function properly, e-mail me and I can walk you through a hidden Win98 fix. I implore you, do not try to fix it yourself unless you know enough about the registry. Do not format or try to install/reinstall anything if your registry is screwed up, it will only make things worse.

    If you feel confident, you can continue. For those of you who don't feel so sure, no worry, you have already removed the harmful part of the virus.

    Here we go. With all of your other applications closed, go to Start-Run. In the box, type REGEDIT. When this window opens up, it will look much like the one below.

Registry Editor

    Open up the HKEY_LOCAL_MACHINE folder by clicking on the + not the folder! You will always click on the + in these instructions unless I say otherwise.

    Next, click on the Software +, then Microsoft's +, Windows' +, CurrentVersion's +, and finally click on the folder called Run. Looking at the right window pane you should see several items. One is a value named "cAg0u"; right-click on this entry and delete it. Sometimes this name varies slightly, but the value's data will still reference an *.hta file in the "c:\windows\system" directory, which is how you recognize it. After that, close the Registry Editor and reboot your computer. C'est fini!
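The Find step and the Run key check above can be done in one sweep from another machine, which avoids opening anything on the infected PC. The script below is an added example written for this page, not code from the original page or from any antivirus vendor. It walks a directory tree that stands in for the infected C: drive (a copied or mounted drive) and parses the text that REGEDIT writes when you choose "Registry - Export Registry File", reporting the indicators the page lists: C:\AE.KAK, any kak.* file, any .hta in the Startup or Windows\System folder, and any Run value whose data points at an .hta in Windows\System. It only reports; deletion stays a manual step. The sample drive layout and registry export it builds are constructed for the demonstration; the folder-name matching and the reg-export parsing are assumptions about typical Windows 9x layouts, not something the worm's author documented.

```python
"""Indicator sweep for the Kak worm clean-up described on this page (added example)."""
import os
import re
import tempfile

# Folder suffixes the page names as drop locations, compared case-insensitively
STARTUP_MARK = "\\startup"          # ...\Start Menu\Programs\StartUp
SYSTEM_MARK = "windows\\system"     # C:\Windows\System, home of the random-named .hta
RUN_SUFFIX = "\\currentversion\\run"
HTA_IN_SYSTEM = re.compile(r"\\windows\\system\\[^\\]+\.hta", re.IGNORECASE)


def scan_tree(root):
    """Walk root (a stand-in for C:\\) and return sorted suspicious relative paths.

    Flags C:\\AE.KAK (the worm's copy of the real autoexec.bat), any kak.* file,
    and any .hta file inside the Startup or Windows\\System folder.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "\\")
        folder = "" if rel_dir == "." else rel_dir.lower()
        for name in files:
            low = name.lower()
            rel = name if not folder else rel_dir + "\\" + name
            if low == "ae.kak" and not folder:
                hits.append(rel)
            elif low.startswith("kak."):
                hits.append(rel)
            elif low.endswith(".hta") and (folder.endswith(STARTUP_MARK)
                                           or folder.endswith(SYSTEM_MARK)):
                hits.append(rel)
    return sorted(hits)


def scan_reg_export(text):
    """Parse REGEDIT4 export text; return [(key, value_name, data)] for values
    under any ...\\CurrentVersion\\Run key whose data names an .hta in Windows\\System.

    REGEDIT4 doubles every backslash inside string data, so it is folded back first.
    """
    findings = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not key.lower().endswith(RUN_SUFFIX):
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if HTA_IN_SYSTEM.search(data):
            findings.append((key, name, data))
    return findings


def build_sample_tree():
    """Create a temp directory laid out like an infected Win98 C: drive (constructed sample)."""
    root = tempfile.mkdtemp(prefix="kak_demo_")
    startup = os.path.join(root, "Windows", "Start Menu", "Programs", "StartUp")
    system = os.path.join(root, "Windows", "System")
    os.makedirs(startup)
    os.makedirs(system)
    os.makedirs(os.path.join(root, "My Documents"))
    samples = {
        os.path.join(root, "autoexec.bat"): "@echo off\n",            # worm's replacement
        os.path.join(root, "AE.KAK"): "@echo off\nSET PATH=C:\\WINDOWS\n",  # original
        os.path.join(startup, "kak.hta"): "<html>constructed placeholder</html>\n",
        os.path.join(system, "F17015C0.hta"): "<html>constructed placeholder</html>\n",
        os.path.join(root, "Windows", "kak.htm"): "<html>constructed placeholder</html>\n",
        os.path.join(system, "shell32.dll"): "benign\n",               # must not be flagged
        os.path.join(root, "My Documents", "notes.txt"): "benign\n",   # must not be flagged
    }
    for path, body in samples.items():
        with open(path, "w") as fh:
            fh.write(body)
    return root


# Constructed REGEDIT4 export: one Kak-style Run value plus two benign ones
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"cAg0u"="C:\\WINDOWS\\SYSTEM\\F17015C0.hta"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"""

if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print("file:", hit)
    for key, name, data in scan_reg_export(SAMPLE_REG):
        print("registry:", key, name, "=", data)
```

Point scan_tree at the real drive root and scan_reg_export at the real export, then remove by hand exactly what it lists, restore autoexec.bat from AE.KAK, fix the signature setting, and empty the Recycle Bin as described above. Because the registry check keys on "an .hta under Windows\System" rather than on the name cAg0u, it still catches the variants the page mentions whose value name differs.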

Counter (since July 10th, 2000) of people who have had this virus and have successfully removed it using this page: [hit counter not captured]

I, the author, claim no responsibility if there are any unwanted effects or damages to your computer (software/hardware). To use this fix is your choice alone.
Webmaster, cppanthers.org

All materials posted on this site are the property of Commodore Perry School District unless otherwise posted.
Copyright ©1955-2012