In this issue:
------------------------------------
1. The KAK virus fires up on the 1st of the month
Are you being Kak'd?
The Bottom Line
-----------------------------------------------
Kak is a JavaScript worm received via email.
On the first day of each month, if
it is 1800 hours (6pm) or later, an alert box will
be displayed and Windows will be shut down.
Kak affects English and French versions of
Windows 95/98 running Outlook Express 5.0.
Many antivirus products do not completely
rid your system of the Kak virus,
allowing reinfection to happen.
What You Should Do
-----------------------------------------------
Run the Kak removal tools (below)
Install the Microsoft patch (below)
Removing KAK Automatically
-----------------------------------------------
There are two variants of the Kak virus in the wild.
You may have the Wscript.KakWorm or the
Wscript.KakWorm.B variant.
Symantec has published tools to remove both versions
and, for your convenience, we have made them both
available from our own servers.
Download both tools and save them to your Desktop
(or some other folder on your hard drive). It might
be a good idea to make a folder called VirusTools so
that you can keep these around in the event that you
get reinfected.
Run each tool as described here:
1. Close all programs.
2. Double-click the file FixKak.exe to run it.
A Repair Tool dialog box will appear.
3. Click Remove. One of the following three messages
will appear after you click Remove:
"Your computer is not infected."
(Your system is safe, and you do not need to
do anything.)
"Your computer has been successfully restored."
(The worm has been removed, and your system
is now free of the damage done by the worm.)
"An error occurred during execution of this program."
(The removal tool has encountered a problem
that it cannot fix. You must manually remove
the virus. Refer to the instructions below for
manually removing the KAK virus.)
4. Repeat the process, this time running FixKakB.exe.
IF BOTH TOOLS HAVE RUN SUCCESSFULLY, DO THIS:
Your inbox is likely full of Kak infected emails.
Before doing ANYTHING else, please install the
patch from Microsoft to avoid reinfecting yourself
and others. We have made the patch available on
our servers for your convenience. Get it here:
Save the patch to your desktop (or some other folder
on your hard drive) and run it to install the patch
for Outlook Express.
The final thing you should do to protect from KAK and
other mail viruses is follow the instructions we
have provided for changing a few of your default
Windows settings. These are one time changes and well
worth the small amount of time it will take to do them.
"Do this first..." article
"Disable Your Preview Pane Now!" article
"Disable hiding of file extensions" article
IF THE TOOLS WERE UNABLE TO REMOVE KAK, DO THIS:
Manually Remove KAK
--------------------------------------------------
Follow these step-by-step
instructions to rid yourself of the infection and
prevent future infections from occurring.
1. Set the Restricted Sites security zone to disable all
ActiveX. (In fact, I would disable Java while there).
Do this from Internet Explorer by selecting the
following menu items:
Tools | Internet Options | Security | Restricted
Sites | Custom Level
Note: Just setting the restrictions to High will not
work. You must choose Custom Level and scroll through
the list making the necessary changes. If you are
unable to follow this step, it may be a good idea
to ask an experienced friend for assistance.
2. Open Outlook Express (if not already open) and add
it to the Restricted Zone. Do this by choosing
Tools | Options | Security
and select the Restricted Zone.
3. Also from Outlook Express, go to
Tools | Options | Signatures.
If there are any signatures listed, click on them
and choose remove. Do this for every signature
listed. If you use the signature feature of OE,
you will need to recreate them when you
have finished disinfecting your system. You need
to repeat this step for each identity used in
Outlook Express. You can switch to the different
identities by choosing
File | Identities | Switch Identities
4. Using Windows Explorer, or at a command prompt,
browse to C:\Windows and delete the file: Kak.htm.
5. Using Windows Explorer, or at a command prompt,
browse to C:\Windows\System and delete any .hta files
found whose names are made up of a combination of the
characters A-F and 0-9, or that are 4116 bytes in size.
NOTE: These are hidden files; in order to see
them you will first have to change the hidden
attribute. If using the DOS command prompt, use
the ATTRIB command. If using Windows Explorer,
go to
Tools | Folder Options | View,
and select "Show hidden files and folders".
6. In the root of C:\, rename your AUTOEXEC.BAT
file to AUTOEXEC.OLD and rename AE.KAK to
AUTOEXEC.BAT. (Or you can edit the existing
AUTOEXEC.BAT to remove the two lines pertaining
to KAK).
7. Delete KAK.HTA from the Windows\Startup folder.
Do this by right-clicking on the Start button,
then click "Open". In the window that comes up,
double-click on the "Programs" folder. Look
for the "Startup" folder and double-click it.
You should now see the contents of the
"Startup" folder. These are all programs that
start automatically when you boot up your PC.
If you see "Kak.HTA" or any other ".HTA" file,
delete it. When done, close the window.
8. Clean Kak from your system registry. Do this
by clicking START | RUN, then type MSCONFIG as
the program to run and press Enter. Click
the "Startup" tab and look at each item in the
startup list. You are looking for one that says
"cAg0u" and you may have to scroll to the right
to see the entire lines in the startup list.
WARNING: if you find "cAg0u", remove the check
mark from it, but DO NOT remove any other check
marks from the other startup items as you will
risk damaging Windows, possibly to the point
where it will not boot.
9. Reboot the PC. Watch the Windows startup sequence
carefully. If you see "Driver Memory Error"
appear very briefly in the taskbar, you missed a
part of the above process and should repeat the
steps again.
10. If you do not follow this next step, reinfection
is very likely to reoccur! Remember, Kak can
infect simply by previewing a message. Refer to
the "Disable Your Preview Pane Now!" article
in the VACM Archives at:
11. Your inbox is likely full of Kak infected emails.
Before doing anything else, please install the
patch from Microsoft to avoid reinfecting yourself
and others. Get the patch from here:
The final thing you should do to protect from KAK and
other mail viruses is follow the instructions we
have provided for changing a few of your default
Windows settings. These are one time changes and well
worth the small amount of time it will take to do them.
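As an added check that is not part of this newsletter or of Symantec's tools, the following Python script implements the file-system indicators from manual-removal steps 4 to 7 (Kak.htm in Windows, hex-named or 4116-byte .hta files in System, AE.KAK and the KAK lines in AUTOEXEC.BAT, any .HTA in the Startup folder) against a folder standing in for the C: drive. The Win9x Startup path under Start Menu\Programs and the constructed sample tree it builds are assumptions, and it does not look at the "cAg0u" registry entry from step 8.

```python
import os
import re
import tempfile
KAK_HTA_SIZE = 4116  # size of the dropped .hta file, as stated in the article
HEX_HTA = re.compile(r"^[0-9A-F]+\.HTA$")  # names built only from A-F and 0-9

def _entries(folder):
    """Upper-cased name -> path (case-insensitive like DOS); os.listdir shows hidden files too."""
    names = os.listdir(folder) if os.path.isdir(folder) else []
    return {n.upper(): os.path.join(folder, n) for n in names}

def find_kak_artifacts(root):
    """Return [(indicator, path)] for each artifact in manual-removal steps 4-7; root stands in for C:."""
    hits = []
    windows = os.path.join(root, "WINDOWS")
    # Step 4: Kak.htm in the Windows folder
    win_files = _entries(windows)
    if "KAK.HTM" in win_files:
        hits.append(("kak.htm in Windows", win_files["KAK.HTM"]))
    # Step 5: .hta files in System named only with hex characters, or exactly 4116 bytes long
    for name, path in _entries(os.path.join(windows, "SYSTEM")).items():
        if name.endswith(".HTA") and (HEX_HTA.match(name) or os.path.getsize(path) == KAK_HTA_SIZE):
            hits.append(("suspicious .hta in System", path))
    # Step 6: the worm's copy of the original AUTOEXEC.BAT, plus the lines it added to the live one
    root_files = _entries(root)
    if "AE.KAK" in root_files:
        hits.append(("AE.KAK copy of AUTOEXEC.BAT", root_files["AE.KAK"]))
    if "AUTOEXEC.BAT" in root_files:
        with open(root_files["AUTOEXEC.BAT"]) as f:
            for lineno, line in enumerate(f, 1):
                if "KAK" in line.upper():
                    hits.append(("AUTOEXEC.BAT line %d mentions KAK" % lineno, root_files["AUTOEXEC.BAT"]))
    # Step 7: any .HTA file in the Startup folder (assumed Win9x path under Start Menu\Programs)
    for name, path in _entries(os.path.join(windows, "Start Menu", "Programs", "StartUp")).items():
        if name.endswith(".HTA"):
            hits.append((".hta in Startup", path))
    return hits

def build_sample_tree():
    """Constructed sample drive of empty/junk stand-in files, NOT real worm files."""
    root = tempfile.mkdtemp(prefix="kak_sample_")
    os.makedirs(os.path.join(root, "WINDOWS", "SYSTEM"))
    os.makedirs(os.path.join(root, "WINDOWS", "Start Menu", "Programs", "StartUp"))
    for rel, body in [("WINDOWS/Kak.htm", b""), ("WINDOWS/SYSTEM/A1B2C3.hta", b""),
                      ("WINDOWS/SYSTEM/other.hta", b"x" * KAK_HTA_SIZE), ("WINDOWS/SYSTEM/legit.hta", b"harmless"),
                      ("AE.KAK", b""), ("WINDOWS/Start Menu/Programs/StartUp/KAK.HTA", b""),
                      ("AUTOEXEC.BAT", b"@ECHO OFF\nREM constructed line about KAK\nREM second constructed KAK line\n")]:
        with open(os.path.join(root, rel), "wb") as f:
            f.write(body)
    return root
```

Run `find_kak_artifacts(build_sample_tree())` to see the seven constructed indicators reported; `legit.hta` is left alone because it matches neither the hex-name nor the size criterion.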
Best Regards,
Marc Deschenes, VACM Editor
The VACM Project at
Automated PC Solutions
*** Be sure to check out the appendix at the end of this alert

******** APPENDIX - Handy How-To Tips **********

* How To Boot into Safe Mode
Shut the computer down so that the power is off.