ARCHIVED: What is the Kak worm, and how can I remove it from my computer?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

Kak is a worm that spreads using a security hole in the signature file in Microsoft Outlook Express. Although this worm can be forwarded or detected in email messages on a Windows NT, 2000, or XP system, it infects only Windows 95, 98, and Me systems. Once Kak infects Outlook Express, it will send copies of itself with every email message you send. The recipients' computers will not be infected unless they use Outlook Express.

Unlike other common worms and viruses that are spread via email messages, the Kak worm does not require the recipient to open an attachment to infect the computer. Simply reading the infected email message will cause the worm to infect the system.

Note: Microsoft has patched this security hole. The patch is available at:

  http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm

A computer infected with the Kak worm will shut down on the first day of the month at 5pm, after displaying the following message:

"Kagou-Anti-Kro$oft says not today!"

How to remove Kak

Note: Symantec has created an interactive tutorial to aid in removing Kak. Please see:

  http://www.symantec.com/techsupp/virusremoval/virusremoval_info_tutorial.html

Symantec also offers a Wscript.Kakworm Removal Tool, which is the preferred method for removing Kak. For this tool, please see:

  http://www.sarc.com/avcenter/venc/data/wscript.kakworm.fix.html

If you would prefer to remove the worm manually, follow these steps:

  1. Delete the following files from your computer if they exist. Depending on when the worm infected your computer and whether or not you've restarted the computer since it became infected, some of the files may not exist on your computer. Also, the (filename) part of the .hta file's name differs from one system to another.
      C:\Windows\kak.htm
      C:\Windows\System\(filename).hta
      C:\Windows\Start Menu\Programs\Startup\kak.hta
      C:\Windows\Menu Demarrer\Programmes\Demarrage\kak.hta
  2. Kak also edits the registry. It changes your default Outlook Express signature file using the following key:
      HKCU/Identities/<Identity>/Software/Microsoft/Outlook/Express/5.0/signatures 
    You should be able to modify this key without editing the registry by setting up a signature file in Outlook Express. If you don't want to use a signature file, you can remove it immediately after creating it.
  3. Kak also adds this key, which activates the automatic shutdown on the first of the month:
      HKLM/Software/Microsoft/Windows/CurrentVersion/Run/cAgOu 
    To delete this key from a Windows 98 computer without editing the registry, use the System Configuration utility. Follow these steps:
    1. Click Start, then select Run....
    2. Type msinfo32 and click OK.
    3. From the Tools menu, select System Configuration Utility.
    4. Click the Start tab and uncheck the box next to cAgOu.

    If you have Windows 95 and cannot use the System Configuration utility, you will have to edit your system registry manually using regedit, the Windows Registry Editor. If you are unfamiliar with the Registry Editor, you may want to seek out your computer support provider to help you remove the following key from your system registry:

      HKLM/Software/Microsoft/Windows/CurrentVersion/Run/cAgOu

  4. After disinfecting your computer, you should run the security update from Microsoft. This update will protect you from re-infection and from other similar worms and viruses. You can find it at:
      http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm
  5. If you have drivers or programs that load from your autoexec.bat file (most people don't), they may not run properly after infection with the Kak worm. This is because the worm replaces your autoexec.bat file and copies the original to C:\AE.KAK. To restore your original autoexec.bat, rename c:\AE.KAK to c:\autoexec.bat.
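
The file and registry checks from the steps above, as an added example (not part of the original document or of any vendor tool): a Python script that looks for the listed Kak artifacts in a copy of a Windows 95/98/Me C: drive and in a text export of its registry. It assumes the drive copy is reachable as a directory and that cAgOu appears as a value name under the Run key in a REGEDIT4 export; the function names and the sample export are constructed for illustration.

```python
import os
import re

# Indicators from the removal steps; paths are relative to the C: root.
FIXED_PATHS = [r"Windows\kak.htm", r"AE.KAK",
               r"Windows\Start Menu\Programs\Startup\kak.hta",
               r"Windows\Menu Demarrer\Programmes\Demarrage\kak.hta",
]
HTA_DIR = r"Windows\System"  # holds the per-system (filename).hta
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

# Constructed sample export; the value data is a placeholder, not the worm's.
SAMPLE_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"cAgOu"="<constructed placeholder>"
"""

def _resolve(root, win_path):
    """Resolve a Windows path case-insensitively under root; None if absent."""
    current = root
    for part in win_path.split("\\"):
        names = os.listdir(current) if os.path.isdir(current) else []
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current

def find_kak_files(root):
    """List Kak-related files under a copy of the C: drive rooted at root."""
    hits = [p for p in (_resolve(root, w) for w in FIXED_PATHS) if p]
    system_dir = _resolve(root, HTA_DIR)
    if system_dir and os.path.isdir(system_dir):
        # The .hta name differs per system, so report every .hta for review.
        hits += [os.path.join(system_dir, n)
                 for n in sorted(os.listdir(system_dir))
                 if n.lower().endswith(".hta")]
    return hits

def run_entry_present(reg_text):
    """True if the export has a cAgOu value under the HKLM Run key."""
    section = None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == RUN_KEY and re.match(r'"cagou"\s*=', line, re.I):
            return True
    return False
```

Every .hta file reported from C:\Windows\System needs a manual look before deletion, because the worm's file name is not fixed.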

More information

For more complete technical information about this worm and the security hole it exploits, see the following web sites:

  http://service1.symantec.com/SARC/sarc.nsf/html/Wscript.KakWorm.html
  http://www.f-secure.com/v-descs/kak.shtml
  http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=10509
  http://www.microsoft.com/technet/security/bulletin/ms99-032.mspx

This is document aiku in the Knowledge Base.
Last modified on 2018-01-18 12:46:01.