ARCHIVED: What is the Kak worm, and how can I remove it from my computer?
Kak is a worm that spreads using a security hole in the signature file in Microsoft Outlook Express. Although this worm can be forwarded or detected in email messages on a Windows NT, 2000, or XP system, it infects only Windows 95, 98, and Me systems. Once Kak infects Outlook Express, it will send copies of itself with every email message you send. The recipients' computers will not be infected unless they use Outlook Express.
Unlike other common worms and viruses that are spread via email messages, the Kak worm does not require the recipient to open an attachment to infect the computer. Simply reading the infected email message will cause the worm to infect the system.
Note: Microsoft has patched this security hole. The patch is available at:
http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm
A computer infected with the Kak worm will shut down on the first day of the month at 5pm, after displaying the following message:
"Kagou-Anti-Kro$oft says not today!"
How to remove Kak
Note: Symantec has created an interactive tutorial to aid in removing Kak. Please see:
http://www.symantec.com/techsupp/virusremoval/virusremoval_info_tutorial.html
Symantec also offers a Wscript.Kakworm Removal Tool, which is the preferred method for removing Kak. For this tool, please see:
http://www.sarc.com/avcenter/venc/data/wscript.kakworm.fix.html
If you would prefer to remove the worm manually, follow these steps:
- Delete the following files from your computer if they exist. Depending on when the worm infected your computer and whether or not you've restarted the computer since it became infected, some of the files may not exist on your computer. Also, the variable (filename) changes from one system to another.
  C:\Windows\kak.htm
  C:\Windows\System\(filename).hta
  C:\Windows\Start Menu\Programs\Startup\kak.hta
  C:\Windows\Menu Demarrer\Programmes\Demarrage\kak.hta
- Kak also edits the registry. It changes your default Outlook Express signature file using the following key:
  HKCU/Identities/<Identity>/Software/Microsoft/Outlook/Express/5.0/signatures
  You should be able to modify this key without editing the registry by setting up a signature file in Outlook Express. If you don't want to use a signature file, you can remove it immediately after creating it.
- Kak also adds this key, which activates the automatic shutdown on the first of the month:
  HKLM/Software/Microsoft/Windows/CurrentVersion/Run/cAgOu
  To delete this key from a Windows 98 computer without editing the registry, use the System Configuration utility. Follow these steps:
  - Click , then select .
  - Type msinfo32 and click .
  - From the menu, select .
  - Click the tab and uncheck the box next to .
  If you have Windows 95 and cannot use the System Configuration utility, you will have to edit your system registry manually using regedit, the Windows Registry Editor. If you are unfamiliar with the Registry Editor, you may want to seek out your computer support provider to help you remove the following key from your system registry:
  HKLM/Software/Microsoft/Windows/CurrentVersion/Run/cAgOu
- After disinfecting your computer, you should run the security update
from Microsoft. This update will protect you from re-infection and from
other similar worms and viruses. You can find it at:
http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm
- If you have drivers or programs that load from your autoexec.bat file (most people don't), they may not run properly after infection with the Kak worm. This is because the worm replaces your autoexec.bat file and copies the original to C:\AE.KAK. To restore your original autoexec.bat, rename c:\AE.KAK to c:\autoexec.bat.
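The file checks from the manual steps above can be run against a copy of the affected drive mounted on another machine. The following Python script is an added example, not part of the original article or any vendor tool; the mount point argument and the sample tree are assumptions, and it covers only the files listed above, not the registry keys.

```python
import os
import sys
import tempfile

# File artifacts listed in the article, relative to the root of the C: volume.
# "*.hta" stands for (filename).hta, whose name changes from system to system.
KAK_ARTIFACTS = [
    ("Windows", "kak.htm"),
    ("Windows", "System", "*.hta"),
    ("Windows", "Start Menu", "Programs", "Startup", "kak.hta"),
    ("Windows", "Menu Demarrer", "Programmes", "Demarrage", "kak.hta"),
    ("AE.KAK",),  # backup of the original autoexec.bat left by the worm
]

def _children(directory, pattern):
    """Match one path component ignoring case, as Windows 9x file systems do."""
    try:
        names = os.listdir(directory)
    except OSError:  # missing directory, or a file where a directory was expected
        return []
    if pattern.startswith("*"):
        return [n for n in names if n.lower().endswith(pattern[1:].lower())]
    return [n for n in names if n.lower() == pattern.lower()]

def find_kak_artifacts(root):
    """Return sorted paths, relative to root, of files matching the artifact list."""
    hits = []
    for parts in KAK_ARTIFACTS:
        candidates = [root]
        for part in parts:
            candidates = [os.path.join(c, n) for c in candidates for n in _children(c, part)]
        hits.extend(os.path.relpath(c, root) for c in candidates if os.path.isfile(c))
    return sorted(hits)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = sys.argv[1]  # hypothetical mount point of the copied volume
    else:
        # Constructed sample tree so the example runs without a real disk.
        root = tempfile.mkdtemp()
        for rel in ("WINDOWS/KAK.HTM", "WINDOWS/SYSTEM/0a1b2c3d.hta", "ae.kak"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
    for hit in find_kak_artifacts(root):
        print("review:", hit)
```

Any .hta file under Windows\System is reported as a candidate for review, since the worm's file name there is not fixed; confirm each one before deleting it.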
More information
For more complete technical information about this worm and the security hole it exploits, see the following web sites:
http://service1.symantec.com/SARC/sarc.nsf/html/Wscript.KakWorm.html
http://www.f-secure.com/v-descs/kak.shtml
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=10509
http://www.microsoft.com/technet/security/bulletin/ms99-032.mspx
This is document aiku in the Knowledge Base.
Last modified on 2018-01-18 12:46:01.