Computer virus
KAK Virus on email

JS/Kak   WScript.Kak   Kakworm   VBS/Kak


Kagou-Anti-Kro$oft says not today !


JS/Kak.Worm doesn't travel as an attachment; it is embedded in the body of an HTML-formatted message. Blocking .VBS files will have no effect on JS/Kak.


Nick FitzGerald wrote the following in a newsgroup about the KAK virus:

Assuming you have JS/Kak.A or one of the many trivial variants of it, the following may help...

You have the virus (some call it a worm) known as
JS/Kak (aka WScript.Kak, Kakworm, VBS/Kak, etc).

Here are detailed and complete clean-up instructions.
Unlike most earlier instructions, including those posted by many antivirus vendors (who are fixing theirs at my suggestion), these instructions not only remove Kak but explain how to make your machine *immune* to re-infection from Kak, or infection from any future viruses or worms that depend on the same security hole to get into a machine.

Here are Nick's standard instructions...

These instructions not only remove the Kak-virus but explain how to make your machine *immune* to re-infection from Kak, or infection from any future viruses or worms that depend on the same security hole to get into a machine.

Note 1: Kak spreads via Email. Since you were infected, you'll have been sending infected messages. You should check your Sent Items folder **after** applying **all** the fixes below and Email warnings (and an apology!) to everyone you've mailed since being infected.

Note 2: Too many descriptions of how to deal with Kak ignore the fact that infected users have mail folders full of infected messages which will hit them again next time they are read **if the security hole Kak depends on is not closed**. Thus, when cleaning up Kak you **MUST** follow my advice about Outlook Express security settings **AND** installing the MS security patch referred to at the end of this message.

In the prescribed order -- don't ask why, just do it:

First, stop using that machine for Email and News. In fact, close down all applications. In the instructions that follow, start any mentioned application **only** to perform the stated configuration changes, then exit the application.

Second, check the Restricted Sites security has *all* ActiveX support set to *disabled* (that prevents people choosing the wrong option when given the choice if "prompt" is set) and if it is not, set it that way. You do this on the Security tab of Tools/Internet Options in IE or the Security tab of the Internet Options control panel (they are both routes to the same controls). If you do not know how to check this, just select the Restricted Sites zone and click the "Default Level" button to reset the defaults for that zone -- they are near enough.

Third, set Outlook Express so Email is considered to be in the Restricted Sites zone. This is on the Security tab of the Tools/Options dialog.

Fourth, delete the Signature definition in Outlook Express for each afflicted user identity (if you do not know what that means, you *probably* only have a single identity so only need to do it once). These settings are on the Signatures tab of the Tools/Options dialog.
In theory, it is now safe to use Outlook Express 5 for reading and sending Email -- but don't...

Fifth, delete the files kak.htm from the Windows folder and <name>.hta from the Windows system folder. <name> is an eight character string representing a hexadecimal number -- i.e. it consists of some combination of characters 0-9 and A-F. There could be more than one of these files -- they should be 4116 bytes in size -- delete them all.
If there is more than one, then you should find out about Outlook Express user identities and tidy up the signature settings of all identities (that is more aesthetic than necessary, as deleting the kak.htm file effectively disables the signatures anyway).
These files have the hidden file attribute set -- to see them you will have to change the default settings in Explorer. If you are unsure how to do this, select Help from the Start menu, click on the Index tab then, under Win95, enter "hidden files, viewing" or under Win98 enter "hidden attribute" and view the topic that is found.

Sixth, edit AUTOEXEC.BAT and delete the two lines involved in creating and deleting kak.hta in the Windows Startup folder. If AE.KAK exists in the root of C: and no changes have been made to AUTOEXEC.BAT since Kak infected the machine, you can delete (or rename) AUTOEXEC.BAT then rename AE.KAK to AUTOEXEC.BAT (it is a Kak install-time backup of AUTOEXEC.BAT). Check the Windows Startup folder and delete any file there named kak.hta.

Restart the machine and watch closely for a process called Driver Memory Error that **only** appears (and briefly) as a button on the taskbar. If that happens, you missed something or did it out of order. Start over.
If you get here a second time and still have this process starting, please Email me for further assistance. mailto:nick

Assuming that all has gone well, go to:

http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

read it, download then run the official MS patch that closes the security hole that Kak depends on. After doing that, you can reset your Email security to the Internet zone, although I certainly do not recommend that!

After all this, you will almost surely have one or more messages carrying the Kak code in your Email folders.
Unless MS re-introduces the security hole Kak depends on in a future IE update, those messages won't cause you any grief, though forwarding them to others would be unwelcome.
Note also that any copies to self you've kept will also have active Kak code in them. Short of getting a virus scanner that can parse OE mail files, the only vaguely satisfactory workaround to the "problem" of possibly forwarding one of these "infected", saved messages is to configure all your user identities to send text-only Email rather than that HTML rubbish that is the OE default.
Thus, setting text-only Email sending is a *very good idea*. Note that to set this configuration fully, you must not only set Tools/Options/Send to "Plain text" for the "Mail sending format", but also disable the "Reply to messages in the format in which they were sent" option (which is also on the Tools/Options/Send dialog).
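Added here as an illustration, not part of Nick's post or of any vendor tool: a small Python check that walks a file listing and an AUTOEXEC.BAT and flags the artifacts the fifth and sixth steps above tell you to delete (kak.htm in the Windows folder, hidden 4116-byte <8 hex chars>.hta files, kak.hta in Startup, and the AUTOEXEC.BAT lines that mention it). The listing, the name 3A7F19C2.hta and the two AUTOEXEC lines are constructed stand-ins, not data from a real machine.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the clean-up instructions: kak.htm in the Windows folder, hidden
# <8 hex chars>.hta files of 4116 bytes in the Windows system folder, kak.hta in the
# Startup folder, and the two AUTOEXEC.BAT lines that create/delete that kak.hta.
KAK_HTA_SIZE = 4116
HEX_HTA = re.compile(r"^[0-9A-F]{8}\.hta$", re.IGNORECASE)

def is_kak_hta_candidate(name, size, hidden):
    """True when a file matches the dropped .hta profile: hidden, 4116 bytes, 8-hex-char name."""
    return hidden and size == KAK_HTA_SIZE and HEX_HTA.match(name) is not None

def find_kak_artifacts(inventory):
    """inventory: iterable of (windows_path, size_bytes, hidden_attribute) tuples,
    e.g. from a directory listing taken with hidden files shown. Returns matching paths."""
    hits = []
    for path, size, hidden in inventory:
        p = PureWindowsPath(path)
        name, parent = p.name.lower(), str(p.parent).lower()
        if name == "kak.htm" and parent.endswith("\\windows"):
            hits.append(path)
        elif name == "kak.hta" and parent.endswith("\\startup"):
            hits.append(path)
        elif is_kak_hta_candidate(p.name, size, hidden):
            hits.append(path)
    return hits

def autoexec_kak_lines(autoexec_text):
    """Return every AUTOEXEC.BAT line that references kak.hta (the lines to delete)."""
    return [ln for ln in autoexec_text.splitlines() if "kak.hta" in ln.lower()]

# Constructed sample listing (hypothetical paths and sizes; not from a real machine).
SAMPLE_INVENTORY = [
    (r"C:\WINDOWS\kak.htm", 4116, True),
    (r"C:\WINDOWS\SYSTEM\3A7F19C2.hta", 4116, True),
    (r"C:\WINDOWS\SYSTEM\shell32.dll", 1381904, False),
    (r"C:\WINDOWS\SYSTEM\readme.hta", 4116, True),   # name is not 8 hex chars: ignored
    (r"C:\WINDOWS\Start Menu\Programs\StartUp\kak.hta", 4116, True),
]

# Constructed stand-in AUTOEXEC.BAT with two kak.hta lines of the kind to be removed.
SAMPLE_AUTOEXEC = "\r\n".join([
    "@ECHO OFF",
    "PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND",
    'copy C:\\WINDOWS\\SYSTEM\\3A7F19C2.hta "C:\\WINDOWS\\Start Menu\\Programs\\StartUp\\kak.hta"',
    'del "C:\\WINDOWS\\Start Menu\\Programs\\StartUp\\kak.hta"',
])

print(find_kak_artifacts(SAMPLE_INVENTORY), autoexec_kak_lines(SAMPLE_AUTOEXEC))
```

On a real machine the listing would come from Explorer with hidden files shown (see the fifth step), and a hit is a file to delete, not proof on its own that the machine is still infected.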
mailto: Michel Beyens