Information About and Procedure for
Removing the Wscript.KAKworm

About the VBS.KAKWorm

The Wscript KAK Worm is a worm/virus that attacks systems using Outlook Express. It uses a known security vulnerability to attach itself to every email sent from an infected system. It is written with Javascript and it attacks both the English and French versions of Windows 95/98, if Outlook Express 5 is installed.

What makes this worm unique is its ability to infect a system by someone simply reading or previewing an email message. The worm hides in the HTML of the email itself. When the message is previewed or opened by the recipient, the worm automatically takes control and infects the computer.

If neither Outlook Express nor MS Internet Explorer 5.0 are installed, the worm is not able to infect the machine. The worm has another potential side effect as well. On the 1st day of any month and the hour is 5:00pm, the following message is displayed and Windows is sent a command to shutdown. You may also see a "Driver Memory Error" occur when starting Windows.

kakwarning.jpg (17758 bytes)

What The Worm Does

Upon infection, the worm places a file called KAK.HTM in your C:\Windows directory and a temporary file with an .HTA extension in your C:\Windows \SYSTEM directory. It also places a file called KAK.HTA in your Startup directory.

Then the worm adds the following lines into your AUTOEXEC.BAT file and renames the original autoexec file to AE.KAK.

@echo off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta
del C:\Windows\STARTM~1\Programs\StartUp\kak.hta

Next the worm adds the following changes into the Windows Registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \Currentversion\Run\cAg0u

This cAg0u file points to the temporary .HTA file dropped into the Windows\System directory earlier. The worm also adds the following line into the Windows Registry.

HKEY_CURRENT_USER\Identities\Software\Microsoft\Outlook Express\5.0\signatures\Default Signature

This default signature points to the KAK.HTM file loaded into the Windows directory. Every email that is sent after infection has this KAK.HTM embedded in the HTML of the email which spreads the worm to others.

 

How to Clean the KAKWorm from your System

Disclaimer

PLEASE: Do not try these steps if you are not comfortable deleting files. I claim no responsibility for you not understanding these steps or following them correctly.

Before cleaning, its a good idea to delete the actual emails in your Outlook Express program that have the virus. Otherwise when you preview the message again, the system will reinfect itself.

Once infected, do not reboot or restart your computer before cleaning, otherwise the infection will return.

Delete the following:

1) Delete the added lines in your AUTOEXEC.BAT file

@echo off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta
del C:\Windows\STARTM~1\Programs\StartUp\kak.hta

or delete the autoexec.bat file and rename the AE.KAK file to AUTOEXEC.BAT

2) Delete the KAK.HTA file from the Windows Startup group as well as the c:\windows directory. Also delete the temporary .hta file which was placed in the c:\windows\system directory. This file generally has a name like 74F03760.hta. Although the temporary filename will never be the same, just delete the .hta files in the c:\windows\system directory. You may have to change your Folder Options to "Show All Files" in order to find these files.

3) Using REGEDIT, Delete the 2 added registry entries

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \Currentversion\Run\cAg0u

HKEY_CURRENT_USER\Identities\Software\Microsoft\Outlook Express\5.0\signatures\Default Signature

(Be sure the default signature entry points to the KAK file)

4) Download and Install the Microsoft patch for the security vulnerability that allows this worm to invade your system.

Automatic Removal Program for the KAK Worm

This KAK Cleaner program will automatically clean the KAK worm from systems. You can download it from either link below, then double-click on it to clean the KAK worm from your systems.

KAK Cleaner

KAK Cleaner (alternate site)


Although there are no guarantees that the worm will reappear by previewing another message. The above steps should disable the worm. By downloading the Microsoft security patch, if an infected message comes through again, you will be warned about it and Outlook Express won't activate the worm.

 

space.gif (58 bytes)

 

Search PCHell.com



 




Tools for Removing Spyware, Adware, and Malware


PC HELL
Other Pages

Spyware/Adware Removal Help

MSBlast.exe Worm Removal

Welchia (Dllhost.exe and SVCHost.exe) Worm Removal

Uninstall McAfee Instructions

Uninstall Norton Instructions

Uninstall Avast Instructions

Uninstall AVG Instructions

Uninstall Antivir Instructions

Uninstall Panda Instructions

How to Manually Run the Microsoft Malicious Software Removal Tool

Bloodhound.Exploit.6 Virus Removal

MyDoom Virus Removal

MiMail.C Virus Removal

Swen Worm Virus Removal

SoBig.F Worm Removal

Dumaru Virus Removal

BugBear.B Worm Removal

SoBig.E Worm Removal

Pop Up Ad Removal Info

KAK Worm Removal

MiMail.A Worm Removal

W95.MTX Virus Removal

Snow White Virus Removal

BadTrans Trojan Removal

Wininit Virus (Bymer Trojan)

Happy99 Worm Removal

VBS Netlog Worm Removal

Pretty Park Worm Removal

Sasser Worm Virus Removal

Backdoor SDBot.H Trojan Removal

VBS.Loveletter Help

Computer Security Information

Back Orifice Information

PC HELL Main Page

 






iPadastic - News, Tutorials, Help, Tips, and Hints for the iPad



Download Hoyle Games
including Casino 3D, Card, Board, and Solitaire games.



Written by Mark Hasting

Recommended Software for PC Hell Visitors
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware
iolo System Mechanic® - Fix, Speed Up Your PC
iolo System Mechanic®
Emsisoft Anti Malware
Emsisoft Anti Malware
space.gif (58 bytes)

Search PCHELL.COM

Return to PC Hell
Return to PC Hell

Google