----- Original Message -----
Sent: Sunday, April 16, 2000 19:58
Subject: TR: KakWorm
This email is about the KakWorm virus and how to remove it.
It is not very difficult to remove but you must follow the instructions
exactly and don't go ahead if you don't feel confident. I suggest that you
print out this email because you must not use or open Outlook Express when you
are following the procedure.
About the KakWorm Virus:
The Wscript KAK Worm first appeared in December 99. It is a worm/virus that
attacks systems using Outlook Express. It uses a known security vulnerability
to attach itself to every email sent from an infected system. It is written
with JavaScript and it attacks both the English and French versions of
Windows 95/98, if Outlook Express 5 is installed.
What makes this worm unique is its ability to infect a
system by someone simply reading or previewing an email message. The worm
hides in the HTML of the email itself. When the message is previewed or opened
by the recipient, the worm automatically takes control and infects the
computer.
The worm has another potential side effect as well. On the
1st day of any month and when the hour is 5pm, the message "Kagou-Anti-Kro$oft
say not today!" is displayed and Windows is sent a command to shut down. You
may also see a "Driver Memory Error" occur when starting Windows. Once you
have followed the removal instructions, your computer cannot be infected by
KakWorm again.
How to remove KakWorm
Close all programs before you start. Print out this message before you begin
because you must not open or use Outlook Express while you are going through
this procedure. Read the instructions through before starting.
1) Download and then run the Microsoft patch for Windows
95/98 available at http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
2) In Windows Explorer go to View, Folder Options, View and then under the
heading Hidden Files select "Show all file types".
Also untick the box "Hide file extensions for known file types". (This is how
it is done on Windows 98 - if it is different on Windows 95, press the Start
button, select Help and in the Index look up Hidden Files - it should tell you
how to reveal them).
3) Still in Windows Explorer, look in the C drive (C:\) - it includes things
like My Documents. There should be a file called AUTOEXEC.BAT
Right click on AUTOEXEC.BAT and select Edit. Then delete only the following
lines from it:
@echo off > C:\Windows\STARTM~1\Programs\StartUp\kak.hta
del C:\Windows\STARTM~1\Programs\StartUp\kak.hta
4) Still in Windows Explorer, carefully look for files called ae.kak, kak.hta
or kak.htm, first in C:\WINDOWS, then also in
C:\WINDOWS\Start Menu\Programs\StartUp. If you find any, delete them.
5) Now delete the .hta files in C:\WINDOWS\SYSTEM. They generally have a name
like 74F03760.hta and are about 4 or 5 KB in size. You must look for them
carefully - it takes some time to go down the list. NB There may be some .hta
files which are not from the virus so don't just delete all of them.
6) Now close Windows Explorer and open Outlook Express. Select
Tools, Options, Signatures and remove any Signature which is there. If you
have any other identities in OE then do the same for them.
7) Now close Outlook and switch off the computer. Next time you switch it on,
look to see if the Driver Memory Error message still appears. If it does, the
KAK virus is still there but hopefully it won't be.
8) Finished!
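Added example, not part of the original message: a read-only Python check that applies steps 3 to 5 to a copy of the drive (for example a mounted disk image) and reports what the procedure would have you delete. The function names, the sample AUTOEXEC.BAT, the 8-hex-digit name pattern (generalised from the one name 74F03760.hta) and the 3-6 KB size window (around "about 4 or 5 KB") are assumptions.

```python
import re
import sys
from pathlib import Path

KAK_NAMES = {"ae.kak", "kak.hta", "kak.htm"}                   # step 4
HEX_HTA = re.compile(r"^[0-9a-f]{8}\.hta$", re.IGNORECASE)     # step 5 (assumed pattern)
SIZE_MIN, SIZE_MAX = 3 * 1024, 6 * 1024                        # step 5 (assumed window)
KAK_LINE = re.compile(r"\\kak\.hta\s*$", re.IGNORECASE)        # step 3

SAMPLE_AUTOEXEC = (  # constructed sample, not taken from a real system
    "@ECHO OFF\r\n"
    "SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
    "@echo off > C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak.hta\r\n"
    "del C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak.hta\r\n"
)

def clean_autoexec(text):
    """Split AUTOEXEC.BAT content into (kept, removed) lines per step 3."""
    kept, removed = [], []
    for line in text.splitlines():
        (removed if KAK_LINE.search(line) else kept).append(line)
    return kept, removed

def _sub(base, *parts):
    """Resolve sub-folders case-insensitively; None if any part is missing."""
    for part in parts:
        if base is None or not base.is_dir():
            return None
        base = next((c for c in base.iterdir() if c.name.lower() == part.lower()), None)
    return base

def find_artifacts(windows_dir):
    """Return files matching steps 4 and 5. Reports only; deletes nothing."""
    win, hits = Path(windows_dir), []
    for folder in (win, _sub(win, "Start Menu", "Programs", "StartUp")):
        if folder and folder.is_dir():
            hits += [p for p in folder.iterdir() if p.name.lower() in KAK_NAMES]
    system = _sub(win, "SYSTEM")
    if system and system.is_dir():
        # Name and size must both match: other .hta files are left alone.
        hits += [p for p in system.iterdir() if HEX_HTA.match(p.name)
                 and SIZE_MIN <= p.stat().st_size <= SIZE_MAX]
    return sorted(hits)

if __name__ == "__main__":
    print("AUTOEXEC.BAT lines to delete:", clean_autoexec(SAMPLE_AUTOEXEC)[1])
    if len(sys.argv) > 1:  # path to the copied WINDOWS folder
        print("Files to review:", *find_artifacts(sys.argv[1]), sep="\n  ")
```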