----- Original Message -----
Sent: Sunday, April 16, 2000 19:58
Subject: TR: KakWorm
This email is about the KakWorm virus and how to remove it.
It is not very difficult to remove but you must follow the instructions
exactly and don't go ahead if you don't feel confident. I suggest that
you print out this email because you must not use or open Outlook Express
when you are following the procedure.
About the KakWorm Virus:
The Wscript KAK Worm first
appeared in December 99. It is a worm/virus that attacks systems using
Outlook Express. It uses a known security vulnerability to attach itself
to every email sent from an infected system. It is written in JavaScript
and it attacks both the English and French versions of Windows 95/98, if
Outlook Express 5 is installed.
What makes this worm
unique is its ability to infect a system by someone simply reading or previewing
an email message. The worm hides in the HTML of the email itself. When
the message is previewed or opened by the recipient, the worm automatically
takes control and infects the computer.
The worm has
another potential side effect as well. On the 1st day of any month and
when the hour is 5pm, the message "Kagou-Anti-Kro$oft say not today!" is
displayed and Windows is sent a command to shut down. You may also see
a "Driver Memory Error" occur when starting Windows. Once you have followed
the removal instructions, your computer cannot be infected by KakWorm again.
How to remove KakWorm
Close all programs before you start. Print out this message
before you begin because you must not open or use Outlook Express while
you are going through this procedure. Read the instructions through before starting.
1) Download and then run the Microsoft patch for Windows
95/98 available at http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
2) In Windows Explorer go to View, Folder Options, View and then under the
heading Hidden Files select "Show all file types". Also
untick the box "Hide file extensions for known file types". (This is how
it is done on Windows 98 - if it is different on Windows 95, press the
Start button, select Help and in the Index look up Hidden Files - it should
tell you how to reveal them).
3) Still in Windows Explorer, look in the C drive (C:\)
- it includes things like My Documents. There should be a file called AUTOEXEC.BAT. Right
click on AUTOEXEC.BAT and select Edit. Then delete only the following lines
from it:
@echo off > C:\Windows\STARTM~1\Programs\StartUp\kak.hta
del C:\Windows\STARTM~1\Programs\StartUp\kak.hta
4) Still in Windows Explorer, carefully look for
files called ae.kak, kak.hta or kak.htm, first in C:\WINDOWS, then also
in C:\WINDOWS\Start Menu\Programs\StartUp. If you find any, delete them.
5) Now delete the .hta files in C:\WINDOWS\SYSTEM. They
generally have a name like 74F03760.hta and are about 4 or 5 KB in size.
You must look for them carefully - it takes some time to go down the list.
NB There may be some .hta files which are not from the virus so don't just
delete all of them.
6) Now close Windows Explorer and open Outlook Express.
Select Tools, Options, Signatures and remove any Signature which is there.
If you have any other identities in OE then do the same for them.
7) Now close Outlook and switch off the computer. Next
time you switch it on, look to see if the Driver Memory Error message still
appears. If it does, the KAK virus is still there but hopefully it won't
be.
8) Finished!
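
The file checks from steps 3 to 5, written as a read-only triage script for a mounted copy of the C: drive. This is an added example, not part of the original email: the 8-hex-digit name pattern and the 3 to 6 KB size window are assumptions drawn from the single example name and the "about 4 or 5 KB" remark, and `find_kak_artifacts` and `build_sample` are hypothetical names.

```python
import re
import tempfile
from pathlib import Path

NAMED = {"ae.kak", "kak.hta", "kak.htm"}   # step 4 file names
HEX_HTA = re.compile(r"[0-9a-f]{8}\.hta")  # assumption: shape of "74F03760.hta"
SIZE_MIN, SIZE_MAX = 3 * 1024, 6 * 1024    # assumption: margin around "4 or 5 KB"


def find_kak_artifacts(root):
    """Report (never delete) KakWorm traces under a mounted copy of drive C:."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        parts = [p.lower() for p in path.relative_to(root).parts]
        name, folder = parts[-1], "/".join(parts[:-1])
        if name == "autoexec.bat" and not folder:  # step 3: lines naming kak.hta
            text = path.read_text(encoding="cp1252", errors="replace")
            for number, line in enumerate(text.splitlines(), 1):
                if "kak.hta" in line.lower():
                    findings.append(("autoexec-line", f"{name}:{number}"))
        elif name in NAMED:
            findings.append(("named-file", "/".join(parts)))
        elif folder == "windows/system" and HEX_HTA.fullmatch(name):
            # Step 5: other .hta files may be legitimate, so flag for manual review
            if SIZE_MIN <= path.stat().st_size <= SIZE_MAX:
                findings.append(("review-hta", "/".join(parts)))
    return sorted(findings)


def build_sample(root):
    """Constructed sample tree for the demo; contents are placeholders, not worm code."""
    root = Path(root)
    (root / "WINDOWS" / "SYSTEM").mkdir(parents=True)
    (root / "AUTOEXEC.BAT").write_text(
        "SET PATH=C:\\WINDOWS\n"
        "@echo off > C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak.hta\n"
        "del C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak.hta\n")
    (root / "WINDOWS" / "kak.htm").write_text("placeholder")
    (root / "WINDOWS" / "SYSTEM" / "74F03760.hta").write_bytes(b"x" * 4500)
    (root / "WINDOWS" / "SYSTEM" / "HELPAPP.hta").write_bytes(b"x" * 4500)  # not flagged
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_kak_artifacts(build_sample(tmp)))
```

Entries tagged `review-hta` are candidates only, in line with the note in step 5 that some .hta files do not come from the virus.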