The archaeology list - britarch - has recently been plagued by the kakworm
virus. This virus (worm) is transmitted in the signature attachments
generated by MS Outlook Express and opened automatically by some e-mail
applications. I felt it was worth repeating the remedies given to britarch
list members, particularly the recommendations on tidying up Outlook and
disabling the signature attachments. I would encourage all members to
disable that latter option, whatever e-mail application you use, to help
prevent the transmission of viruses.
Peter
Kakworm
What is it, and how do I know if I've got it?
Technically, it isn't a virus, it's a worm; so it might not be found by all
(especially old!) Anti-virus programs. It affects English and French
versions of Windows 95/98 if Outlook Express version 5.0 is installed.
Basically it exploits a known security loophole in Outlook Express, so that
when you open an infected message or view it in the preview pane, it creates
a file "kak.hta" in the Windows Startup directory.
The worm is activated the next time the PC is switched on. The regular
"autoexec.bat" is switched sideways to "C:\ae.kak", and a new one created
with a couple of extra lines at the end. In addition, it modifies the
settings of Outlook Express, so that it will in future send messages with a
signature comprising an infected file "c:\windows\kak.htm" to your chosen
correspondent. It also modifies a key in the registry.
You'll know you have an infection if you can find files on your system
called "kak.htm" or "kak.hta". Use Windows Explorer to search for files
called "hta.*". You'll also find out because your friends with up-to-date
virus checkers will tell you!
2) So how do I get rid of it?
Remove the following three files:
c:\windows\kak.htm
c:\windows\system\[filename].hta where [filename] changes from PC to PC
(you might find this easier if you arrange the icons in order of Type, so that
any .hta file comes after the .drv files and before the .kbd files)
c:\windows\Start Menu\Programs\Startup\kak.hta
or, in French,
c:\windows\Menu Demarrer\Programmes\Demarrage\kak.hta
We then need to restore the rightful "autoexec.bat" as follows:
Check that you have a file called "C:\AE.KAK"
Delete C:\AUTOEXEC.BAT
Rename C:\AE.KAK as C:\AUTOEXEC.BAT
Finally we tidy up Outlook Express:
In Tools|Options|Signatures, blank out the signature file, tell it you'd
rather use Text, and that you don't want to use a signature anyway, and
Apply.
If you're happy hacking registry files, then MAKE A BACKUP and then delete
the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\cAg0u
but if not I reckon it's OK to leave alone.
Your machine is now clear of the kakworm, and will not pass it on to your
friends and colleagues.
To prevent future infection, in Outlook Express disable Active Scripting
(um, couldn't find this at first glance), and update your virus checker.
3) Useful references:
more explanation (if you can stand it) at
http://www.microsoft.com/security/Bulletins/MS99-032faq.asp
______________________________________________
Peter Claughton, Blaenpant Morfil, Rosebush, Clynderwen,
Pembrokeshire, Wales SA66 7RE.
Tel. 01437 532578; Fax. 01437 532921; Mobile 07831 427599
University of Exeter - Department of History
School of Historical, Political and Sociological Studies
E-mail: [log in to unmask]
Co-owner - mining-history e-mail discussion list.
See http://www.mailbase.ac.uk/lists/mining-history/ for details.
Mining History Pages - http://www.exeter.ac.uk/~pfclaugh/mhinf/
_____________________________________________
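The file checks described in the message above, written as an added example that is not part of the original post: it walks a copy of the C: drive (for instance a mounted backup) and reports the file indicators the post names, matching names case-insensitively. The sample tree and the name `abc123.hta` are constructed for illustration, and the registry key is not covered because it does not live in the file tree.

```python
import os
import posixpath
import tempfile

# Fixed locations named in the post, relative to the root of C:, lower-cased.
FIXED = (
    "windows/kak.htm",
    "windows/start menu/programs/startup/kak.hta",
    "windows/menu demarrer/programmes/demarrage/kak.hta",
    "ae.kak",  # the original autoexec.bat, moved aside by the worm
)

def list_files(root):
    """Return every file under root as a lower-cased, '/'-separated relative path."""
    out = set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            out.add(rel.replace(os.sep, "/").lower())
    return out

def scan(root):
    """Return the sorted indicator paths found under root."""
    files = list_files(root)
    hits = {p for p in FIXED if p in files}
    # The .hta in windows\system has a name that changes from PC to PC,
    # so report any .hta file sitting directly in that folder.
    hits |= {p for p in files
             if posixpath.dirname(p) == "windows/system" and p.endswith(".hta")}
    return sorted(hits)

def build_sample(root, infected):
    """Constructed sample tree; 'ABC123.HTA' is a made-up name."""
    paths = ["AUTOEXEC.BAT", "WINDOWS/SYSTEM/VGA.DRV", "WINDOWS/SYSTEM/KBDUK.KBD"]
    if infected:
        paths += ["AE.KAK", "WINDOWS/KAK.HTM", "WINDOWS/SYSTEM/ABC123.HTA",
                  "WINDOWS/Start Menu/Programs/StartUp/kak.hta"]
    for p in paths:
        full = os.path.join(root, *p.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, infected=True)
        for hit in scan(tmp):
            print("indicator present:", hit)
```

If `ae.kak` is in the results, the original autoexec.bat is still available for the restore step given in the message.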