More info on KAK Worm removal..........copied and pasted from alt.comp.virus
.............
Note: Kak spreads via Email. Since you were infected,
you'll have been sending infected messages. You should
check your Sent Items folder **after** applying **all**
the fixes below and Email warnings (and an apology!) to
everyone you've mailed since being infected.
Note^2: Too many descriptions of how to deal with Kak
ignore the fact that infected users have mail folders
full of infected messages which will hit them again next
time they are read **if the security hole Kak depends on
is not closed**. Thus, when cleaning up Kak you
**MUST** follow my advice about Outlook Express security
settings **AND** installing the MS security patch
referred to at the end of this message.
In the prescribed order -- don't ask why, just do it:
First, stop using that machine for Email and News. In
fact, close down all applications. In the instructions
that follow, start any mentioned application **only**
perform the stated configuration changes then exit the
application.
Second, check the Restricted Sites security has *all*
ActiveX support set to *disabled* (that prevents people
choosing the wrong option when given the choice if
"prompt" is set) and if it is not, set it that way.
You do this on the Security tab of Tools/Internet
Options in IE or the Security tab of the Internet
Options control panel (they are both routes to the same
controls). If you do not know how to check this, just
select the Restricted Sites zone and click the "Default
Level" button to reset the defaults for that zone --
they are near enough.
Third, set Outlook Express so Email is considered to be
in the Restricted Sites zone. This is on the Security
tab of the Tools/Options dialog.
Fourth, delete the Signature definition in Outlook
Express for each afflicted user identity (if you do not
know what that means, you *probably* only have a single
identity so only need to do it once). These settings
are on the Signatures tab of the Tools/Options dialog.
In theory, it is now safe to use Outlook Express 5 for
reading and sending Email -- but don't...
Fifth, delete the files kak.htm from the Windows folder
and <name>.hta from the Windows system folder. <name>
is an eight character string representing a hexadecimal
number -- i.e. it consists of some combination of
characters 0-9 and A-F. There could be more than one
of these files -- they should be 4116 bytes in size --
delete them all. If there is more than one, then you
should find out about Outlook Express user identities and
tidy up the siganture settings of all identities (that
is more aesthetic than necessary, as deleting the
kak.htm file effectively disables the signatures anyway).
These files have the hidden file attribute set -- to see
them you will have to change the default settings in
Explorer. If you are unsure how to do this, select Help
from the Start menu, click on the Index tab then, under
Win95, enter "hidden files, viewing" or under Win98 enter
"hidden attribute" and view the topic that is found.
Sixth, edit AUTOEXEC.BAT and delete the two lines
involved in creating and deleting kak.hta in the Windows
Startup folder. If AE.KAK exists in the root of C: and no
changes have been made to AUTOEXEC.BAT since Kak infested
the machine, you can delete (or rename) AUTOEXEC.BAT then
rename AE.KAK to AUTOEXEC.BAT (it is a Kak install-time
backup of AUTOEXEC.BAT). Check the Windows Startup
folder and delete any file there named kak.hta.
Restart the machine and watch closely for a process called
Driver Memory Error that **only** appears (and briefly) as
a button on the taskbar. If that happens, you missed
something or did it out of order. Start over. If you get
here a second time and still have this process starting,
please Email me for further assistance.
Assuming that all has gone well, go to:
http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
read it, download then run the offical MS patch that
closes the security hole that Kak depends on. After doing
that, you can reset your Email security to the Internet
zone, although I certainly do not recommend that!
After all this, you will almost surely have one or more
messages carrying the Kak code in your Email folders.
Unless MS re-introduces the security hole Kak depends on
in a future IE update, those message won't cause you any
grief though forwarding them to others would be unwelcome.
Note also, that any copies to self you've kept will also
have active Kak code in them. Short of getting a virus
scanner that can parse OE mail files, the only vaguely
satisfactory workaround to the "problem" of possibly
forwarding one of these "infected", saved messages is to
configure all your user identities to send text-only Email
rather than that HTML rubbish that is the OE default.
Thus, setting text-only Email sending is a *very good
idea*. Note that to set this configuration fully, you
must not only set Tools/Options/Send to "Plain text" for
the "Mail sending format", but also disable the "Reply to
messages in the format in which they were sent" option
(which is also on the Tools/Options/Send dialog).
Hope this was helpful........
JOhn King
----- Original Message -----
From: Anna Lee, Principal <[log in to unmask]>
To: Anastasia Zafeirakopoulos <[log in to unmask]>; Amal Helou
<[log in to unmask]>; Julie Harrison - Hydrotherapy
<[log in to unmask]>; Cathy Nall - PIMS <[log in to unmask]>; Anne
Moseley - Neuro <[log in to unmask]>; Cherie Hearn - CardioThoracic
<[log in to unmask]>; Genevieve Dwyer - Paediatrics
<[log in to unmask]>; Sue Jones - Women's Health
<[log in to unmask]>; Susan Hillier - Neuro <[log in to unmask]>;
Annette Brown Gerontology <[log in to unmask]>; AFRM MM-Line
<[log in to unmask]>; Anna Sheppheard -MH <[log in to unmask]>; Anne
Paeds McCoy <[log in to unmask]>; APA Asha - membership
<[log in to unmask]>; NSW Branch <[log in to unmask]>;
QLD Branch <[log in to unmask]>; SA Branch
<mailto:[log in to unmask];;;;; TAS Branch
<[log in to unmask]>; VIC Branch <vic.
Sent: Wednesday, May 03, 2000 9:56 PM
Subject: Fw: KAK WORM REMOVAL AND IMMUNIZATION
>
> Hello Folks,
>
> I was sent a kak worm virus through the physio mailbase. I received the
> attached information from my (trustworthy) virus detector company, AVP. He
> said that it is impossible to get rid of it just by deleting even with
virus
> detectors. He advises this message be sent to all in your address book.
See
> below
>
>
> Cheers,
>
> Anna.
>
>
>
>
>
> Anna Lee
> Principal,
> Work Ready - Industrial Athlete Centre
> Physiotherapist and Occupational Health Consultant
>
> Write to me at [log in to unmask]
> Visit me at www.workready.com.au
>
> Snail mail:
> Suite 3, 82 Enmore Road,
> Newtown NSW 2042
> Australia
>
> Tel: (02) 9519 7436
> Mob: 0412 33 43 98
> Fax: (02) 9519 7439
> ----- Original Message -----
> From: "AVP Australia" <[log in to unmask]>
> To: <[log in to unmask]>
> Sent: Wednesday, 3 May 2000 19:43
> Subject: KAK WORM REMOVAL AND IMMUNIZATION
>
>
> >
> > KAK WORM REMOVAL AND IMMUNIZATION
> >
> > The Kak worm exploits a security hole in Microsoft Outlook Express.
> > While this hole is open, Kak will keep on re-infecting your PC faster
> > than you can disinfect it. Follow the steps below to eradicate Kak.
> > (Note that these steps MUST be taken in the correct order!)
> >
> > 1. Close down all applications, including any in the system tray. Start
> > the applications below ONLY to perform the appropriate configuration
> > changes, then exit the application.
> >
> > 2. Make sure the Restricted Sites security has ALL ActiveX support
> > disabled. Do this on the Tools/Internet Options Security tab in
> > Internet Explorer, or the Security tab of the Internet Options
control
> > panel. (If you don't know how to do this, just select the
Restricted
> > Sites Zone and click the "Default Level" button to reset the
defaults
> > for that Zone.)
> >
> > 3. Set Outlook Express so that Email is in the Restricted Sites Zone.
> > This is on the Security tab under Tools/Options.
> >
> > 4. Delete the Signature definition in Outlook Express for each user
> > identity. (If you don't know what this means, you probably have
> > only a single identity, so you will only need to do it once). The
> > settings are on the Signatures tab under Tools/Options.
> >
> > 5. Delete the files kak.htm from the Windows folder and <file>.hta
> > from the Windows system folder. <file> is an eight character
> > hexadecimal number ... i.e. it consists of a combination of the
> > characters 0-9 and A-F. Note that these files have the hidden file
> > attribute set. You will have to change the default settings in
> > Explorer to see them. If you are unsure how to do this, select
> > Help from the Start menu, click on the Index tab, then under
> > Windows95, enter "hidden files, viewing" or under Windows98
> > enter "hidden attribute", and read the topic. There could be
> > more than one <file>.hta. They are usually 4116 bytes in size.
> > Delete them all.
> >
> > 6. Edit autoexec.bat and delete the two lines which create and delete
> > kak.hta in the Windows Startup folder. If the file "ae.kak"exists
in
> > Drive C:\ then delete it.
> >
> > 7. Go to the Windows Startup folder and delete the file kak.hta, if it
> > exists.
> >
> > 8. Restart your PC and watch closely for a process called Drive
> > Memory Error which may appear very briefly as a button on the
> > taskbar. If this happens then you missed something or did the
> > steps out of order. You will have to start again from scratch.
> >
> > 9. Go to:
> > http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
> > Read the elert notice and download the official Microsoft patch to
> > close the security hole which allowed Kak to infect your PC in the
> > first place. After doing this you can reset your Email security to
> > the Internet Zone if you wish, although I recommend against it.
> >
> > You will almost certainly have one or more messages carrying the
> > Kak worm in your Email folders. Locate these with AVP scanner
> > and delete them ... they cannot be disinfected.
> >
> > Finally, I highly recommend that you configure all your identities to
> > send TEXT ONLY Email, rather than HTML default. To set this
> > configuration you must set Tools/Options/Send to "Plain text" for
> > the "Mail sending format" and also disable the "Reply to messages
> > in the format in which they were sent" option.
> >
> > It is a good idea to inform anyone you've emailed recently that
> > you may have sent them the Kak worm. (Send them a copy of
> > this message if you wish.)
> >
> >
> >
>
>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|