Good morning all,
a follow up on the previous hard luck story. If you go to this address in
the Symantec (Norton) website, you will find two downloads that will check
your system for two separate manifestations of Kakworm. I downloaded both of
them to my 'download' directory, then found them back in there through
'windows explorer', and executed them by double click. They both told me that
my system is clean, which was very reassuring. Alternately it may tell you
that 'your computer is successfully restored'. You can also feel good about
that: you had a problem but it is fixed. Or it may tell you that you have
problems it can not fix.
I suggest you read the below page carefully, follow the procedure, and - if
you haven't done so yet - install the patch I referred to earlier.
Leave the two fixer downloads in your directory: when in doubt you can run
them again.
Good luck, rgds John
http://www.sarc.com/avcenter/venc/data/kak.worm.b.removal.html
© 1995-2001 Symantec Corporation.
All rights reserved.
Kak.Worm.B Fix
The KAK.Worm.B fix tool only works under Windows 9x or Windows NT operating
systems.
To use the tool, we recommend you download the fixkakb.exe file to your
Windows desktop or to a folder on your hard drive. After the file finishes
downloading:
1. Close all programs.
2. Double-click the file fixkak.exe to run it. A Repair Tool dialog box will
   appear.
3. Click Remove. One of the following three messages will appear after you
   click Remove:
   - Your computer is not infected. (Your system is safe, and you do not need
     to do anything.)
   - Your computer has been successfully restored. (The worm has been removed,
     and your system is now free of the damage done by the worm.)
   - An error occurred during execution of this program. (The removal tool has
     encountered a problem that it cannot fix. You will need to manually
     remove the virus. Refer to this page for manual removal instructions.)
What the tool does
- The tool searches for the DAY.HTA file dropped into the Start up directory.
  If the file is present, the tool will delete it.
- The tool will remove the DEFAULT.HTM, if it exists, from the Windows Command
  directory.
- The tool will restore the original AUTOEXEC.BAT from the DAYS.DAY created by
  the worm. The tool will delete DAYS.DAY after the restoration.
- The tool will check the cDays value in the Run registry key. If the value is
  present, then the tool will extract the string from this value (the string
  contains the name of the file dropped into the system directory) and delete
  the value. Then the tool will delete the file whose name was extracted from
  the cDays value.
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- The tool will enumerate through all the keys under HKCU\Identities,
  searching for the Default Signature value in the Signatures key for Outlook
  Express 5.0. The tool will delete this value, if it was found.
  HKEY_CURRENT_USER\Identities\???\Software\Microsoft\Outlook Express\5.0\Signatures
  ??? represents all the possible subkeys of HKCU\Identities
- The tool will delete the 00000000 subkey created by the virus, if the subkey
  is present.
  HKEY_CURRENT_USER\Identities\???\Software\Microsoft\Outlook Express\5.0\Signatures\00000000
NOTE: The tool is unable to restore the default signature for Outlook
Express if one existed before being infected. The worm does not save this
information.
Download: fixkakb.exe
fixkakb.exe is digitally signed. Symantec recommends only using copies of
fixkakb.exe that have been downloaded directly from this site. The following
tool is available to verify the digital signature of fixkakb.exe:
File: chktrust.exe
To verify the digital signature of fixkakb.exe using chktrust.exe:
1. Download chktrust into the same directory where fixkakb.exe is located.
2. Launch the MS-DOS prompt via the Start/Programs/MS DOS prompt menu.
3. Change to the directory where fixkakb.exe and chktrust.exe are stored. If
   the files were saved to the desktop folder the command to enter in the MS
   DOS prompt is:
       cd \windows\desktop
4. Type the following command to check the digital signature of fixkakb.exe:
       chktrust -i fixkakb.exe
5. If the digital signature is valid you will see a dialog asking the
   following question:
   Do you want to install and run "Fix Utility B" signed on 08/10/2000 1:06 PM
   and distributed by Symantec Corporation?
6. The date and time that are displayed in this dialog will be adjusted to
   your timezone if your computer is not set to the Pacific time zone. For
   example, if you live in the Eastern time zone the date and time you will
   see will be 08/10/2000 4:06 PM.
7. You may also see a DOS box with the entry
   "c: Result:0" (without the quotes). If you do, then the test was positive
   and the file is confirmed as being from Symantec.
8. If the above messages do not appear or the date and time are not properly
   adjusted for your timezone on the original message then do not use your
   copy of fixkak.exe. It is not from Symantec.
9. If dialogue from steps 5 and 7 above appear and the text is correct for
   your timezone per step 6, this copy of fixkakb.exe is from Symantec.
10. Click the "Yes" button to dismiss the chktrust dialog.
11. Type exit and then press the enter key. This will terminate the MS DOS
    session.
Updated: October 05, 2000
----- Original Message -----
From: John Homan
Sent: Monday, January 22, 2001 10:35 PM
Subject: stitch in time: virus protection
Good morning all,
This is a miserable story with - I hope - a happy ending.
Last week I spent $A120 to have a version of 'kak worm' removed from my
computer system, after it did some unspeakable things and caused me much
grief. I had been relying on Nortons for protection which proved futile: it
did not pick the contamination.
With the help and advice of friends I have taken some actions that I believe
will make my system safer, and I offer them here for your consideration:
The conventional wisdom is that viruses travel with attachments. To make the
system more secure against that I installed Inoculate and set up some
routines to make it easy to check attachments for viruses.
It then came as a shock to me to find that worms attach themselves to email
addresses, and propagate that way. There is a weakness in Internet
Explorer - a wormhole? - that allows this to happen. Fortunately MS have
developed a 'patch' which can be downloaded (for free) which when installed,
will close this loophole.
It can be found at the following address:
http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm
Just follow the prompts.
Install InoculateIT
Un-install your present antivirus programme: my computer > controlboard >
install/un-install software.
Create a new directory: C:\ download
Download from: http://antivirus.ca.com - file: IPESetup.exe to download
directory.
Access IPESetup.exe in the download directory, and double click. Then just
follow the prompts
Write down your Customer number
Viruses & attachments
Do not open attachments:
Create new directory: C:\ program files\ internet explorer\ dirty linen
Create shortcut for dirty linen on desktop
Open email > right click on attachment > save as > dirty linen > save
Access dirty linen > highlight attachment (if more than one: > edit > select
all) > right click > InoculateIT PE > clean/dirty verdict
Access viruslog.txt - C:\ program files\ InocculateIT PE\ viruslog.txt
Create shortcut for viruslog.txt on desktop.
Good luck, rgds John
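
As an added illustration (not part of the original messages and not Symantec's tool), the registry locations listed under "What the tool does" in the write-up quoted above can be looked for, read-only, in a REGEDIT4 export. The sample export, the identity name and the file name are constructed placeholders; a legitimately configured Outlook Express default signature is reported as well, so each hit is something to review, not proof of infection.

```python
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# "???" in the write-up means any subkey of HKCU\Identities, hence [^\\]+.
SIG_KEY = re.compile(r"hkey_current_user\\identities\\[^\\]+\\software\\microsoft"
                     r"\\outlook express\\5\.0\\signatures(\\00000000)?")
VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')

def parse_reg(text):
    """Yield (key, value_name, data) from REGEDIT4 text; name is None for a key header."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := VALUE.fullmatch(line)):
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escaping
            yield key, m.group(1), data

def find_indicators(text):
    """Return (kind, key, data) for each registry location the write-up lists."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), (name or "").lower()  # registry names are case-insensitive
        sig = SIG_KEY.fullmatch(k)
        if k == RUN_KEY and n == "cdays":
            hits.append(("run-cDays", key, data))  # data names the dropped file
        elif sig and sig.group(1) and name is None:
            hits.append(("signature-00000000", key, None))
        elif sig and not sig.group(1) and n == "default signature":
            hits.append(("default-signature", key, data))
    return hits

# Constructed sample export; the identity name and file name are placeholders.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"cDays"="C:\\WINDOWS\\SYSTEM\\PLACEHOLDER.HTA"

[HKEY_CURRENT_USER\Identities\{CONSTRUCTED-IDENTITY}\Software\Microsoft\Outlook Express\5.0\signatures]
"Default Signature"="00000000"

[HKEY_CURRENT_USER\Identities\{CONSTRUCTED-IDENTITY}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
'''
print(*find_indicators(SAMPLE_REG), sep="\n")
```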