(Infects hypertext files sent to Microsoft Outlook Express)
Delete the following files:
1. in windows delete kak.htm
2. in windows/system delete 898836E0.hta
3. in windows/start menu/programs/startup delete kak.hta
If you want to edit the registry
(please be careful!) you can delete the
but I don't think it's necessary if you've deleted the above files.
You can also delete the references
to KAK in autoexec.bat (you find it by
going to windows/system
and double clicking on sysedit.exe).
To double check that you
aren't sending the virus, (in Outlook Express) go
tools>options>signatures amd make sure that kak.htm isn't selected as the
In order to close the security
loophole that allows infection by this kind
of virus (i.e. ones that propogate themselves via email sig files) you can apply this patch
Note: Kak spreads via Email.
If you are infected, you'll have been
sending infected messages. You should check your Sent Items folder
**after** applying **all** the fixes below and Email warnings (and an apology!) to everyone you've mailed since being infected.
Note^2: Too many descriptions
of how to deal with Kak ignore the fact that
infected users have mail folders full of infected messages which will hit
them again next time they are read **if the security hole Kak depends on is
not closed**. Thus, when cleaning up Kak you **MUST** follow my advice about Outlook Express security settings **AND** installing the MS security patch referred to at the end of this message.
In the prescribed order -- don't ask why, just do it:
First, stop using that machine
for Email. In fact, close down all applications. In the instructions
that follow, start any mentioned application **only**
perform the stated configuration changes then exit the application.
Second, check the Restricted
Sites security has *all*
ActiveX support set to *disabled* (that prevents people choosing the wrong
option when given the choice if "prompt" is set) and if not, set it that
way. You do this on the Security tab of Tools/Internet Options in IE or the
Security tab of the Internet Options control panel (they are both routes to
the same controls). If you do not know how to check this, just select that
zone and click the "Default Level" button to reset the defaults for that
zone -- they are near enough.
Third, set Outlook Express
so Email is considered to be in the Restricted
Sites zone. This is on the Security tab of the Tools/Options dialog.
Fourth, delete the Signature
definition in Outlook Express for each
afflicted user identity (if you do not know what that means, you *probably*
only have a single identity so only need to do it once). In theory, it is
now safe to use Outlook Express 5 for reading and sending Email -- but
Fifth, delete the files kak.htm
from the Windows folder and .hta from the
Windows system folder.
is an eight character string representing a hexadecimal number -- i.e. it
consists of some combination of the characters 0-9 and A-F. There could be
more than one of these files -- they should be 4116 bytes in size --
delete them all. If there is more than one, then you should find out about
Outlook Express user idetities and tidy up the siganture settings of all
identities (that is more aesthetic than necessary, as deleting the kak.htm
file effectively disables the signatures anyway).
Sixth, edit AUTOEXEC.BAT
and delete the two lines involved in creating and
deleting kak.hta in the Windows Startup folder. If AE.KAK exists in the
root of C: and no changes have been made to AUTOEXEC.BAT since Kak infested
the machine, you can delete (or rename) AUTOEXEC.BAT then rename AE.KAK to
AUTOEXEC.BAT (it is a Kak install-time backup of AUTOEXEFC.BAT). Check the
Windows Startup folder and delete any file there named kak.hta.
Restart the machine and watch
closely for a process called Drive Memory
Error that **only** appears (and briefly) as a button on the taskbar. If
that happens, you missed something or did it out of order. Start over. If
you get here a second time and still have this process starting, please
Email me for further assistance.
Assuming that all has gone well, go to:
read it and download the
offical MS patch that closes the security exploit
that Kak depends on. After doing that, you can reset your Email security to
the Internet zone, although I certainly do not recommend that!
After all this, you will
almost surely have one or more messages carrying
the Kak code in your Email folders.
Unless MS re-introduces the security hole Kak depends on in a future IE
update, those message won't cause you any grief, though forwarding them to
others would be unwelcome. Note also, that any copies to self you've kept
will also have active Kak code in them. Short of getting a virus scanner
that can parse OE mail files, the only vaguely satisfactory workaround to
the "problem" of possibly forwarding an "infected" message is to configure
all your user identities to send text-only Email rather than that HTML
rubbish that is the OE default. Thus, setting text-only Email sending is a
*very good idea*.
Finally, you either need
to update your Anti-Virus protection (if you have
any), (it should have spotted this virus for you) or uninstall it and
download e.g. InnoculatIT at http://antivirus.cai.com/
This program is free and
can be updated fortnightly