The following is an archived copy of a message sent to a Discussion List run by the Campaign Against Sanctions on Iraq.
Views expressed in this archived message are those of the author, not of the Campaign Against Sanctions on Iraq.
[Main archive index/search] [List information] [Campaign Against Sanctions on Iraq Homepage]
Dear All, Just recently I've been having a mass of e-mail's telling me that I'm infected by the dreaded WScript/Kak.worm! I thought I got rid of this beast earlier last month. Having just updated my virus scan programme yet again it had the bad manners to tell me that I had still got the virus! As a I have sent you e-mail files recently you should update your virus scans (it you have a virus scan programme this is free) as the virus was still on my computer and only showed up with the latest up dated DAT files. Apparently it is easy to send viruses inadvertently with e-mail due to a loophole in Microsoft Windows if you haven't updated your windows recently you should do so now and get the latest patch (Security update, September 7th, 1999 Microsoft security bulletin MS99-032). By for now, Dave. PS Sorry ! PPS The following is the most useful set of 'how to' instructions I've seen re: removing kak from your system. ======== You have the virus (some call it a worm) known as JS/Kak (aka Wscript.Kak, Kakworm, VBS/Kak, etc). Here are detailed and complete clean-up instructions. Unlike most earlier instructions, including those posted by many antivirus vendors (who are fixing theirs at my suggestion), these instructions not only remove Kak but explain how to make your machine *immune* to re-infection from Kak, or infection from any future viruses or worms that depend on the same security hole to get into a machine. Note: Kak spreads via Email. Since you were infected, you'll have been sending infected messages. You should check your Sent Items folder **after** applying **all** the fixes below and Email warnings (and an apology!) to everyone you've mailed since being infected. Note^2: Too many descriptions of how to deal with Kak ignore the fact that infected users have mail folders full of infected messages which will hit them again next time they are read **if the security hole Kak depends on is not closed**. Thus, when cleaning up Kak you **MUST** follow my advice about Outlook Express security settings **AND** installing the MS security patch referred to at the end of this message. In the prescribed order -- don't ask why, just do it: First, stop using that machine for Email and News. In fact, close down all applications. In the instructions that follow, start any mentioned application **only** perform the stated configuration changes then exit the application. Second, check the Restricted Sites security has *all* ActiveX support set to *disabled* (that prevents people choosing the wrong option when given the choice if "prompt" is set) and if it is not, set it that way. You do this on the Security tab of Tools/Internet Options in IE or the Security tab of the Internet Options control panel (they are both routes to the same controls). If you do not know how to check this, just select the Restricted Sites zone and click the "Default Level" button to reset the defaults for that zone --they are near enough. Third, set Outlook Express so Email is considered to be in the Restricted Sites zone. This is on the Security tab of the Tools/Options dialog. Fourth, delete the Signature definition in Outlook Express for each afflicted user identity (if you do not know what that means, you *probably* only have a single identity so only need to do it once). These settings are on the Signatures tab of the Tools/Options dialog. In theory, it is now safe to use Outlook Express 5 for reading and sending Email -- but don't... Fifth, delete the files kak.htm from the Windows folder and <name>.hta from the Windows system folder. <name> is an eight character string representing a hexadecimal number -- i.e. it consists of some combination of characters 0-9 and A-F. There could be more than one of these files -- they should be 4116 bytes in size --delete them all. If there is more than one, then you should find out about Outlook Express user identities and tidy up the siganture settings of all identities (that is more aesthetic than necessary, as deleting the kak.htm file effectively disables the signatures anyway).These files have the hidden file attribute set -- to see them you will have to change the default settings in Explorer. If you are unsure how to do this, select Help from the Start menu, click on the Index tab then, under Win95, enter "hidden files, viewing" or under Win98 enter "hidden attribute" and view the topic that is found. Sixth, edit AUTOEXEC.BAT and delete the two lines involved in creating and deleting kak.hta in the Windows Startup folder. If AE.KAK exists in the root of C: and no changes have been made to AUTOEXEC.BAT since Kak infested the machine, you can delete (or rename) AUTOEXEC.BAT then rename AE.KAK to AUTOEXEC.BAT (it is a Kak install-time backup of AUTOEXEC.BAT). Check the Windows Startup folder and delete any file there named kak.hta. Restart the machine and watch closely for a process called Drive Memory Error that **only** appears (and briefly) as a button on the taskbar. If that happens, you missed something or did it out of order. Start over.If you get here a second time and still have this process starting, please Email me for further assistance. Assuming that all has gone well, go to: http://www.microsoft.com/technet/security/bulletin/ms99-032.asp read it and download the offical MS patch that closes the security hole that Kak depends on. After doing that, you can reset your Email security to the Internet zone, although I certainly do not recommend that! After all this, you will almost surely have one or more messages carrying the Kak code in your Email folders.Unless MS re-introduces the security hole Kak depends on in a future IE update, those message won't cause you any grief though forwarding them to others would be unwelcome. Note also, that any copies to self you've kept will also have active Kak code in them. Short of getting a virus scanner that can parse OE mail files, the only vaguely satisfactory workaround to the "problem" of possibly forwarding one of these "infected", saved messages is to configure all your user identities to send text-only Email rather than that HTML rubbish that is the OE default. Thus, setting text-only Email sending is a *very good idea*. Note that to set this configuration fully, you must not only set Tools/Options/Send to "Plain text" for the "Mail sending format", but also disable the "Reply to messages in the format in which they were sent" option (which is also on the Tools/Options/Send dialog). -- ----------------------------------------------------------------------- This is a discussion list run by the Campaign Against Sanctions on Iraq For removal from list, email soc-casi-discuss-request@lists.cam.ac.uk Full details of CASI's various lists can be found on the CASI website: http://welcome.to/casi