The following is an archived copy of a message sent to a Discussion List run by the Campaign Against Sanctions on Iraq.

Views expressed in this archived message are those of the author, not of the Campaign Against Sanctions on Iraq.


Dreaded WScript/Kak.worm!




Dear All,

Just recently I've been having a mass of e-mails telling me that I'm
infected by the dreaded WScript/Kak.worm! I thought I got rid of this beast
earlier last month.
Having just updated my virus scan programme yet again, it had the bad manners
to tell me that I had still got the virus! As I have sent you e-mail files
recently, you should update your virus scans (if you have a virus scan
programme this is free), as the virus was still on my computer and only
showed up with the latest updated DAT files.
Apparently it is easy to send viruses inadvertently with e-mail due to a
loophole in Microsoft Windows. If you haven't updated your Windows recently,
you should do so now and get the latest patch (Security update, September
7th, 1999, Microsoft security bulletin MS99-032).

Bye for now, Dave.

PS Sorry !

PPS The following is the most useful set of 'how to' instructions I've seen
re: removing kak from your system.

========
You have the virus (some call it a worm) known as JS/Kak (aka Wscript.Kak,
Kakworm, VBS/Kak, etc).
Here are detailed and complete clean-up instructions. Unlike most earlier
instructions, including those posted by many antivirus vendors (who are
fixing theirs at my suggestion), these instructions not only remove Kak but
explain how to make your machine *immune* to re-infection from Kak, or
infection from any future viruses or worms that depend on the same security
hole to get into a machine.

Note: Kak spreads via Email. Since you were infected, you'll have been
sending infected messages. You should check your Sent Items folder **after**
applying **all** the fixes below and Email warnings (and an apology!) to
everyone you've mailed since being infected.

Note^2: Too many descriptions of how to deal with Kak ignore the fact that
infected users have mail folders full of infected messages which will hit
them again next time they are read **if the security hole Kak depends on is
not closed**. Thus, when cleaning up Kak you **MUST** follow my advice about
Outlook Express security settings **AND** installing the MS security patch
referred to at the end of this message.

In the prescribed order -- don't ask why, just do it:

First, stop using that machine for Email and News. In fact, close down all
applications. In the instructions that follow, start any mentioned
application **only** to perform the stated configuration changes, then exit
the application.

Second, check the Restricted Sites security has *all* ActiveX support set to
*disabled* (that prevents people choosing the wrong option when given the
choice if "prompt" is set) and if it is not, set it that way. You do this on
the Security tab of Tools/Internet Options in IE or the Security tab of the
Internet Options control panel (they are both routes to the same controls).
If you do not know how to check this, just select the Restricted Sites zone
and click the "Default Level" button to reset the defaults for that zone --
they are near enough.

Third, set Outlook Express so Email is considered to be in the Restricted
Sites zone. This is on the Security tab of the Tools/Options dialog.

Fourth, delete the Signature definition in Outlook Express for each
afflicted user identity (if you do not know what that means, you *probably*
only have a single identity so only need to do it once). These settings are
on the Signatures tab of the Tools/Options dialog. In theory, it is now safe
to use Outlook Express 5 for reading and sending Email -- but don't...

Fifth, delete the files kak.htm from the Windows folder and <name>.hta from
the Windows system folder. <name> is an eight character string representing
a hexadecimal number -- i.e. it consists of some combination of characters
0-9 and A-F. There could be more than one of these files -- they should be
4116 bytes in size -- delete them all. If there is more than one, then you
should find out about Outlook Express user identities and tidy up the
signature settings of all identities (that is more aesthetic than necessary,
as deleting the kak.htm file effectively disables the signatures anyway).
These files have the hidden file attribute set -- to see them you will have
to change the default settings in Explorer. If you are unsure how to do this,
select Help from the Start menu, click on the Index tab then, under Win95,
enter "hidden files, viewing" or under Win98 enter "hidden attribute" and
view the topic that is found.

Sixth, edit AUTOEXEC.BAT and delete the two lines involved in creating and
deleting kak.hta in the Windows Startup folder. If AE.KAK exists in the root
of C: and no changes have been made to AUTOEXEC.BAT since Kak infested the
machine, you can delete (or rename) AUTOEXEC.BAT then rename AE.KAK to
AUTOEXEC.BAT (it is a Kak install-time backup of AUTOEXEC.BAT). Check the
Windows Startup folder and delete any file there named kak.hta.

Restart the machine and watch closely for a process called Drive Memory
Error that **only** appears (and briefly) as a button on the taskbar. If
that happens, you missed something or did it out of order. Start over. If
you get here a second time and still have this process starting, please
Email me for further assistance.


Assuming that all has gone well, go to:

http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

read it and download the official MS patch that closes the security hole that
Kak depends on. After doing that, you can reset your Email security to the
Internet zone, although I certainly do not recommend that!

After all this, you will almost surely have one or more messages carrying
the Kak code in your Email folders. Unless MS re-introduces the security hole
Kak depends on in a future IE update, those messages won't cause you any
grief, though forwarding them to others would be unwelcome. Note also that
any copies to self you've kept will also have active Kak code in them. Short
of getting a virus scanner that can parse OE mail files, the only vaguely
satisfactory workaround to the "problem" of possibly forwarding one of these
"infected", saved messages is to configure all your user identities to send
text-only Email rather than that HTML rubbish that is the OE default. Thus,
setting text-only Email sending is a *very good idea*. Note that to set this
configuration fully, you must not only set Tools/Options/Send to
"Plain text" for the "Mail sending format", but also disable the "Reply to
messages in the format in which they were sent" option (which is also on the
Tools/Options/Send dialog).
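The file-system indicators listed in steps Fifth and Sixth above (kak.htm in the Windows folder, an eight-hex-digit .hta of 4116 bytes in the system folder, kak.hta in the Startup folder, and AUTOEXEC.BAT lines that refer to kak.hta) can be checked mechanically. The script below is an added example, not part of the original message; it assumes a Windows 9x layout of WINDOWS, WINDOWS\SYSTEM and WINDOWS\Start Menu\Programs\StartUp under the drive root, and builds a constructed sample tree with dummy files rather than real worm artifacts.

```python
"""Look for the Kak clean-up indicators described in the message (added example)."""
import os
import re
import tempfile

# <name>.hta: eight hex characters, 4116 bytes, as the instructions state.
HTA_NAME = re.compile(r"^[0-9A-F]{8}\.hta$", re.IGNORECASE)
HTA_SIZE = 4116


def find_kak_artifacts(root):
    """Return a sorted list of suspicious paths (and AUTOEXEC.BAT line refs) under a drive root."""
    windows = os.path.join(root, "WINDOWS")                      # assumed folder layout
    system = os.path.join(windows, "SYSTEM")
    startup = os.path.join(windows, "Start Menu", "Programs", "StartUp")
    found = []
    for path in (os.path.join(windows, "kak.htm"), os.path.join(startup, "kak.hta")):
        if os.path.isfile(path):
            found.append(path)
    if os.path.isdir(system):
        for name in os.listdir(system):
            full = os.path.join(system, name)
            # Both the name pattern and the exact size must match, to limit false positives.
            if HTA_NAME.match(name) and os.path.isfile(full) and os.path.getsize(full) == HTA_SIZE:
                found.append(full)
    autoexec = os.path.join(root, "AUTOEXEC.BAT")
    if os.path.isfile(autoexec):
        with open(autoexec, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if "kak.hta" in line.lower():                    # the two install lines
                    found.append(f"{autoexec}:{lineno}")
    return sorted(found)


def build_sample_tree():
    """Construct a throwaway tree with placeholder files standing in for the artifacts."""
    root = tempfile.mkdtemp()
    system = os.path.join(root, "WINDOWS", "SYSTEM")
    startup = os.path.join(root, "WINDOWS", "Start Menu", "Programs", "StartUp")
    os.makedirs(system)
    os.makedirs(startup)
    open(os.path.join(root, "WINDOWS", "kak.htm"), "w").close()
    open(os.path.join(startup, "kak.hta"), "w").close()
    with open(os.path.join(system, "3E4F00A1.hta"), "wb") as fh:
        fh.write(b"\0" * HTA_SIZE)   # filler bytes; only name and size are checked
    with open(os.path.join(system, "0000FFFF.hta"), "wb") as fh:
        fh.write(b"\0" * 100)        # right name shape, wrong size: must not be reported
    with open(os.path.join(root, "AUTOEXEC.BAT"), "w") as fh:
        fh.write("@echo off\nREM constructed line copying kak.hta\nREM constructed line deleting kak.hta\n")
    return root
```

Run `find_kak_artifacts("C:\\")` on the affected machine's drive root; an empty list after the clean-up and a restart is what you want to see.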





-- 
-----------------------------------------------------------------------
This is a discussion list run by the Campaign Against Sanctions on Iraq
For removal from list, email soc-casi-discuss-request@lists.cam.ac.uk
Full details of CASI's various lists can be found on the CASI website:
http://welcome.to/casi