Also available in French


Presentation and disinfection of the KAK Virus

by David Defoort


What are the configurations attacked by the virus? How does the virus propagate?

This virus attacks computers running Microsoft Windows 95/98 with Microsoft Internet Explorer 5.0. It writes several files on the hard drive and installs itself as the default signature in Microsoft Outlook Express so that it can spread to another computer very easily. To get the virus, all you have to do is open an infected message (unless you have changed some security settings).
Even if you don't use Microsoft Outlook Express, your computer can pass the virus on to someone else because it is included and hidden in HTML-format messages: just forwarding an infected message (using your email client) to someone else is enough.


Is my computer infected?

Your computer is likely to be infected if it matches one of the following statements:
- on the hard drive there is the following file: C:\AE.KAK (this file is not harmful)
- on the hard drive there is a file whose name matches C:\WINDOWS\SYSTEM\*.HTA, where * is a string like 74F03760 (but actually different, because it is unique to each machine)
- on the hard drive there is a file named C:\WINDOWS\KAK.HTM
- in the Start Menu, there is a file named KAK.HTA (actually in Start/Programs/StartUp)
- at startup of Microsoft Windows, you see a strange window with "Driver Memory Error" as its title
- on the hard drive there are files named *.KAK or KAK.*, and you don't know anything about those files
- on the first of each month, your PC reboots at 5pm with a strange message....
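As an added example (not the author's kakiller tool), a Python script that walks a directory laid out like C:\ and reports the indicators above. The infected tree it scans is constructed inline in a temporary directory; the Run\cAg0u registry value from the disinfection steps is not checked, since that needs a live Windows registry.

```python
import os
import re
import tempfile
# Added example (not the author's kakiller tool): scan a directory laid out like
# C:\ on Windows 95/98 for the KAK indicators listed above. Names use the page's
# upper-case spellings; the HTA in WINDOWS\SYSTEM has an 8-hex-digit name.
HTA_NAME = re.compile(r"^[0-9A-F]{8}\.HTA$", re.IGNORECASE)
FILE_INDICATORS = [
    (("AE.KAK",), "autoexec.bat backup C:\\AE.KAK"),
    (("WINDOWS", "KAK.HTM"), "signature file C:\\WINDOWS\\KAK.HTM"),
    (("WINDOWS", "KAK.REG"), "registry script C:\\WINDOWS\\KAK.REG"),
    (("WINDOWS", "START MENU", "PROGRAMS", "STARTUP", "KAK.HTA"),
     "StartUp item KAK.HTA (English Windows)"),
    (("WINDOWS", "MENU DEMARRER", "PROGRAMMES", "DEMARRAGE", "KAK.HTA"),
     "StartUp item KAK.HTA (French Windows)"),
]

def kak_indicators(root):
    """Return the indicators present under root (a directory standing in for C:\\)."""
    found = [label for parts, label in FILE_INDICATORS
             if os.path.isfile(os.path.join(root, *parts))]
    system = os.path.join(root, "WINDOWS", "SYSTEM")
    if os.path.isdir(system):
        found += ["dropped HTA C:\\WINDOWS\\SYSTEM\\" + name
                  for name in sorted(os.listdir(system)) if HTA_NAME.match(name)]
    autoexec = os.path.join(root, "AUTOEXEC.BAT")
    if os.path.isfile(autoexec):
        with open(autoexec, encoding="latin-1") as fh:
            if any("kak.hta" in line.lower() for line in fh):
                found.append("kak.hta lines in C:\\AUTOEXEC.BAT")
    return found  # the Run\cAg0u registry value needs a live registry; not checked here

def build_sample_tree():
    """Constructed infected tree in a temp directory, mirroring the page's indicators."""
    root = tempfile.mkdtemp()
    files = {
        "AE.KAK": "", "WINDOWS/KAK.HTM": "",
        "WINDOWS/SYSTEM/74F03760.HTA": "",
        "WINDOWS/SYSTEM/SHELL32.DLL": "",  # benign neighbour, must not be reported
        "WINDOWS/START MENU/PROGRAMS/STARTUP/KAK.HTA": "",
        "AUTOEXEC.BAT": "@echo off > C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak.hta\n"
                        "del C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak.hta\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(text)
    return root
```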


What does the virus do?

First of all, the virus is not very harmful: its only annoying effect is to reboot Microsoft Windows on the first of each month at 5pm.... The following window is then displayed:

Screen capture


Manual disinfection

The first thing to do is to close your email client and not read or send any email until your computer is DISINFECTED and PROTECTED (those are two different things...). You should also contact all the people (not by email!!) you may have contacted and infected since you think your computer got the virus. Give them the address of this page (http://defoort.free.fr/virus/kak.html).

Before disinfecting your computer, make sure your computer is protected (see the prevention section). If it is not protected, you will have to disinfect again if you read an infected mail again (especially if you preview the email using the preview pane at the bottom of the Microsoft Outlook Express main window).

BE CAREFUL: DO NOT FOLLOW THESE INSTRUCTIONS IF YOU ARE NOT FAMILIAR WITH FILE MANIPULATION, THE REGISTRY (IF YOU DON'T KNOW WHAT IT IS, THIS MEANS YOU ARE NOT FAMILIAR WITH IT) OR EDITING AUTOEXEC.BAT.... A BAD MANIPULATION CAN MAKE YOUR PC UNBOOTABLE!!!!

BY USING THESE INSTRUCTIONS, YOU ALSO ACKNOWLEDGE THAT THEY ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND.

PLEASE ALSO NOTE THAT YOU HAVE TO PERFORM EACH AND EVERY STEP IF YOU WANT THE VIRUS TO BE DELETED.

1. Modification of the Autoexec.bat file

The virus has probably added the following lines to the c:\autoexec.bat file:
@echo off > C:\Windows\STARTM~1\Programs\StartUp\kak.hta
del C:\Windows\STARTM~1\Programs\StartUp\kak.hta

or the French equivalent if you run Microsoft Windows 95/98 in French (C:\Windows\MENUDÉ~1)

To correct this file, you can either edit it directly and remove those two lines, or rename c:\AE.KAK to C:\AUTOEXEC.BAT (AE.KAK is a backup that the virus made when it installed itself on your computer, so it does not contain any modifications made to the Autoexec.bat since then).

2. Destruction of the following files:

You can (and have to) delete the following files:
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\KAK.HTA or C:\WINDOWS\MENU DEMARRER\PROGRAMMES\DEMARRAGE\KAK.HTA for the French version of Microsoft Windows
C:\WINDOWS\SYSTEM\xxxxxxxx.HTA where xxxxxxxx is unique to each PC and looks like 74F03760
C:\WINDOWS\KAK.HTM
C:\WINDOWS\KAK.REG (rarely present on computers)

Don't forget to empty the Recycle Bin so that the files cannot be restored later...

3. Modification of the registry

Remove the following entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cAg0u

4. Modification of the signature in Microsoft Outlook Express 5.0

In Microsoft Outlook Express (if this software is installed), go to the menu Tools/Options, Signatures tab: remove the default signature installed by the virus (the associated file should be KAK.HTM). The signature should be named "Signature #1".

5. Reboot your computer; it should now be disinfected.

READING AN INFECTED EMAIL WILL REINFECT YOUR COMPUTER IF IT IS NOT PROTECTED. FOLLOW THE PREVENTION SECTION IF YOU WANT TO PROTECT YOUR COMPUTER.
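As an added example (not the author's kakiller tool), the two repair strategies from step 1 as pure Python functions on the file's text, so the result can be inspected before anything is written back to C:\AUTOEXEC.BAT; the backup strategy also reports which legitimate lines the AE.KAK copy would lose. The AUTOEXEC.BAT contents used to exercise it are constructed.

```python
import re

# Added example (not the author's kakiller tool): the two repair strategies from
# step 1, as pure functions on the file's text. The virus's two lines both end in
# \kak.hta under the StartUp folder, spelled with the 8.3 short name STARTM~1
# (English Windows) or MENUDÉ~1 (French Windows); both spellings match below.
KAK_LINE = re.compile(r"^\s*(?:@echo\s+off\s*>|del\s+).*\\kak\.hta\s*$", re.IGNORECASE)

def strip_kak_lines(autoexec_text):
    """Strategy A: drop only the lines the virus appended and keep everything else."""
    kept = [ln for ln in autoexec_text.splitlines() if not KAK_LINE.match(ln)]
    return "\n".join(kept) + ("\n" if kept else "")

def restore_from_backup(backup_text, current_text):
    """Strategy B: reuse the AE.KAK backup, but list the legitimate lines it would lose.

    AE.KAK was taken when the virus installed itself, so every non-virus line
    added to AUTOEXEC.BAT since then is absent from it and must be re-applied.
    Returns (restored_text, lost_lines).
    """
    backup_lines = set(backup_text.splitlines())
    lost = [ln for ln in current_text.splitlines()
            if not KAK_LINE.match(ln) and ln not in backup_lines]
    return backup_text, lost
```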


Automatic disinfection

The first thing to do is to close your email client and not read or send any email until your computer is DISINFECTED and PROTECTED (those are two different things...). You should also contact all the people (not by email!!) you may have contacted and infected since you think your computer got the virus. Give them the address of this page (http://defoort.free.fr/virus/kak.html).

Before disinfecting your computer, make sure your computer is protected (see the prevention section). If it is not protected, you will have to disinfect again if you read an infected mail again (especially if you preview the email using the preview pane at the bottom of the Microsoft Outlook Express main window).

I wrote a very simple program to perform an automatic disinfection (except for the Microsoft Outlook Express part), which you can use freely.

This software (the "SOFTWARE") is provided "AS IS" without warranty of any kind, either express or implied, including, without limitation, the implied warranties or conditions of merchantable quality, noninfringement, and fitness for a particular purpose. The entire risk as to the quality and performance of the software is borne by you. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, neither the OWNER nor any DISTRIBUTOR of the SOFTWARE shall be liable to you for any loss or damage related to the installation or use of the SOFTWARE including, without limitation, any inaccuracy of data, loss of profits or indirect, special, incidental or consequential damages, even if the parties have been advised of the possibility of such damages. IN NO CASE SHALL the OWNER's or any DISTRIBUTOR of the SOFTWARE's LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE.

By downloading this software, you implicitly accept the preceding terms.

That being said, the software does nothing without your prior consent.

Download version 1.1 here: kakiller.exe 116kb (Zip version 55kb)

READING AN INFECTED EMAIL WILL REINFECT YOUR COMPUTER IF IT IS NOT PROTECTED. FOLLOW THE PREVENTION SECTION IF YOU WANT TO PROTECT YOUR COMPUTER.


Prevention against this kind of virus

1. Modify the settings of Microsoft Outlook and Microsoft Outlook Express

These programs let you set the security level you want. By default, the level is set to THE LEAST SECURE LEVEL, which is very bad. To modify these settings, you have to open the Options of Microsoft Outlook or Microsoft Outlook Express:

Open the menu Tools/Options, tab Security: choose Zone="Restricted sites zone"

This option will prevent Microsoft Outlook from automatically reading and executing viruses like KAK.

Each time an untrusted ActiveX component is included in an email, a message will be displayed on the screen.

2. Message in plain text

When possible, send your messages in "plain text" format to avoid transmitting viruses (you can choose the option for each mail in the Format menu, or modify your settings to use this format by default in the Options of Microsoft Outlook).

3. Microsoft Patch

Microsoft has released a patch for Microsoft Windows 95/98:
Information: http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
Patch (~100kb): http://www.microsoft.com/msdownload/iebuild/scriptlet/en/125795_INTL.htm

4. THIS CAN NEVER BE REPEATED ENOUGH: NEVER RUN EXECUTABLES ATTACHED TO AN EMAIL!!!!!!!!!!!!!
IT IS CERTAINLY NOT WORTH THE RISK JUST TO SEE A FANCY IMAGE OR ANIMATION...

Remark: the KAK virus is not a virus of this kind, but many viruses work that way.


Microsoft, Windows, Windows NT, and other names of Microsoft products referenced herein are trademarks or registered trademarks of Microsoft. Other product and company names mentioned herein may be the trademarks of their respective owners.


Copyright 2000-2002 David Defoort (do not hesitate to contact me for any correction, suggestion or anything else!)
Last revision: 12/10/2002