Fix for Virus!
Linda Sternhill Davis
Hi All!
Thanks to a very knowledgeable mom who specializes
in computers and network systems, I was provided with the following e-message
that gives information about the kak virus, and instructions on how to remove it
permanently from any computers that might have become infected. We
cleaned our computer, so I'm quite relieved. If you suspect,
after reading the description contained in the following e-message, that your
own system might have been infected, please follow the steps indicated in
the last paragraph of Eric Chien's article (from Symantec, producer of the
Norton AntiVirus program). Please note that some of the
damage done by this virus occurs on the 1st of each month at 5pm.
May 1st is quickly approaching!!
I again apologize for inadvertently "sharing" this
KakWorm virus with others. I don't know how, where, when, or why it came
into my system, and even with my Norton AntiVirus program, it was detected
in only a small part of my computer (namely, the signature part of my Outlook
Express). To completely eradicate the virus from your computers, read
the last portion of Eric Chien's article which is at the end of this posting,
and follow the steps he suggests.
Thanks for your prompt attention -- and for your
forgiveness!!
~Linda
***********************************************
... I've been geeking for a living for many years, and in that
time I've been responsible for keeping a great many computers
virus-free and stable in all kinds of environments, or cleaning them
after someone else let them get infected. Caveat: I do Windows and
some Unix. I have not done much of anything with Macs for so many
years that I wouldn't presume to give anyone any advice at all about
them.
Whether or not your system could be infected with the virus depends
on several factors. 1) Did you open the message? 2) Do you use an
email program that displays HTML? 3) If you do, does that program
execute code found in HTML without giving you any warnings or chances
to say you don't want to do so?
If you're using Netscape for email, as far as I know you're in
trouble. If you're using any current version of Eudora, you have a
setting somewhere that lets you choose whether you want Eudora to
permit code to run without your approval. If you use Outlook or
Outlook Express, I think you're almost certainly in trouble
(depending on your virus and security settings). If you're using
another email program, I don't know for sure, but I'd be finding out
ASAP.
If you do use Outlook Express or Internet Explorer's newsgroup
reader, you might have already spread the virus to others. You
definitely need to check. I've copied an article from Symantec's web
site below to give you more information about this particular virus.
If you already have a current virus protection program and updated
virus definitions for it, you're probably fine - this virus has been
around since December, and Symantec (maker of the Norton products)
released updates protecting their users from it back then. Most other
manufacturers probably did the same. I have my software set to check
all files for viruses as they're created on my hard drive, so I was
alerted as soon as the mail was downloaded - before I read it. Some
people don't use that level of security - it isn't the default in any
program I've used recently - so if you're using your program's
default settings, you might not have been alerted until you started
to open the message. As long as you didn't open it, you should still
be safe.
- From http://www.sarc.com/avcenter/venc/data/wscript.kakworm.html :
Wscript.KakWorm
VBS.KakWorm spreads using Microsoft Outlook Express. It attaches
itself to all outgoing messages via the Signature feature of Outlook
Express and Internet Explorer newsgroup reader.
The worm utilizes a known Microsoft Outlook Express security hole so
that a viral file is created on the system without having to run any
attachment. Simply reading the received email message will cause the
virus to be placed on the system.
Microsoft has patched this security hole. The patch is available from
Microsoft's website. If you have a patched version of Outlook
Express, this worm will not work automatically.
Also known as: VBS.Kak.Worm, Kagou-Anti-Krosoft
Category: WORM
Infection length: 4116 Bytes
Virus definitions: December 30, 1999
Threat assessment:
Damage: MEDIUM
Distribution: HIGH
Wild: HIGH
Wild
Number of infections: More than 1000
Number of sites: 3-10
Geographical Distribution: High
Threat containment: Medium
Removal: Medium
Damage
Payload: Modifies the registry keys and shuts down Windows Payload
trigger: First of any month at 5pm Degrades performance: Shuts Down
Windows
Distribution
Size of Attachment: 4116 bytes Target of infection: Microsoft Outlook
Express, Internet Explorer Usenet Newsreader
Technical description
The worm appends itself to the end of legitimate outgoing messages as
a signature. When receiving the message, the worm will automatically
insert a copy of itself into the appropriate StartUp directory of the
Windows operating system for both English and French language
versions. The file created is named KAK.HTA.
The worm utilizes a known Microsoft Outlook Express security hole,
Scriptlet.Typelib, so that a viral file is created on the system
without having to run any attachment. Simply reading the received
email message will cause the virus to be placed on the system.
Microsoft has patched this security hole. The patch is available from
Microsoft's website. If you have a patched version of Outlook
Express, this worm will not work automatically.
HTA files are executed by current versions of Microsoft Internet
Explorer or Netscape Navigator. The system must be rebooted for this
file to be executed. Once executed, the worm modifies the registry
key:
HKCU/Identities/<Identity>/Software/
Microsoft/Outlook/Express/5.0/signatures
in order to add its own signature file, which is the infected KAK.HTA
file. This causes all outgoing mail to be appended by the worm. In
addition, the registry key:
HKLM/Software/Microsoft/Windows/ CurrentVersion/Run/cAgOu
is added which causes the worm to be executed each time the computer
is restarted.
Finally, if it is the first of the month and the hour is 17 (5:00pm),
the following message is displayed:
Kagou-Anti-Kro$oft says not today!
and Windows is sent the message to shutdown.
Removal:
Delete the following file: KAK.HTA Delete the following registry key:
HKLM/Software/Microsoft/Windows/ CurrentVersion/Run/cAgOu
Write-up by: Eric Chien Dec 30, 1999