Linda Sternhill Davis

Hi All!
 
I sent the following e-message to everyone about an hour ago.  In that time, I received a digest from the homeschooling eGroup where the computer specialist mom has been trying to help others remove that kak virus.  I'm, therefore, sending to you her latest update which was written in response to another eGroup member who questioned how a computer's registry can be changed.  Entering the registry seems to be the only way to remove this virus fully from any system.  Therefore, please follow Cyn's directions carefully, since entering the registry can be risky for unfamiliar folks.  What follows is (1) my message for removing the virus from your computers that was already sent to you; and (2) Cyn's e-message about accessing the registry.  Hopefully, these two e-messages, in combination, will clean that worm virus out of all computers completely!!
 
~Linda
 
 
----- Original Message -----
Sent: Saturday, April 29, 2000 1:23 AM
Subject: Fix for Virus!

Hi All!
 
Thanks to a very knowledgeable mom who specializes in computers and network systems, I was provided with the following e-message that gives information about the kak virus, and instructions on how to remove it permanently from any computers that might have become infected.  We cleaned our computer, so I'm quite relieved.  If you suspect, after reading the description contained in the following e-message, that your own system might have been infected, please follow the steps indicated in the last paragraph of Eric Chien's article (from Symantec, producer of the Norton AntiVirus program).  Please note that some of the damage done by this virus occurs on the 1st of each month at 5pm.  May 1st is quickly approaching!!  
 
I again apologize for inadvertently "sharing" this KakWorm virus with others.  I don't know how, where, when, or why it came into my system, and even with my Norton AntiVirus program, it was detected in only a small part of my computer (namely, the signature part of my Outlook Express).  To completely eradicate the virus from your computers, read the last portion of Eric Chien's article which is at the end of this posting, and follow the steps he suggests. 
 
Thanks for your prompt attention -- and for your forgiveness!!
 
~Linda
 
 
***********************************************

... I've been geeking for a living for many years, and in that
time I've been responsible for keeping a great many computers
virus-free and stable in all kinds of environments, or cleaning them
after someone else let them get infected. Caveat: I do Windows and
some Unix. I have not done much of anything with Macs for so many
years that I wouldn't presume to give anyone any advice at all about
them.

Whether or not your system could be infected with the virus depends
on several factors. 1) Did you open the message? 2) Do you use an
email program that displays HTML? 3) If you do, does that program
execute code found in HTML without giving you any warnings or chances
to say you don't want to do so?

If you're using Netscape for email, as far as I know you're in
trouble. If you're using any current version of Eudora, you have a
setting somewhere that lets you choose whether you want Eudora to
permit code to run without your approval. If you use Outlook or
Outlook Express, I think you're almost certainly in trouble
(depending on your virus and security settings). If you're using
another email program, I don't know for sure, but I'd be finding out
ASAP.

If you do use Outlook Express or Internet Explorer's newsgroup
reader, you might have already spread the virus to others. You
definitely need to check. I've copied an article from Symantec's web
site below to give you more information about this particular virus.

If you already have a current virus protection program and updated
virus definitions for it, you're probably fine - this virus has been
around since December, and Symantec (maker of the Norton products)
released updates protecting their users from it back then. Most other
manufacturers probably did the same. I have my software set to check
all files for viruses as they're created on my hard drive, so I was
alerted as soon as the mail was downloaded - before I read it. Some
people don't use that level of security - it isn't the default in any
program I've used recently - so if you're using your program's
default settings, you might not have been alerted until you started
to open the message. As long as you didn't open it, you should still
be safe.

From http://www.sarc.com/avcenter/venc/data/wscript.kakworm.html:

Wscript.KakWorm

VBS.KakWorm spreads using Microsoft Outlook Express. It attaches
itself to all outgoing messages via the Signature feature of Outlook
Express and Internet Explorer newsgroup reader.

The worm utilizes a known Microsoft Outlook Express security hole so
that a viral file is created on the system without having to run any
attachment. Simply reading the received email message will cause the
virus to be placed on the system.

Microsoft has patched this security hole. The patch is available from
Microsoft's website. If you have a patched version of Outlook
Express, this worm will not work automatically.

Also known as: VBS.Kak.Worm, Kagou-Anti-Krosoft

Category: WORM

Infection length: 4116 Bytes

Virus definitions: December 30, 1999

Threat assessment:
Damage: MEDIUM
Distribution: HIGH
Wild: HIGH

Wild

Number of infections: More than 1000
Number of sites: 3-10
Geographical Distribution: High
Threat containment: Medium
Removal: Medium

Damage

Payload: Modifies the registry keys and shuts down Windows
Payload trigger: First of any month at 5pm
Degrades performance: Shuts Down Windows

Distribution

Size of Attachment: 4116 bytes
Target of infection: Microsoft Outlook Express, Internet Explorer Usenet Newsreader

Technical description

The worm appends itself to the end of legitimate outgoing messages as
a signature. When receiving the message, the worm will automatically
insert a copy of itself into the appropriate StartUp directory of the
Windows operating system for both English and French language
versions. The file created is named KAK.HTA.

The worm utilizes a known Microsoft Outlook Express security hole,
Scriptlet.Typelib, so that a viral file is created on the system
without having to run any attachment. Simply reading the received
email message will cause the virus to be placed on the system.

Microsoft has patched this security hole. The patch is available from
Microsoft's website. If you have a patched version of Outlook
Express, this worm will not work automatically.

HTA files are executed by current versions of Microsoft Internet
Explorer or Netscape Navigator. The system must be rebooted for this
file to be executed. Once executed, the worm modifies the registry
key:

HKCU/Identities/<Identity>/Software/Microsoft/Outlook/Express/5.0/signatures

in order to add its own signature file, which is the infected KAK.HTA
file. This causes all outgoing mail to be appended by the worm. In
addition, the registry key:

HKLM/Software/Microsoft/Windows/CurrentVersion/Run/cAgOu

is added which causes the worm to be executed each time the computer
is restarted.

Finally, if it is the first of the month and the hour is 17 (5:00pm),
the following message is displayed:

Kagou-Anti-Kro$oft says not today!

and Windows is sent the message to shut down.

Removal:
Delete the following file: KAK.HTA
Delete the following registry key: HKLM/Software/Microsoft/Windows/CurrentVersion/Run/cAgOu



Write-up by: Eric Chien Dec 30, 1999
 
****************************************************************
 
Message: 2
Date: Fri, 28 Apr 2000 07:59:13 -0400
From: Cynthia Armistead <cyn@...>
Subject: Re: That virus again

At 11:31 PM 4/27/00, Dena wrote:
 >How do you delete a registry key?

The standard answer is that if you don't know how to get into the
registry you don't have any business being there. BUT - since I
mentioned it . . . PLEASE BE CAREFUL WITH THIS INFO! You can
COMPLETELY hose your software!

1) Go to the Windows Start Menu and select Run.
2) Type in
regedit
and hit enter or the OK button.
3) When the Registry Editor opens, go to the File menu and select
Export Registry File. Give your current registry a name that means
something to you and save it somewhere so you can find it again if
something goes wrong later. I'd suggest saving it to a floppy or some
other removable media if possible. Make sure All is selected under
Export Range.
4) Now that you've backed up the current version, you can search for
the entry you want to delete by going to the Edit menu and selecting
Find.
5) Once you find the entry in question, right-click on it and select
Delete. There is no undo for this step - once it's gone, it's gone.
6) Close the Registry Editor. Changes are saved automatically.

Cyn
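
Step 3 of Cyn's instructions leaves you with a registry export file. As an added example (not part of the original e-mails or the Symantec write-up), the Python script below scans the text of such an export for the two registry indicators the write-up names: the cAgOu value under the Run key and a signatures entry that points at KAK.HTA. The REGEDIT4 sample, its file paths, the identity GUID and the value names "name" and "file" are constructed for illustration.

```python
import re

# Indicators taken from the Symantec write-up quoted above. An export file
# spells the hive out in full and uses backslashes instead of HKLM/...
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "cagou"
DROPPED_FILE = "kak.hta"

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg exports escape backslashes and quotes with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)

def scan_export(text):
    """Return (key, value name, data) for every entry matching an indicator."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE.match(line)
        if not (m and key):
            continue  # header, blank line, or non-string value (dword:, hex:)
        name, data = unescape(m.group(1)), unescape(m.group(2))
        k = key.lower()
        is_run = k == RUN_KEY and name.lower() == RUN_VALUE
        is_sig = "\\signatures" in k and DROPPED_FILE in data.lower()
        if is_run or is_sig:
            findings.append((key, name, data))
    return findings

# Constructed sample export (not taken from a real infected machine)
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"cAgOu"="C:\\WINDOWS\\SYSTEM\\EXAMPLE.HTA"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"name"="Signature #1"
"file"="C:\\WINDOWS\\KAK.HTA"
'''

if __name__ == "__main__":
    for key, name, data in scan_export(SAMPLE):
        print(f"{key}\n    {name} = {data}")
```

Exports made on Windows 2000 and later are UTF-16 encoded, so decode the file accordingly before passing its text to scan_export.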