
VillageNet - (Merlins Cave)

(Removing the kak e-mail worm (virus).)

If you have any Computer Related problems e-mail the wizard for help


Just recently we at VillageNet were infected with the kak e-mail worm. This is more of a pain than a serious problem; however, if you do not stop it infecting your P.C., the next worm of a similar design could seriously damage your P.C. software.

We suggest you print this page for future reference.

Diagnosis:

Carry out the following procedure to see if you have the virus.

  1. In Outlook Express 5 click on [Tools] - [Options] then the [Signature Tab].
  2. If the signature file at the bottom points to kak.htm, then you have this worm.
  3. Check to see whether the file c:\ae.kak is there; this is another file that shows you have the worm.
  4. If you do not have the worm, still check out our prevention section.

Cure:

  1. Shut down Microsoft Outlook Express if it is open.
  2. Then you need to set your explorer to show hidden files so - double click on the "My Computer" icon on your desktop.
  3. Now click on [View] - [Folder Options] then the [View Tab].
  4. Now click where it says [Show all files] so that the circle next to Show is filled.
  5. Now click OK. This means you will now see the hidden files on the system; they are usually less coloured than non-hidden files.
  6. DO NOT REMOVE any hidden files unless you know what you are doing.
  7. Now in My Computer click onto your c: drive, into your windows directory, and delete the file called kak.htm.
  8. Still in My Computer, click into [Start Menu\Programs\Startup] and remove the file called kak.hta.
  9. Now comes the bit you have to be very careful with.
  10. Click on [Start] - [Run] and type in "RegEdit" then click [OK]
  11. BE VERY CAREFUL, you are now in the registry editor, and a mistake can stop your P.C. from starting.
  12. Click on the + next to HKEY_LOCAL_MACHINE then
  13. Click on the + next to Software then
  14. Click on the + next to Microsoft then
  15. Click on the + next to Windows then
  16. Click on the + next to CurrentVersion then
  17. Click on [Run] not the + this time, a list of entries will appear in the right column.
  18. An entry for cAgOu will be listed with [ab] to the left.
  19. Click on the word [cAgOu]; it will appear in dark blue.
  20. Now press the [Delete] key. A window will pop up which says "Are you sure you want to delete this value" [Yes] or [No].
  21. Click on [Yes].
  22. Now click on [Registry] at the top of the screen then [Exit]
  23. Phew the dodgy bit is over.
  24. Now you need to stop the pesky worm re-infecting on reboot
  25. For the last bit you need to be a little careful: firstly, copy c:\autoexec.bat to c:\autoexec.kak (steps 26 to 36).
  26. Double Click on the [My Computer] icon on your main window.
  27. Now click on the [c:] drive icon.
  28. Check to see if there is a file called ae.kak in the directory, if not skip steps 29 - 36
    *******************************************
  29. Left Click once on the Autoexec.bat file, then Right Click on the Autoexec.bat file.
  30. Move the cursor down to [rename], click on rename with the left hand mouse button.
  31. In the box type "autoexec.kak" then press [Return]
  32. Warning - DO NOT REBOOT YOUR MACHINE
  33. Left Click once on the ae.kak file, then Right Click on the ae.kak file.
  34. Move the cursor down to [rename], click on rename with the left hand mouse button.
  35. In the box type "Autoexec.bat" then press [Return]
  36. Check that there is an Autoexec.bat file in your c: drive. If there is not, you have spelt a file name incorrectly. DO NOT REBOOT until you have an Autoexec.bat file, or your Windows will not start.
    *******************************************
  37. OK, it's now safe when you reboot.
  38. Finally open up Outlook Express, click on [Tools] - [Options] then the [Signature Tab], and change the [File] setting to remove the kak.htm entry. Apply and shut down Outlook.
  39. Now REBOOT your P.C. and carry out the Diagnosis check again to see if all is OK. 
  40. If OK go to the prevention section before opening up Outlook Express again.
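
An added example (not part of the original VillageNet page): a small Python check for the leftovers named in the Diagnosis and Cure steps, run against a live C: drive or a mounted copy of the disk. It assumes the Startup folder sits under the Windows directory and that the registry was exported to a text file from RegEdit; file names are matched ignoring case.

```python
"""Added example: look for the Kak leftovers named in the steps above."""
import re
from pathlib import Path

# File indicators from the Diagnosis and Cure steps, relative to the C: root.
# Assumption: the Startup folder sits under the Windows directory.
FILE_INDICATORS = [
    ("ae.kak",),
    ("windows", "kak.htm"),
    ("windows", "Start Menu", "Programs", "Startup", "kak.hta"),
]
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"


def find_ci(root, parts):
    """Resolve parts under root ignoring case; None if any part is missing."""
    current = Path(root)
    for part in parts:
        kids = current.iterdir() if current.is_dir() else []
        current = next((p for p in kids if p.name.lower() == part.lower()), None)
        if current is None:
            return None
    return current


def run_key_has_cagou(reg_text):
    """True if a RegEdit text export lists a cAgOu value under the Run key."""
    section = ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # remember which key we are inside
        elif section == RUN_KEY and re.match(r'"cagou"\s*=', line, re.I):
            return True
    return False


def triage(root, reg_export=None):
    """Return the indicators found; an empty list means none were seen."""
    hits = [str(p) for p in (find_ci(root, i) for i in FILE_INDICATORS) if p]
    if reg_export and run_key_has_cagou(Path(reg_export).read_text(errors="replace")):
        hits.append("Run value cAgOu")
    return hits


if __name__ == "__main__":
    import sys
    # Usage: script.py [C: root or mounted copy] [RegEdit export file]
    print(triage(*(sys.argv[1:3] or ["C:\\"])) or "no Kak indicators found")
```

A hit on ae.kak alone can also be the file that the Prevention section sets to read-only, so read that result together with the others.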

Prevention:

  1. Firstly open [My Computer], click once on c:\ae.kak, then click the right mouse button, choose properties, and set it to read-only.
  2. Carry out step 1 for c:\autoexec.bat as well.
  3. Finally go to http://www.microsoft.com and download the latest patch for Outlook Express that stops Active Server Page Scripts running.
  4. Run the Microsoft patch.
  5. You can now run Outlook Express, and as you go through your in-box any files with this virus will get a message saying that "an ActiveX control on this page is unsafe".
  6. You can safely open the file as the patch will fix the problem.

© VillageNet 1999

wizard@villagenet.co.uk