Images of Norway

Anti-Virus at storsand.net

Home

Norway

Anti-Virus
Security

Humour

Site Map
Search
Contact

KAK removal instructions!

By Nick Fitzgerald

Here are detailed and complete clean-up instructions.
Unlike most earlier instructions, including those posted by many antivirus vendors (who are fixing theirs at my suggestion), these instructions not only remove Kak but explain how to make your machine immune to re-infection from Kak, or infection from any future viruses or worms that depend on the same security hole to get into a machine.

Note 1: Kak spreads via Email. Since you were infected, you'll have been sending infected messages. You should check your Sent Items folder after applying all the fixes below and Email warnings (and an apology!) to everyone you've mailed since being infected.
Note 2: Too many descriptions of how to deal with Kak ignore the fact that infected users have mail folders full of infected messages, which will hit them again next time they are read if the security hole Kak depends on is not closed. Thus, when cleaning up Kak you MUST follow my advice about Outlook Express security settings AND installing the MS security patch referred to at the end of this message.

In the prescribed order -- don't ask why, just do it:

  1. Stop using that machine for Email and News.
    In fact, close down all applications.
    In the instructions that follow, start any mentioned application only perform the stated configuration changes then exit the application.

  2. Check the Restricted Sites security has all ActiveX support set to *disabled* (that prevents people choosing the wrong option when given the choice if "prompt" is set) and if it is not, set it that way.
    You do this on the Security tab of Tools/Internet Options in IE or the Security tab of the Internet Options control panel (they are both routes to the same controls).
    If you do not know how to check this, just select the Restricted Sites zone and click the "Default Level" button to reset the defaults for that zone -- they are near enough.

  3. Set Outlook Express so Email is considered to be in the Restricted Sites zone.
    This is on the Security tab of the Tools|Options dialog.

  4. Delete the Signature definition in Outlook Express for each afflicted user identity (if you do not know what that means, you probably only have a single identity so only need to do it once).
    These settings are on the Signatures tab of the Tools|Options dialog.
    In theory, it is now safe to use Outlook Express 5 for reading and sending Email -- but don't...

  5. Delete the files kak.htm from the Windows folder and [name].hta from the Windows system folder.
    [name] is an eight character string representing a hexadecimal number -- i.e. it consists of some combination of characters 0-9 and A-F. There could be more than one of these files -- they should be 4116 bytes in size -- delete them all.
    If there is more than one, then you should find out about Outlook Express user identities and tidy up the siganture settings of all identities (that is more aesthetic than necessary, as deleting the kak.htm file effectively disables the signatures anyway).
    These files have the hidden file attribute set -- to see them you will have to change the default settings in Explorer.
    If you are unsure how to do this, select Help from the Start menu, click on the Index tab then, under Win95, enter "hidden files, viewing" or under Win98 enter "hidden attribute" and view the topic that is found.

  6. Edit AUTOEXEC.BAT and delete the two lines involved in creating and deleting kak.hta in the Windows Startup folder.
    If AE.KAK exists in the root of C: and no changes have been made to AUTOEXEC.BAT since Kak infested the machine, you can delete (or rename) AUTOEXEC.BAT then rename AE.KAK to AUTOEXEC.BAT (it is a Kak install-time backup of AUTOEXEC.BAT).
    Check the Windows Startup folder and delete any file there named kak.hta.

  7. Restart the machine and watch closely for a process called Drive Memory Error that only appears (and briefly) as a button on the taskbar.
    If that happens, you missed something or did it out of order.
    Start over. If you get here a second time and still have this process starting, please Email me for further assistance.
Assuming that all has gone well, go to:
http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
read it and download the offical MS patch that closes the security hole that Kak depends on.
After doing that, you can reset your Email security to the Internet zone, although I certainly do not recommend that!
After all this, you will almost surely have one or more messages carrying the Kak code in your Email folders.
Unless MS re-introduces the security hole Kak depends on in a future IE update, those message won't cause you any grief, though forwarding them to others would be unwelcome.
Note also, that any copies to self you've kept will also have active Kak code in them.
Short of getting a virus scanner that can parse OE mail files, the only vaguely satisfactory workaround to the "problem" of possibly forwarding one of these "infected", saved messages is to configure all your user identities to send text-only Email rather than that HTML rubbish that is the OE default.
Thus, setting text-only Email sending is a very good idea.
Note that to set this configuration fully, you must not only set Tools|Options|Send to "Plain text" for the "Mail sending format", but also disable the "Reply to messages in the format in which they were sent" option (which is also on the Tools|Options|Send dialog).

Section break



Home | Norway | Anti-Virus | Security | Humour | Site map | Search | Contact | Privacy