Group,
As Troy Britain and others have noted, the KAK e-mail virus infected some of
us (I just found that I have it). Since my anti-virus software missed it,
I've been hunting the little sucker down. I'm including what I found for
those who might also be infected. Note the caveats.
Don Frack
============================================================================
KAK e-mail virus.
Having just been hit by the KAK e-mail virus, I pass on the following
findings. Hopefully, I've located all the pieces. I've tried to identify
below the files I located and suggest actions. Note that if you don't get it
all, some parts will respawn the rest when you reboot. The KAK.HTM file is
reasonably helpful in tracing its actions. IF YOU WANT TO VIEW IT, FIRST
RENAME THE EXTENSION TO ".TXT" SO IT WILL NOT OPEN AS AN HTML FILE. The file
can be safely viewed using Notepad.
The following suggestions are offered AS IS. I don't know if I got
everything, and removing pieces may make it impossible for anti-virus
software to do a complete job later. Norton Anti-virus 2000 will recognize
this virus, presumably before it attacks - Norton 5.0 will not (at least not
without the latest updates). Be sure to delete all suspect messages.
What the virus appears to do, and actions I took:
Adds to C:\Autoexec.bat
"@echo off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta"
"del C:\Windows\STARTM~1\Programs\StartUp\kak.hta"
ACTION: Delete these lines
Creates C:\Ae.kak
Appears to write the original autoexec.bat to this file
ACTION: Delete file
Adds this file to C:\windows
kak.htm [Appears to be the actual virus file. Attributes = "hidden"]
ACTION: Delete file [folder options must allow viewing hidden files]
In Registry creates [\\\\ refers to a lower level in the structure of the
file]:
a) file extension registry entry for ".hta"
b) under \\\\Current Version\Run
Name: "cAg0u" Data: "C:\WINDOWS\SYSTEM\FB8B33C0.hta"
c) under \\\\Mime\Database\Content Type\application/hta
CLSID and Extension Data
Name: "CLSID" Data: "{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}"
Name: "Extension" Data: ".hta"
d) under \\\\Outlook Express\5.0\Signatures\00000000, the data read:
File: "C:\windows\kak.htm"
Name: "Signature #1"
Text: ""
Type: "0x00000002(2)"
[These appear to attach the virus to outgoing mail by faking the
default signature file]
ACTION: Use the REGEDIT Find to locate "hta" references above.
(a) Delete the file extension reference,
(b) Delete the "cAg0u" data under Run,
(c) Delete "application/hta" data under Content Type
Use the REGEDIT Find to locate the "kak" signature reference above (d).
(d) Delete "00000000" entry under Signatures
DON'T MESS WITH THE REGISTRY IF YOU DON'T UNDERSTAND THE
ABOVE!!!!
Writes to C:\windows\system:
FB8B33C0.hta [Appears to be another copy of the virus file. Attributes
= "hidden"]
ACTION: Delete file [folder options must allow viewing hidden files]
Creates C:\Autoexec.syd
Another Autoexec.bat file
ACTION: Delete file
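The following is an added example, not part of Don's post: a small Python check that
reads an autoexec.bat and a REGEDIT export and reports the KAK artifacts he lists
(the two dropper lines, the "cAg0u" Run entry, the application/hta Content Type key,
and the Outlook Express signature pointing at kak.htm). The sample inputs are
constructed; the full parent paths of the Run and MIME keys are assumed from their
standard locations since the post gives only the tail of each path, and the Outlook
Express identity segment is a placeholder.

```python
# Constructed sample: an autoexec.bat carrying the two lines the post says KAK adds.
AUTOEXEC_SAMPLE = (
    "@echo off\n"
    "@echo off>C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak.hta\n"
    "del C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak.hta\n"
)
# Constructed REGEDIT4 export holding the entries the post lists (b, c, d). The
# Outlook Express identity segment is a placeholder, not a value from a real machine.
REG_SAMPLE = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cAg0u"="C:\\WINDOWS\\SYSTEM\\FB8B33C0.hta"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/hta]
"CLSID"="{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}"
"Extension"=".hta"
[HKEY_CURRENT_USER\Identities\{IDENTITY-PLACEHOLDER}\Software\Microsoft\Outlook Express\5.0\Signatures\00000000]
"file"="C:\\windows\\kak.htm"
"name"="Signature #1"
"""

def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: data}} (string values)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_kak_indicators(autoexec_text, reg_text):
    """Return one finding per KAK artifact the post describes; [] on a clean box."""
    findings = []
    for line in autoexec_text.splitlines():  # dropper lines added to autoexec.bat
        if "kak.hta" in line.lower():
            findings.append("autoexec.bat: " + line.strip())
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        if k.endswith("\\currentversion\\run"):  # (b) Run entry launching an .hta
            for name, data in values.items():
                if data.lower().endswith(".hta"):
                    findings.append(f"Run entry {name!r} -> {data}")
        elif k.endswith("\\content type\\application/hta"):  # (c) MIME registration
            findings.append("MIME Content Type key: " + key)
        elif "\\outlook express\\5.0\\signatures\\" in k:  # (d) signature -> kak.htm
            if values.get("file", "").lower().endswith("kak.htm"):
                findings.append("OE signature file: " + values["file"])
    return findings
```

Run it against a real export made with REGEDIT's Export function and your own autoexec.bat; an empty list means none of the listed artifacts were found, not that the machine is clean.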
This archive was generated by hypermail 2b29 : Fri May 05 2000 - 19:47:46 EDT