WScript

Script/Kak.worm.bat
Below is a copy of an email I have sent to several people from whom we have received emails containing the WScript/Kak.worm.bat virus. The email explains one method to remove the virus from your computer. Once you have removed the virus from your computer it is essential to delete the incoming email/s from which you caught it, because they will re-infect your computer. Also it would be beneficial to everyone else to inform the original sender of your findings.

To check an email in any of your folders in Outlook Express carry out the following procedure: Before opening your emails - Right click on your any email title listed in your Inbox, Sent, Deleted, etc. folders. Then select properties. Then select the tab which says Details. Press the button that says Message Source. Then open up to full window:

You will see lots of coding that contains the words like 'kak.hta', 'AE.kak', 'Kagou-Anti-Kro$oft says not today', amongst it:

This is the WScript/Kak.worm.bat virus which is attached to your emails. If it is present refer to the copy email below for one method of removing it from your system.

COPY OF THE EMAIL WE SEND TO PEOPLE WITH THE VIRUS
(You are welcome to copy this (or part of it) if you wish to send it to anyone who has accidentally forwarded the virus to you.

I am sorry to have to inform you that we received an E-mail from you which contained the KAK.worm Virus. You may not be aware that your computer has this Virus, but it was detected by our McAfee VirusScan and showed up in the coding information of your E-mail.
We received your E-mail at : on / /

PLEASE DO NOT SEND US ANY MORE E-MAILS UNTIL YOU HAVE REMOVED THE VIRUS FROM YOUR SYSTEM.

THIS VIRUS IS VERY VIGOROUS IN THE PETZ COMMUNITY AT PRESENT - YOU WILL PASS THIS ON TO ANYONE YOU SEND E-MAILS TO. WE HAVE LISTED ONE METHOD TO ASSIST YOU IN DELETING THIS FROM YOUR COMPUTER.

A quick method to check if your computer is infected is to look in Tools/Options/Signatures in Microsoft Mail Programs. It may well show a name in the signature which includes the word 'kak'. However - this is not always present, so don't be fooled. Continue with the other checks.

the virus is called WScript/Kak.worm.bat it is not a serious virus and is easily removed from a p.c. it is put onto your computer just by receiving an infected e-mail - no attachment is required and you do not even have to open the e-mail. it will put up various messages and close down your computer on the 1st of the month at 6.00pm. Switching on your computer or rebooting after 6:00 pm will prevent your computer from running for the rest of that day.

If you are running McAfee virus scanner when booting up, your p.c. it should give you a warning message or you should run McAfee to detect it automatically.

for more information about it you can go to www.avertlabs.com click on the section about hoax viruses, then on the alphabet click K and select Kak.

UPDATE 27/9/2001: A TOOL FOR REMOVING THE KAK VIRUS - AND MANY OTHERS - IS CURRENTLY AVAILABLE FOR FREE DOWNLOAD FROM:
http://www.symantec.com/avcenter/tools.list.html

You can also download from the Microsoft Security Bulletin site, a FREE security patch to block the virus in future. The security patch number file is - q240308.exe
Click on this address as a short cut:
ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/Eyedog-fix/x86/q240308.exe

You can also remove it manually by using the following instructions

> KAK.worm
> Delete entries in c:\windows:
> c:\windows\kak.htm (delete kak.htm)
> c:\windows\system\xxxxxxxx.hta (delete xxxxx.hta) (Where xxxxxx will be a random number)
> c:\windows\Start Menu\Programs\Start Up\kak.hta (delete kak.hta)
>
> In the autoexec.bat delete:
> Any lines referring to KAK.HTA or WScript/kak

In registry:
> ( To get access to the Registry, click on Start and then Run and type
> "regedit" and click "OK" )
> Hkey local machine\software\microsoft\windows\CurrentVersion\Run cAgOu = "c:\windows\system\xxxxx.hta"
>
> (Delete "cAgOu = "c:\windows\system\xxxxx.hta")

REMOVE any signatures that have been added in your signatures files - These are what will spread the Virus in your outgoing mail!!

you can also get a security patch to block the virus from the Microsoft Security Bulletin site.

many thanks