• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 278

KAK.HTA ?????

I just reinstalled Windows 98SE on my Dell XPST 550PIII because things seemed a bit unstable at times. Everything is working fine so far. BUT, every time I start up I get a window that has this title at the top: C:\Windows\Start Menu\Programs\Start up\KAK.HTA. What does this mean and how can I get rid of it?
The last time I restarted, an error message came up with it. I have removed KAK from my start up menu several times and every time I restart it is somehow back again.
I also removed a lot of fonts from my font folder. I had approx. 1300 in there and now I have maybe 700. This was done before the reinstall of 98SE.
Thanks,
Art
Asked by: ArtG
1 Solution
 
1cellCommented:
NAME: Kak
ALIAS: Wscript.KakWorm, KakWorm

Kak is a worm that embeds itself in every email sent from the infected system, without any attachment, like BubbleBoy does. For further information about BubbleBoy, see the description: http://www.F-Secure.com/v-descs/bubb-boy.htm

Kak is written in JavaScript and it works on both English and French versions of Windows 95/98 if Outlook Express 5.0 is installed. It does not work in a typical Windows NT installation.

The worm uses a known security vulnerability in Outlook Express. Once the user receives an infected email message and opens or views the message in the preview pane, the worm creates a file "kak.hta" in the Windows Startup directory.

Next time when the system is restarted, the worm activates. It replaces "c:\autoexec.bat" with a batch file that deletes the worm from the Startup directory. The original "autoexec.bat" is copied to "C:\AE.KAK".

It also modifies the message signature settings of Outlook Express 5.0 replacing the current signature with an infected file, "C:\Windows\kak.htm".

Therefore every message sent with Outlook Express after that will contain the worm.

Next it modifies the Windows registry in such a way that it will be executed at every system startup. The key it adds to the registry is:


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cAg0u

The .hta file that the virus creates and will be executed is saved to the Windows System directory. On the first day of each month, if the hour is later than 17 (i.e. 6pm or later), the worm will show an alert box with the following text:


    Kagou-Anit-Kro$oft say not today!

 

Then the worm causes Windows to shut down.

F-Secure Anti-Virus detects the worm. When the worm has been detected, the user should delete the following files, if they exist:


    C:\Windows\kak.htm
    C:\Windows\System\(filename).hta
        where (filename) is a variable, and it changes from one system to another
    C:\Windows\Start Menu\Programs\Startup\kak.hta
    C:\Windows\Menu Demarrer\Programmes\Demarrage\kak.hta

The "autoexec.bat" can be restored by copying "C:\AE.KAK" to "C:\autoexec.bat".

Kak uses a known security hole in Microsoft Outlook Express to create the local HTA file.

If active scripting is disabled from Outlook Express, then the worm will not work.

Microsoft has more information on this problem available at: http://www.microsoft.com/Security/Bulletins/MS99-032faq.asp 

They also have a patch to fix this problem at http://www.microsoft.com/security/Bulletins/ms99-032.asp

0
 
ArtGAuthor Commented:
Adjusted points from 146 to 196
0
 
ArtGAuthor Commented:
1cell,
Thank you for your quick response. I have done everything you said except copying "C:\AE.KAK" to "C:\autoexec.bat".
autoexec.bat is a DOS file and AE.KAK is a Windows file. I don't know how to copy that.
Also I hope the last two columned instructions are the same, just one being French. I can't find any \Menu Demarrer\.
I opened the C:\AE.KAK file in Notepad and it appeared to have something to do with my Asus CD-ROM drivers????
I still need your help.
Art

 
0
 
1cellCommented:
reboot to DOS and type:

copy ae.kak autoexec.bat
0
 
ArtGAuthor Commented:
1cell,
Sorry about the delay, I had to go to work.
I managed to do all you said. KAK seems to be gone, no window popping up at startup.
There is still one loose end I would like to tie up. When I run msconfig and look at the startup menu there is a "cAgOu" listed in C:\WINDOWS\SYSTEM\9175A040.hta. I currently have it unchecked/disabled. I cannot find it in C:\Windows\start menu\programs\startup or in the disabled startup file.

I did some reading and saw this connected with KAK somewhere and the file ending .hta makes me nervous.
What should I do about this? If anything?
Thanks
Art
PS actually it was you I read "Kagou-Anit" etc.
0
 
SpindoctaCommented:
The 9175A040.hta in your system directory is also part of the worm; it is the file referred to in the system registry. Search for the filename string in the registry, and delete the key. Next delete the 9175A040.HTA file. The most important part of the procedure is to install the Microsoft patch. If you do not do this then you will reinfect yourself if you view the original e-mail or any emails you have sent since.

With the patch installed you will receive a message saying the controls on the page are unsafe and Windows will disable the control.

Finally, you are now in a position to email everybody you have inadvertently infected and send the patch on to them.

Although I don't believe any email with an attachment, will get much attention whilst the love bug is about!
0
 
1cellCommented:
Spindocta, as you are new here, welcome.  However, there is a certain unwritten protocol here which you should be aware of.

First, Experts here do not post answers unless they are absolutely sure that the answer will solve the problem.

Second, we don't post answers which contain information from comments given by others or post an answer when the thread is obviously under control and getting solved by another.

Posting an answer locks the question and further delays the questioner's solution.  

Please change your proposed answer to a comment and try to adhere to this protocol in the future.  Again, welcome!


Now, Art,

as for MSCONFIG, what it shows you is that there is POSSIBLY still a reference to this file in the registry, system.ini, or win.ini.

SO, what to do, if anything, is this:
1st, check the registry keys

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run-

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\Run-

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

for any reference to cAgOu or a file with an HTA extension. If you find it, delete it.

If you don't find it, open the win.ini file and look for the run= or load= lines.  Again, if any reference to cAgOu or an HTA file is found, delete it.

Same with system.ini but I don't suspect it went that far.

Finally, once again, do a Find Files for cAgOu and delete any occurrences along with any .HTA file.

If you don't find any of the above, you are clean and what you see in MSCONFIG is residue which we can get rid of.

Any questions, let me know.

0
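The F-Secure description quoted earlier (the cAg0u Run value, the .hta dropped into Startup and the System directory, the Outlook Express signature pointing at C:\Windows\kak.htm) and 1cell's cleanup checklist above (Run/Run-/RunOnce under HKCU and HKLM, the run= and load= lines of win.ini, system.ini, the Startup folder) together amount to a small indicator scan. The script below is an added example written for this page, not code from the thread or from F-Secure: it runs that checklist over the text of a registry export (.reg), win.ini, system.ini, a Startup-folder listing and the signature path from Outlook Express, all of which are constructed sample inputs here (the 9175A040.hta filename is the one Art reported; the other entries are typical Windows 98 autostart values). It checks the [boot] shell= line of system.ini as the only autostart line there, which is an assumption beyond 1cell's wording. It matches cAg0u and cAgOu alike, since the thread spells the name both ways.

```python
"""Scan Windows 9x configuration text for Kak worm indicators (added example)."""
import re
from dataclasses import dataclass

# Autostart keys from 1cell's checklist: Run, Run- and RunOnce under HKCU and HKLM,
# compared case-insensitively against the [Key] headers of a .reg export.
AUTOSTART_KEYS = {
    f"{hive}\\software\\microsoft\\windows\\currentversion\\{tail}".lower()
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
    for tail in ("Run", "Run-", "RunOnce")
}
KAK_NAME = re.compile(r"cag[0o]u", re.IGNORECASE)         # F-Secure: cAg0u; msconfig showed cAgOu
HTA_REF = re.compile(r"\.hta\b", re.IGNORECASE)           # any HTA autostart is suspect on this host
KAK_SIGNATURE = re.compile(r"(^|[\\/])kak\.htm$", re.IGNORECASE)


@dataclass
class Finding:
    source: str   # registry, win.ini, system.ini, startup, signature
    where: str    # key, ini line, folder or dialog the entry lives in
    detail: str   # the offending value, file name or path


def scan_reg_export(reg_text):
    """Flag values under the autostart keys that name cAg0u or an .hta file."""
    findings, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if not line or line.startswith(";") or current_key is None:
            continue
        if current_key.lower() in AUTOSTART_KEYS and (KAK_NAME.search(line) or HTA_REF.search(line)):
            findings.append(Finding("registry", current_key, line))
    return findings


def scan_ini(ini_text, name, section, keys):
    """Flag the autostart lines of an .ini file ([windows] run=/load=, [boot] shell=)."""
    findings, current = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if sep and current == section and key in keys and value:
            if KAK_NAME.search(value) or HTA_REF.search(value):
                findings.append(Finding(name, f"[{current}] {key}=", value))
    return findings


def scan_startup(listing, folder):
    """Any .hta in the Startup folder is the worm's dropper (kak.hta on English Windows)."""
    return [Finding("startup", folder, name) for name in listing if HTA_REF.search(name)]


def scan_signature(path):
    """Outlook Express signature set to kak.htm means every outgoing mail carries the worm."""
    if path and KAK_SIGNATURE.search(path):
        return [Finding("signature", "Outlook Express: Tools > Options > Signatures", path)]
    return []


def scan_host(reg_text, win_ini, system_ini, startup_listing, signature_path,
              startup_folder=r"C:\Windows\Start Menu\Programs\Startup"):
    """Run the whole checklist and return the findings in checklist order."""
    findings = scan_reg_export(reg_text)
    findings += scan_ini(win_ini, "win.ini", "windows", ("run", "load"))
    findings += scan_ini(system_ini, "system.ini", "boot", ("shell",))   # assumption: shell= only
    findings += scan_startup(startup_listing, startup_folder)
    findings += scan_signature(signature_path)
    return findings


# Constructed sample inputs mirroring what Art reported; not captured from a real host.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"cAg0u"="C:\\WINDOWS\\SYSTEM\\9175A040.hta"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"""
SAMPLE_WIN_INI = "[windows]\nload=\nrun=\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"
SAMPLE_STARTUP = ["kak.hta", "Office Startup.lnk"]
SAMPLE_SIGNATURE = r"C:\WINDOWS\kak.htm"

if __name__ == "__main__":
    for f in scan_host(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_STARTUP, SAMPLE_SIGNATURE):
        print(f"{f.source:10} {f.where}: {f.detail}")
    print("Remove each entry and file above, restore C:\\autoexec.bat from C:\\AE.KAK,"
          " and install the MS99-032 patch before opening any mail sent since the infection.")
```

On the sample data the scan reports the cAg0u value under HKLM\...\Run, kak.hta in the Startup folder and the kak.htm signature, while the clean win.ini and system.ini lines produce nothing, which is the "residue only" outcome 1cell describes. The scanner reads exported text rather than the live registry so it can run on any machine against files copied off the Windows 98 box.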
 
ArtGAuthor Commented:
Adjusted points from 196 to 250
0
 
ArtGAuthor Commented:
Thanks, I'll get right on it.
0
 
ArtGAuthor Commented:
1cell,
I am about half embarrassed to say this but, I don't know how to check the registry keys. I can navigate around in the inner parts of my computer somewhat but I have never needed to look at my registry.
sorry I am such a pain.
Art
0
 
ArtGAuthor Commented:
Adjusted points from 250 to 350
0
 
ArtGAuthor Commented:
1Cell,
I have more info. In Outlook Express I go to Tools-Options-Signatures; down at the bottom of the window I see a radio button labeled File, and in the box near it it says "C:\WINDOWS\kak.htm".
This doesn't look good.
Art
0
 
ArtGAuthor Commented:
I believe 1cell covered that;
"First, Experts here do not post answers unless they are absolutely sure that the answer will solve the problem.

Second, we don't post answers which contain information from comments given by others or post an answer when the thread is obviously under control and getting solved by another.

Posting an answer locks the question and further delays the questioner's solution."
0
 
ArtGAuthor Commented:
Adjusted points from 350 to 400
0
 
ArtGAuthor Commented:
1cell,
I just got Norton System Works today and it gave me a clean bill of health thanks to you.
I can't put into words how much I appreciate you and all the other experts here that have helped me. EE is the greatest site on the web.
Thank you so much 1cell!!
Art
Please see to it that these points are awarded to you.
0
 
ArtGAuthor Commented:
Sorry we lost our connection somehow. I posted back five times. You did however solve my problem for me. Norton system works just confirmed that. I am sure you helped me avoid a disaster I couldn't afford. Thank you so much.
Art
0
 
1cellCommented:
Hey! I'm back, had problems with the ILOVEYOU virus at work and haven't been able to find much time for EE.  Anyway, glad I could help.
0
