Solved

KAK.HTA ?????

Posted on 2000-05-04
Last Modified: 2013-12-28
I just reinstalled Windows 98SE on my Dell XPST 550PIII because things seemed a bit unstable at times. Everything is working fine so far. BUT, every time I start up I get a window that has this title at the top: C:\Windows\Start Menu\Programs\Start up\KAK.HTA. What does this mean and how can I get rid of it?
The last time I restarted an error message came up with it. I have removed KAK from my start up menu several times and every time I restart it is somehow back again.
I also removed a lot of fonts from my font folder. I had approx. 1300 in there and now I have maybe 700. This was done before the reinstall of 98SE.
Thanks,
Art
Question by:ArtG

17 Comments
LVL 6

Expert Comment

by:1cell
ID: 2777854
NAME: Kak
ALIAS: Wscript.KakWorm, KakWorm

Kak is a worm that embeds itself into every email sent from the infected system, without any attachment, like BubbleBoy does. For further information about BubbleBoy, see the description: http://www.F-Secure.com/v-descs/bubb-boy.htm

Kak is written in JavaScript and it works on both English and French versions of Windows 95/98 if Outlook Express 5.0 is installed. It does not work in a typical Windows NT installation.

The worm uses a known security vulnerability in Outlook Express. Once the user receives an infected email message, and opens or views the message in the preview pane, the worm creates a file "kak.hta" in the Windows Startup directory.

The next time the system is restarted, the worm activates. It replaces "c:\autoexec.bat" with a batch file that deletes the worm from the Startup directory. The original "autoexec.bat" is copied to "C:\AE.KAK".

It also modifies the message signature settings of Outlook Express 5.0 replacing the current signature with an infected file, "C:\Windows\kak.htm".

Therefore every message sent with Outlook Express after that will contain the worm.

Next it modifies the Windows registry in such a way that it will be executed at every system startup. The key it adds to the registry is:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cAg0u

The .hta file that the virus creates and will be executed is saved to the Windows System directory. On the first day of each month, if the number of hours is more than 17 (i.e. 6pm or later), the worm will show an alert box with the following text:

    Kagou-Anit-Kro$oft say not today!

Then the worm causes Windows to shut down.

F-Secure Anti-Virus detects the worm. When the worm has been detected, the user should delete the following files, if they exist:

    C:\Windows\kak.htm
    C:\Windows\System\(filename).hta
        where (filename) is a variable, and it changes from one system
        to another
    C:\Windows\Start Menu\Programs\Startup\kak.hta
    C:\Windows\Menu Demarrer\Programmes\Demarrage\kak.hta

The "autoexec.bat" can be restored by copying the "C:\AE.KAK" to "C:\autoexec.bat".

Kak uses a known security hole in Microsoft Outlook Express to create the local HTA file.

If active scripting is disabled from Outlook Express, then the worm will not work.

Microsoft has more information on this problem available at: http://www.microsoft.com/Security/Bulletins/MS99-032faq.asp

They also have a patch to fix this problem at http://www.microsoft.com/security/Bulletins/ms99-032.asp


Author Comment

by:ArtG
ID: 2778472
Adjusted points from 146 to 196

Author Comment

by:ArtG
ID: 2778473
1cell,
Thank you for your quick response. I have done everything you said except copying "C:\AE.KAK" to "C:\autoexec.bat".
autoexec.bat is a DOS file and AE.KAK is a Windows file. I don't know how to copy that.
Also I hope the last two columned instructions are the same, just one being French. I can't find any \Menu Demarrer\.
I opened the C:\AE.KAK file in Notepad and it appeared to have something to do with my Asus CD-ROM drivers????
I still need your help.
Art

LVL 6

Expert Comment

by:1cell
ID: 2778509
Reboot to DOS and type:

    copy ae.kak autoexec.bat

Author Comment

by:ArtG
ID: 2779540
1cell,
Sorry about the delay, I had to go to work.
I managed to do all you said. KAK seems to be gone, no window popping up at startup.
There is still one loose end I would like to tie up. When I run msconfig and look at the startup menu there is a "cAgOu" listed in C:\WINDOWS\SYSTEM\9175A040.hta. I currently have it unchecked/disabled. I cannot find it in C:\Windows\start menu\programs\startup or in the disabled startup file.

I did some reading and saw this connected with KAK somewhere and the file ending .hta makes me nervous.
What should I do about this? If anything?
Thanks
Art
PS: actually it was from you that I read "Kagou-Anit" etc.

Expert Comment

by:Spindocta
ID: 2780972
The 9175A040.hta in your system directory is also part of the worm; it is the file referred to in the system registry. Search for the filename string in the registry, and delete the key. Next, del the 9175A040.HTA file. The most important part of the procedure is to install the Microsoft patch. If you do not do this then you will reinfect yourself if you view the original e-mail or any emails you have sent since.

With the patch installed you will receive a message saying the controls on the page are unsafe and Windows will disable the controls.

Finally, you are now in a position to email everybody you have inadvertently infected and send the patch on to them.

Although I don't believe any email with an attachment will get much attention whilst the love bug is about!
LVL 6

Accepted Solution

by:
1cell earned 400 total points
ID: 2781633
Spindocta, as you are new here, welcome.  However, there is a certain unwritten protocol here which you should be aware of.

First, Experts here do not post answers unless they are absolutely sure that the answer will solve the problem.

Second, we don't post answers which contain information from comments given by others or post an answer when the thread is obviously under control and getting solved by another.

Posting an answer locks the question and further delays the questioner's solution.  

Please change your proposed answer to a comment and try to adhere to this protocol in the future.  Again, welcome!


Now, Art,

As for MSCONFIG, what it shows you is that there is POSSIBLY still a reference to this file in the registry, system.ini or win.ini.

So, what to do, if anything, is this:
1st, check the registry keys

HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN-

HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN-

HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

for any reference to cAgOu or a file with an HTA extension.  If you find it, delete it.

If you don't find it, open the win.ini file and look for the run= or load= lines.  Again, if any reference to cAgOu or an HTA file is found, delete it.

Same with system.ini, but I don't suspect it went that far.

Finally, once again, do a find files for cAgOu and delete any occurrences along with any .HTA file.

If you don't find any of the above, you are clean and what you see in MSCONFIG is residue which we can get rid of.

Any questions, let me know.

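To check the autostart locations 1cell lists without reading them by hand, here is an added Python example (not from the thread, and not a tool either expert used). It scans a constructed REGEDIT4 export and a constructed win.ini for Run/Run-/RunOnce values and run=/load= lines that name cAg0u or any .hta file; the sample entries mirror the registry value and the 9175A040.hta name reported in the thread, and the benign entries are made up.

```python
import re
# Constructed sample (not from a real machine): a REGEDIT4 export of the
# Run keys and a win.ini, each with one entry shaped like KAK's (value name
# cAg0u pointing at an .hta in the System directory) beside benign ones.
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"cAg0u"="C:\\WINDOWS\\SYSTEM\\9175A040.hta"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
"""
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\9175A040.hta
NullPort=None
"""
# Keys 1cell lists; Run- is where MSCONFIG parks disabled startup items.
AUTOSTART_KEYS = {"run", "run-", "runonce"}
SUSPECT = re.compile(r"cag[0o]u|\.hta\b", re.IGNORECASE)  # zero or letter O
REG_VALUE = re.compile(r'^"([^"]*)"="(.*)"$')

def suspicious_run_entries(reg_export):
    """Return (key, value_name, data) for Run* values naming cAg0u or an .hta."""
    hits, key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new registry key section
            continue
        m = REG_VALUE.match(line)
        if not m or key is None or key.rsplit("\\", 1)[-1].lower() not in AUTOSTART_KEYS:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        if SUSPECT.search(name) or SUSPECT.search(data):
            hits.append((key, name, data))
    return hits

def suspicious_ini_lines(win_ini):
    """Return (directive, value) for run=/load= lines in [windows] that look like KAK."""
    hits, in_windows = [], False
    for line in win_ini.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_windows = line.lower() == "[windows]"
            continue
        directive, sep, value = line.partition("=")
        if in_windows and sep and directive.lower() in ("run", "load") and SUSPECT.search(value):
            hits.append((directive.lower(), value.strip()))
    return hits
```

On a real Windows 98 box the input would be the file produced by `regedit /e` and C:\WINDOWS\win.ini; anything reported should be checked by hand before deleting.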

Author Comment

by:ArtG
ID: 2782007
Adjusted points from 196 to 250

Author Comment

by:ArtG
ID: 2782008
Thanks, I'll get right on it.

Author Comment

by:ArtG
ID: 2783248
1cell,
I am about half embarrassed to say this but, I don't know how to check the registry keys. I can navigate around in the inner parts of my computer somewhat but, I have never needed to look at my registry.
Sorry I am such a pain.
Art

Author Comment

by:ArtG
ID: 2785070
Adjusted points from 250 to 350

Author Comment

by:ArtG
ID: 2785071
1Cell,
I have more info. In Outlook Express I go to Tools-Options-Signatures; down at the bottom of the window I see a radio button labeled File and in the box near it it says "C:\WINDOWS\kak.htm".
This doesn't look good.
Art

Author Comment

by:ArtG
ID: 2790128
I believe 1cell covered that;
"First, Experts here do not post answers unless they are absolutely sure that the answer will solve the problem.

Second, we don't post answers which contain information from comments given by others or post an answer when the thread is obviously under control and getting solved by another.

Posting an answer locks the question and further delays the questioner's solution."

Author Comment

by:ArtG
ID: 2790140
Adjusted points from 350 to 400

Author Comment

by:ArtG
ID: 2790141
1cell,
I just got Norton System Works today and it gave me a clean bill of health thanks to you.
I can't put into words how much I appreciate you and all the other experts here that have helped me. EE is the greatest site on the web.
Thank you so much 1cell!!
Art
Please see to it that these points are awarded to you.

Author Comment

by:ArtG
ID: 2797499
Sorry we lost our connection somehow. I posted back five times. You did however solve my problem for me. Norton system works just confirmed that. I am sure you helped me avoid a disaster I couldn't afford. Thank you so much.
Art
LVL 6

Expert Comment

by:1cell
ID: 2797520
Hey! I'm back, had problems with the ILOVEYOU virus at work and haven't been able to find much time for EE.  Anyway, glad I could help.