Readers Write

Edited by Brian Grainger: brian@grainger1.freeserve.co.uk


 

On the 1st January, which is ominous, Claire Kidd e-mailed ICPUG with the following problem.

I am having a problem when I start up my PC and would be very grateful for any help.

In November I downloaded a screensaver from the Woolworths site but after uninstalling it I continued to get a message at start up that the PC could not import the C:\kak.exe file and that there may be a problem within the registry. I have since deleted this file but still get the Driver Memory Error message. Today this message has appeared along with the following warning: Kagou - Anti - Kro$oft says not today! If I click on OK under this message it shuts down my PC.

I can use the PC as long as I leave this message on screen and have updated my Norton Anti-Virus and scanned the HDD but this still appears. I'd be very grateful if anyone could email me a possible answer to this problem.

A summary of my e-mails that followed this request is given below:

You have all the signs of the Kak Worm Virus.

The Kak Worm transmits via e-mail, in particular using versions of Internet Explorer 5/Outlook Express 5 (not earlier versions), and it affects Windows 95/98 systems although it will transmit via NT.

UNTIL YOU HAVE ERADICATED THE PROBLEM DO NOT SEND E-MAIL TO ANYONE WHO USES INTERNET EXPLORER THAT HAS NOT HAD THE MICROSOFT PATCH INCLUDED.

I think the best way I can help you is to point you at some web pages which explain the problem and tell you how to solve it. So here goes.

General description of the Worm and pointer to repair tool:

http://www.symantec.com/avcenter/venc/data/wscript.kakworm.html

More detailed description and how to repair manually:

http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000020318071406

Detail and how to remove variant B of the Kak Worm:

http://www.symantec.com/avcenter/venc/data/kak.worm.b.removal.html

www.commandcom.com/virus/kak.html mentions one very useful additional point.

I e-mailed Claire some more information:

It is important to delete your e-mails that you have stored in your Inbox / Sent items / Deleted Items folders and any others you might have created. You do not know the original source of the infection and you do not know how many e-mails you have sent on that have been infected. If they lurk in these folders and you re-read them at some point you may infect your PC again. The same goes with friends you regularly e-mail. Get them to check for infection or else their next message to you may cause another outbreak!

It looks like you have the original Kak version A. This triggers on the 1st of the month as yours did.

Viruses like Kak can be stopped from entering your PC if you upgrade IE5/OE5 with the service pack 1 available from the Microsoft site (and no doubt on every magazine disk eventually).

After a little break Claire came back to me again with the following:

I downloaded the fix you recommended and ran it and it said it was successful and that my computer is no longer infected. However when I restart my computer I get a message saying it cannot import the C:\windows\kak file. When I click OK this message disappears without shutting down my PC.

When I look through Windows Explorer the file is still there. I have looked in the properties box and the 'Hidden' box is checked. I have unchecked it and deleted the file manually, which sends it to the recycle Bin and I empty that too. Once again it reappears when I restart the PC.

During start up my Norton Anti virus runs and I have also scanned the file separately with Norton and deleted the file that way but alas it keeps returning.

My final message to Claire was:

From all the stuff I have read the only reason I can see that the file keeps reappearing is that you are re-infecting yourself. Just seeing an infected e-mail in the preview pane is sufficient. I think you have got to be ruthless. Take whatever info you need from any e-mails stored on the system. (You can save as text files if you like). Then delete all your e-mails and then delete them from the Deleted Items folder. Only then can you be certain there is nothing to re-infect you.

Now shutdown and turn your PC off. Bring it back up and run the removing tool.

Without doing anything else shutdown again and turn your PC off. Bring it back up and see if it is OK. If you still have a problem then follow the manual fix procedure.

After following the manual fix shutdown and turn PC off. Bring it back up and check it is OK.

It should now be fixed. Only receiving infected e-mails from your friends could start it off again. If it isn't fixed then you are going to have to disable Winscript file execution or uninstall it altogether. See the links in the Symantec source for this. Do that and it will be impossible to get reinfected. Follow the disinfecting procedure again to remove it for good.

One final thing. If the kak file stays deleted but you still get the file cannot be imported message pay particular attention to the notes on altering the AUTOEXEC.BAT file and the Registry, because it is here that it is being called from.
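One way to look for the leftover startup references described above, as an added example that is not part of the original correspondence or of the Symantec instructions. It assumes AUTOEXEC.BAT and a REGEDIT4 export of the registry have been saved as text; the function names are hypothetical and the sample entries are constructed, not the worm's real ones.

```python
import ntpath
import re

PATH = re.compile(r'[A-Za-z]:\\[^\s"]+')  # drive-letter paths, quoted or bare

def references_stem(text, stem="kak"):
    """True if any path in text has a file name whose stem equals `stem`."""
    for p in PATH.findall(text):
        base = ntpath.basename(p.replace("\\\\", "\\"))  # undo .reg escaping
        if ntpath.splitext(base)[0].lower() == stem:
            return True
    return False

def scan_autoexec(text):
    """(line_no, line) for each non-comment line that references the file."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s and not s.lower().startswith(("rem ", "::")) and references_stem(s):
            hits.append((n, s))
    return hits

def scan_reg_export(text):
    """(key, value_name, data) for Run-type key values that reference the file."""
    hits, key = [], ""
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            key = s[1:-1]  # remember which registry key the values belong to
        elif "\\currentversion\\run" in key.lower() and "=" in s:
            name, data = s.split("=", 1)
            if references_stem(data):
                hits.append((key, name.strip('"'),
                             data.strip('"').replace("\\\\", "\\")))
    return hits

# Constructed samples: NOT the worm's real entries, just the shapes to look for.
AUTOEXEC_SAMPLE = r"""@ECHO OFF
REM disabled: C:\kak.exe
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
C:\kak.exe
C:\TOOLS\kakadu.exe"""

REG_SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"example"="C:\\WINDOWS\\kak"
"""
```

Any line or value it reports is a place where start-up still calls the deleted file, which is what produces the "cannot import" message.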

That was the last of the conversation thread with Claire. This episode shows two things. First, that despite the fact the Kak virus has been around a while and the user had an anti-virus package it still managed to get through the defences! Second, once viruses have been caught they are very difficult to get rid of. They are also very disruptive by forcing you to clear out your own files and possibly those of your correspondents.

A sober warning for Claire on the first day of 2001.

