Information About and Procedure for Removing the Wscript.KAKworm

About the VBS.KAKWorm
The Wscript KAK Worm is a worm/virus that attacks systems running Outlook Express. It exploits a known security vulnerability in Internet Explorer 5 to attach itself to every email sent from an infected system. It is written in JavaScript and attacks both the English and French versions of Windows 95/98 when Outlook Express 5 is installed. What makes this worm unusual is that it infects a system when someone simply reads or previews an email message: the worm hides in the HTML of the email itself, and when the message is previewed or opened by the recipient the script runs automatically and infects the computer. If Outlook Express 5 and Internet Explorer 5.0 are not installed, the worm cannot infect the machine.

The worm has a second payload as well. On the 1st day of any month, at 5:00pm, it displays a message and sends Windows a command to shut down.

What The Worm Does

Upon infection, the worm places a file called KAK.HTM in your C:\Windows directory and a temporary file with an .HTA extension in your C:\Windows\SYSTEM directory. It also places a file called KAK.HTA in your Startup directory. Then the worm renames your original AUTOEXEC.BAT to AE.KAK and writes the following line into a new AUTOEXEC.BAT:

@echo off > C:\Windows\STARTM~1\Programs\StartUp\kak.hta

Next the worm adds the following value to the Windows Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cAg0u

This cAg0u value points to the temporary .HTA file dropped into the Windows\System directory earlier, so the dropper is run again at every Windows startup. The worm also adds the following entry to the Registry:

HKEY_CURRENT_USER\Identities\Software\Microsoft\Outlook Express\5.0\signatures\Default Signature

This default signature points to the KAK.HTM file placed in the Windows directory. Every email sent after infection has KAK.HTM embedded in its HTML as the signature, which spreads the worm to others.
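The section above names the artifacts the worm has to carry in the mail it sends: a script block in the HTML body, the kak.hta dropper written into the Startup group, the kak.htm signature file and the cAg0u Run value. As an added example that is not part of the original page, the following Python script scans a raw mail message for those indicator strings in its text/html parts, the way a mail gateway or a mailbox triage script would flag a message before anyone previews it in Outlook Express. The two sample messages are constructed here and contain only the artifact names, not the worm.

```python
import email
import re
from email import policy

# Indicator strings taken from the page's description of the worm's artifacts.
# These are names the dropper has to reference, not a copy of the worm itself.
INDICATORS = {
    "startup_dropper": re.compile(r"STARTM~1\\Programs\\StartUp\\kak\.hta", re.I),
    "kak_hta": re.compile(r"\bkak\.hta\b", re.I),
    "kak_htm": re.compile(r"\bkak\.htm\b", re.I),
    "run_value": re.compile(r"\bcAg0u\b"),
}
SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.I)


def scan_html(html: str) -> dict:
    """Score one HTML body.

    A script block together with any KAK artifact name is reported as
    "infected"; artifact names without a script block (for example someone
    quoting this very page) only rate "suspicious".
    """
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(html))
    has_script = bool(SCRIPT_TAG.search(html))
    if hits and has_script:
        verdict = "infected"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits, "script": has_script}


def scan_message(raw: str) -> dict:
    """Walk a raw RFC 822 message and scan every text/html part.

    The worm rides in the HTML body (the signature is appended there), so
    plain-text parts and attachments are ignored; the worst part wins.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    rank = {"clean": 0, "suspicious": 1, "infected": 2}
    worst = {"verdict": "clean", "indicators": [], "script": False}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        result = scan_html(part.get_content())
        if rank[result["verdict"]] > rank[worst["verdict"]]:
            worst = result
    return worst


# Constructed sample messages (not captured mail). The second one carries
# only the Startup-group path inside a script block as a stand-in for the
# real signature script.
BENIGN_MAIL = """\
From: alice@example.com
To: bob@example.com
Subject: lunch
Content-Type: text/html; charset=us-ascii

<html><body><p>Lunch at noon?</p></body></html>
"""

INFECTED_MAIL = """\
From: carol@example.com
To: bob@example.com
Subject: hi
Content-Type: text/html; charset=us-ascii

<html><body><p>hi</p>
<script language=javascript>
// placeholder: a real KAK signature writes C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak.hta
</script></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_MAIL), ("infected", INFECTED_MAIL)):
        print(label, scan_message(raw))
```

Run it over a mailbox export by feeding each message to scan_message(); the "suspicious" verdict is deliberately separate so that a quoted advisory does not get deleted along with real infected mail.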
How to Clean the KAKWorm from your System

Disclaimer

PLEASE: Do not try these steps if you are not comfortable deleting files. I claim no responsibility for you not understanding these steps or not following them correctly.

Before cleaning, it is a good idea to delete the actual emails in Outlook Express that carry the virus. Otherwise, when you preview such a message again, the system will reinfect itself. Once infected, do not reboot or restart your computer before cleaning, otherwise the infection will return.

Delete the following:

1) Delete the added line from your AUTOEXEC.BAT file:

@echo off > C:\Windows\STARTM~1\Programs\StartUp\kak.hta

or delete AUTOEXEC.BAT and rename the AE.KAK file back to AUTOEXEC.BAT.

2) Delete the KAK.HTA file from the Windows Startup group and the KAK.HTM file from the C:\Windows directory. Also delete the temporary .hta file placed in the C:\Windows\SYSTEM directory. This file generally has a name like 74F03760.hta; since the temporary filename is never the same, delete the .hta files in C:\Windows\SYSTEM.

3) Delete the two added registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cAg0u
HKEY_CURRENT_USER\Identities\Software\Microsoft\Outlook Express\5.0\signatures\Default Signature

(Be sure the Default Signature entry points to the KAK file before deleting it.)

There is no guarantee that the worm will not reappear if you preview another infected message, but the steps above disable the current infection. Download and install the Microsoft patch for the security vulnerability that allows this worm to invade your system (the Scriptlet.Typelib vulnerability, Microsoft Security Bulletin MS99-032). You should also update or purchase a new anti-virus program to ensure the system will not be infected again. The worm appeared in the wild on Dec 27, 1999, so any antivirus signature earlier than this will not detect it.
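As an added example that is not part of the original page: the file-side steps of the procedure above (restore AUTOEXEC.BAT from AE.KAK or strip the added line, delete the Startup-group dropper and the copies under Windows, delete the temporary .hta files in Windows\System), applied with Python against a drive root. The intended use is a Windows 9x volume copied or mounted on another machine, since Python 3 does not run on Windows 95/98; the STARTM~1 name is the 8.3 alias of "Start Menu", and a mounted volume may show either form. The directory tree built by demo() is constructed. The two registry entries still have to be removed with Regedit; nothing here touches the registry.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def _find_ci(directory: Path, name: str) -> Optional[Path]:
    """FAT is case-insensitive; a mounted Win9x volume may show any case."""
    if not directory.is_dir():
        return None
    for entry in directory.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None


def _resolve(root: Path, *parts: str) -> Optional[Path]:
    """Walk a path case-insensitively; None if any component is missing."""
    cur = root
    for part in parts:
        cur = _find_ci(cur, part)
        if cur is None:
            return None
    return cur


def clean_kak_files(root: Path, dry_run: bool = False) -> list:
    """Apply the page's file-level cleanup steps under a drive root.

    Returns a log of actions; with dry_run=True nothing is modified, which is
    the way to review what would go before deleting anything.
    """
    log = []

    def remove(p: Path) -> None:
        log.append(f"delete {p.relative_to(root)}")
        if not dry_run:
            p.unlink()

    # Step 1: AUTOEXEC.BAT. Prefer the worm's own backup (AE.KAK); failing
    # that, strip the line(s) referencing kak.hta from the current file.
    backup = _find_ci(root, "AE.KAK")
    autoexec = _find_ci(root, "AUTOEXEC.BAT")
    if backup is not None:
        log.append("restore AUTOEXEC.BAT from AE.KAK")
        if not dry_run:
            if autoexec is not None:
                autoexec.unlink()
            backup.rename(root / "AUTOEXEC.BAT")
    elif autoexec is not None:
        lines = autoexec.read_text(errors="replace").splitlines(keepends=True)
        kept = [ln for ln in lines if "kak.hta" not in ln.lower()]
        if len(kept) != len(lines):
            log.append(f"strip {len(lines) - len(kept)} kak.hta line(s) from AUTOEXEC.BAT")
            if not dry_run:
                autoexec.write_text("".join(kept))

    # Step 2: the dropper in the Startup group and the copies under Windows.
    for startup_name in ("Start Menu", "STARTM~1"):
        p = _resolve(root, "Windows", startup_name, "Programs", "StartUp", "kak.hta")
        if p is not None:
            remove(p)
    for name in ("kak.hta", "kak.htm"):
        p = _resolve(root, "Windows", name)
        if p is not None:
            remove(p)

    # Step 3: the randomly named temporary .HTA in Windows\System. The page
    # says to delete every .hta there; run with dry_run=True to list them first.
    system = _resolve(root, "Windows", "System")
    if system is not None:
        for p in sorted(system.iterdir()):
            if p.is_file() and p.suffix.lower() == ".hta":
                remove(p)
    return log


def demo() -> dict:
    """Build a constructed infected tree in a temp dir, clean it, report."""
    root = Path(tempfile.mkdtemp())
    win = root / "Windows"
    startup = win / "Start Menu" / "Programs" / "StartUp"
    system = win / "System"
    for d in (startup, system):
        d.mkdir(parents=True)
    (root / "AE.KAK").write_text("@echo off\nSET PATH=C:\\WINDOWS\n")
    (root / "AUTOEXEC.BAT").write_text(
        "@echo off > C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak.hta\n")
    (startup / "kak.hta").write_text("<!-- constructed placeholder -->")
    (win / "kak.htm").write_text("<!-- constructed placeholder -->")
    (system / "74F03760.hta").write_text("<!-- constructed placeholder -->")
    log = clean_kak_files(root)
    result = {
        "log": log,
        "autoexec": (root / "AUTOEXEC.BAT").read_text(),
        "ae_kak_left": (root / "AE.KAK").exists(),
        "hta_left": sorted(p.name for p in root.rglob("*.hta")),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

Against a real mounted volume, call clean_kak_files(Path("/mnt/win98"), dry_run=True) first and read the log; only the registry values cAg0u and Default Signature remain to be handled by hand afterwards.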