Microsoft KB Archive/262165

= OLEXP: Security Patch Available for the KakWorm Virus =

Article ID: 262165

Article Last Modified on 1/27/2007

-

APPLIES TO


 * Microsoft Outlook Express 5.5
 * Microsoft Outlook Express 5.01 Service Pack 2
 * Microsoft Outlook Express 5.0
 * Microsoft Outlook Express 4.01 Service Pack 1
 * Microsoft Outlook Express 4.01 Service Pack 2
 * Microsoft Outlook Express 4.0
 * Microsoft Outlook Express 5.5
 * Microsoft Outlook Express 5.01 Service Pack 1
 * Microsoft Outlook Express 5.0
 * Microsoft Outlook Express 4.01 Service Pack 1
 * Microsoft Outlook Express 4.01 Service Pack 2
 * Microsoft Outlook Express 5.5
 * Microsoft Outlook Express 5.01
 * Microsoft Outlook Express 5.0
 * Microsoft Outlook Express 4.01 Service Pack 1
 * Microsoft Outlook Express 4.01 Service Pack 2
 * Microsoft Outlook Express 4.0

-



This article was previously published under Q262165



For information about the differences between Microsoft Outlook Express and Microsoft Outlook e-mail clients, click the following article number to view the article in the Microsoft Knowledge Base:

257824 OL2000: Differences Between Outlook and Outlook Express

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
This article describes the security patch that is available for protection against the e-mail virus worm know as Wscript.KakWorm, Vbs.Kak.Worm, and Kagou-Anti-Krosoft. After you install this security patch, the virus does not work automatically.



MORE INFORMATION
This worm appends itself to the end of legitimate outgoing e-mail messages as a signature, and then it enters your computer through a hole in Outlook Express e-mail security, Scriptlet.Typelib. When you receive an infected e-mail message, the worm, Kak.hta, automatically copies itself to a startup folder on your computer if you are using either the French-language or English-language versions of a Microsoft Windows operating system. The Kak.hta file is copied to your computer without your knowledge because you do not have to open an attachment for it to run; if you simply receive and then read the e-mail message, the worm is copied to your computer.

Files with the .hta file extension are run by Microsoft Internet Explorer and Netscape Navigator. You must restart your computer for this file to run. After the worm runs, it modifies the following registry key in order to add its own signature file, the infected Kak.hta file

HKEY_CURRENT_USER\Identities\ \Software\Microsoft\Outlook\Express\5.0\Signatures

where  is the name of your identity. When the worm modifies the registry key, all outgoing e-mail messages are appended with the worm. In addition, the following registry key is added to your computer that causes the worm to run each time that you restart your computer:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\cAgOu

On the first day of the month, at 5:00 P.M., you receive the following message and Windows is sent the command to shut down:

Kagou-Anti-Kro$oft says not today!

How to Remove the Worm
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To remove the worm:  Click Start, point to Find, and then click Files or Folders. In the Named box, type

kak*.*

and then click the drive letter for your hard disk in the Look in box. Click to select the Include Subfolders check box, and then click Find Now. When you see the Kak.hta file, and all other Kak-related files in the Search Results box, right-click the files, click Delete, and then close the Search Results dialog box. Click Start, click Run, type regedit in the Open box, and then click OK. Locate the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\cAgOu

</li> Right-click the registry key, click Delete, and then close Registry Editor.</li></ol>

For more information about the security patch and to download the security patch, please see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms99-032.mspx

For additional information about how to obtain the Outlook E-mail Security Update, which prevents the KakWorm virus from spreading in Outlook, click the article numbers below to view the articles in the Microsoft Knowledge Base:

262631 OL2000: Information About the Outlook E-mail Security Update

262617 OL98: Information About the Outlook E-mail Security Update

NOTE: Microsoft does not offer software for computer virus detection or removal. If infection by a virus is suspected or confirmed, the recommended course of action is to obtain current anti-virus software from a vendor commercially involved in virus detection and removal. For a list of suppliers (vendors) of anti-virus software, please see the following article in the Microsoft Knowledge Base:

49500 List of Anti-Virus Software Vendors

Keywords: kbhowto KB262165

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.