MORE INFORMATION

This worm appends itself to the end of legitimate outgoing e-mail messages as a signature, and then it enters your computer through a hole in Outlook Express e-mail security, Scriptlet.Typelib. When you receive an infected e-mail message, the worm, Kak.hta, automatically copies itself to a startup folder on your computer if you are using either the French-language or English-language versions of a Microsoft Windows operating system. The Kak.hta file is copied to your computer without your knowledge because you do not have to open an attachment for it to run; if you simply receive and then read the e-mail message, the worm is copied to your computer.

Files with the .hta file extension are run by Microsoft Internet Explorer and Netscape Navigator. You must restart your computer for this file to run. After the worm runs, it modifies the following registry key in order to add its own signature file, the infected Kak.hta file

where Identity is the name of your identity. When the worm modifies the registry key, all outgoing e-mail messages are appended with the worm. In addition, the following registry key is added to your computer that causes the worm to run each time that you restart your computer:

On the first day of the month, at 5:00 P.M., you receive the following message and Windows is sent the command to shut down:

How to Remove the Worm

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To remove the worm:

1. Click Start, point to Find, and then click Files or Folders.
2. In the Named box, type

   kak*.*

   and then click the drive letter for your hard disk in the Look in box.
3. Click to select the Include Subfolders check box, and then click Find Now.
4. When you see the Kak.hta file, and all other Kak-related files in the Search Results box, right-click the files, click Delete, and then close the Search Results dialog box.
5. Click Start, click Run, type regedit in the Open box, and then click OK.
6. Locate the following registry key:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\cAgOu

7. Right-click the registry key, click Delete, and then close Registry Editor.

For more information about the security patch and to download the security patch, please see the following Microsoft Web site:

For additional information about how to obtain the Outlook E-mail Security Update, which prevents the KakWorm virus from spreading in Outlook, click the article numbers below to view the articles in the Microsoft Knowledge Base:

NOTE: Microsoft does not offer software for computer virus detection or removal. If infection by a virus is suspected or confirmed, the recommended course of action is to obtain current anti-virus software from a vendor commercially involved in virus detection and removal. For a list of suppliers (vendors) of anti-virus software, please see the following article in the Microsoft Knowledge Base: