
Schwaderer: Courtesy Virus Warning For Windows Users


  • From: WILLIAM D SCHWADERER <WDAVID@xxxxxxxxxxx>
  • Subject: Schwaderer: Courtesy Virus Warning For Windows Users
  • Date: Fri, 28 Apr 2000 20:38:29 -0700

During the past few weeks, I have used this mailing list to send messages.
If you use windows and received messages from me, you may wish to know I
today found it necessary to clean my system of a virus.  I think my system
is now clean and deeply thank McAfee Associates for their assistance.

Details follow, sorry for the long post and any inconvenience.    Believe I
too am inconvenienced.

===========================

Thank you for contacting McAfee Technical Support. We've attached the
document you requested below.

If this document does not answer your questions please refer to the
following website: http://www.mcafeehelp.com.  You will be able to search
for a solution or information regarding your program.  If you do not find
what you are searching for, you will be given other support options such as
Email Express, Forums, and Phone support.

Manual Removal of WScript/Kak.worm


Boot into Safe Mode

1.  Shut the computer down so the power is off.
2.  Wait 20 seconds or so.
3.  Turn the computer on and immediately begin pressing the F8 key on the
keyboard once every second repeatedly.  Do this until the Windows Startup
Menu appears.  If you get a keyboard error, press F1 to resume and then
continue pressing the F8 key once every second.
4.  Select option #3 (Safe Mode) from the Windows Startup Menu, then press
the Enter key on the keyboard.
5.  Windows will then boot into Safe Mode.  NOTE: This may take longer than
a normal boot.
6.  At the end of the boot process a dialog box will appear informing you
that Windows is in Safe Mode.  Click OK on this dialog box.
7.  Windows is now in Safe Mode.


Backup the Registry

IMPORTANT: Before beginning to manually remove KAK from your computer make
sure to backup the Registry. This will safeguard your Windows installation.
You can recover your Windows configuration by restoring the backup if an
error occurs during the removal process.

1.  Click on the Start button.
2.  Click on Run.
3.  Type REGEDIT in the Open field.
4.  Click the OK button. The Registry Editor window will appear.
5.  Click on the Registry pull-down menu.
6.  Click on Export Registry File.
7.  In the File Name field type "backup" (without the quotation marks).
8.  In the Save In field be sure that the desktop is selected (if it is not,
click on the pull down menu and select "Desktop").
9.  Select "All" in the Export Range group box.
10. Click on the Save button. The registry will then be saved.
11. Click the X in the top right corner to close the Registry Editor.

NOTE: You now have a backup of your Registry saved as "backup" on your
desktop.  If you need to restore the Registry you can double-click on the
"backup" file located on the desktop. Once these instructions are complete
and everything is running properly be sure to delete this backup file by
right-clicking on it then left-clicking on Delete from the pop-up menu that
appears.  This will ensure that the old registry is not accidentally
restored once KAK has been removed.


Edit the Registry

1.  Click on the Start button.
2.  Click on Run.
3.  Type in REGEDIT then click the OK button.  The Registry Editor will then
appear.
4.  Double-click on the HKEY_LOCAL_MACHINE folder on the left side of the
screen.
5.  Double-click on Software.
6.  Double-click on Microsoft.
7.  Double-click on Windows.
8.  Double-click on CurrentVersion.
9.  Single-click on the Run folder so it is highlighted.
10. On the right side of the screen, under the Name column, locate cAgOu and
single-click on it so it is highlighted.
11. Press the Delete key on the keyboard to remove this entry.
12. Close the Registry Editor by clicking the X in the top right corner.


Edit the AUTOEXEC.BAT File

1.  Click on the Start button.
2.  Click on Run.
3.  Type in SYSEDIT then click the OK button.
4.  The System Configuration Editor window will appear. The front window
will be labeled C:\AUTOEXEC.BAT.
5.  Delete the following lines, which are near the top of the
C:\AUTOEXEC.BAT window, by highlighting the line and then pressing the
Delete key on the keyboard:
C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\KAK.HTA
DEL C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\KAK.HTA
6. Close all open windows until you are back on the desktop.  You will be
asked if you wish to save changes.  Answer Yes.


Change the Folder View Options

(This is necessary to find the files in the 'Delete the KAK Related Files'
section)

1.  Double-click on the My Computer icon on the desktop.
2.  Double-click on the C: drive.
3.  Click on the View pull-down menu then click on Options (or Folder
Options).  The Folder Options dialog box will then appear.
4.  Click on the View tab.
5. Select the 'Show all files' option.
6. Uncheck 'Hide file extensions for known file types'.
7. Click the Apply button followed by the OK button.
8. Close the remaining open windows until you are back on the desktop.


Delete the KAK Related Files

1.  Click on the Start button.
2.  Highlight Find then click on Files or Folders.  The Find Files dialog
box will then appear.
3.  Make sure the (C:) drive is selected in the Look In field so the entire
C: drive will be searched.
4.  Type in KAK.HTM in the Named field then click the Find Now button.
5.  The computer will then search the hard drive for the file.  When the
file is found it will be displayed towards the bottom of the dialog box.
6.  Once the file is found right-click on the icon located to the left of
the file's name.  A pop-up menu will appear.
7.  Left-click on Delete.  Answer Yes to any prompts asking if you are sure
you would like to delete the file.
8.  Now type in *.HTA in the Named field then click the Find Now button.
The computer will then search the hard drive for all files that end with
.HTA.  Each file will be listed towards the bottom of the dialog box.
9.  When the computer has finished searching delete each of the listed files
by right-clicking on the icon to the left of the file's name, and then
left-clicking on Delete from the pop-up menu that appears.  Do this with
each listed file until no files remain.
10.  Once the files have been deleted click the X in the top right corner to
close the Find Files dialog box.
11. Right-click on the Recycle Bin on the desktop.  A pop-up menu will
appear.
12. Left-click on Empty Recycle Bin.  Answer Yes to any prompts asking if
you are sure.
13. Restart the computer.  It will automatically boot back into normal
Windows.

You are now clean from the KAK worm.


Prevent Future Infections of the KAK Worm

The KAK worm works by exploiting vulnerabilities in ActiveX controls.  The
vulnerabilities exploited by this worm have been addressed by Microsoft with
a security patch.  Installing this security patch will prevent the execution
of this worm under default security settings.  McAfee recommends applying
this patch for all computers running Internet Explorer.  Download this patch
by going to http://www.microsoft.com/technet/security/bulletin/ms99-032.asp.


McAfee Technical Support

-----Original Message-----
From: wdavid@xxxxxxxxxxx [mailto:wdavid@xxxxxxxxxxx]
Sent: Friday, April 28, 2000 8:55 AM
To: NAI_Emails
Subject: Request for Agent Assistance


Submitted from McAfee Online Help Site

Customer Path: MainPage > Step2 > Step2 > Step3 > Step2 > Step3 > Results
> EmailExpress > Emailed TechSupport:

Question(s) asked during this session:
Kagou

Name:    w david schwaderer
Phone:   408..
Email:   wdavid@xxxxxxxxxxx
System:  Windows98
Product: VirusScan
Version: 1999

Description:
I am regularly getting the WIN98 complaint "kak.reg not found" at boot
time.  In poking around, it appears that kak files are associated with
McAfee virus scanning on my system.  I do not know if this is normal, but
the kak file I found has the following:

if(d.getDate()==1 && d.getHours()>17)
{
    alert('Kagou-Anti-Kro$oft says not today !');
    wsh.Run(wd+'RUNDLL32.EXE user.exe,exitwindows');
}
This looks like a test which can exit windows.

Has your software become infected on my system or is this part of your
software...?

I can send the text kak file which I have explored to some degree and
formatted to make it easier to read.

Let me know how to do this if you want it...
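As an added example, not part of the original post or McAfee's document: a Python check, run over constructed inputs (a REGEDIT4 export like the "backup" file the steps create, an AUTOEXEC.BAT, and a file listing), that reports the same Kak indicators the manual steps look for by hand: the cAgOu value under the Run key, the two KAK.HTA lines, and KAK.HTM / *.HTA files. The data behind cAgOu and the file locations are placeholders, not the worm's real values.

```python
import re

# Run key that the registry step inspects. The sample inputs below are constructed;
# the data behind the cAgOu value is a placeholder, not the worm's real value.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"cAgOu"="C:\\WINDOWS\\SYSTEM\\placeholder.hta"
'''
SAMPLE_AUTOEXEC = (
    "@ECHO OFF\n"
    "C:\\WINDOWS\\STARTM~1\\PROGRAMS\\STARTUP\\KAK.HTA\n"
    "DEL C:\\WINDOWS\\STARTM~1\\PROGRAMS\\STARTUP\\KAK.HTA\n"
    "PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n"
)
SAMPLE_FILES = [r"C:\WINDOWS\KAK.HTM", r"C:\WINDOWS\WIN.INI",
                r"C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\KAK.HTA"]
_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key (lowercased): {name: data}}; string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # registry key names are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())  # undo \\ and \" escapes
            keys[current][name] = data
    return keys

def find_kak_indicators(reg_text, autoexec_text, file_paths):
    """Return (source, detail) pairs for every Kak indicator named in the removal steps."""
    findings = []
    run_values = parse_reg_export(reg_text).get(RUN_KEY.lower(), {})
    for name, data in run_values.items():
        if name.lower() == "cagou":                   # the Run entry the registry step deletes
            findings.append(("registry", f"{RUN_KEY}\\{name} = {data}"))
    for lineno, line in enumerate(autoexec_text.splitlines(), 1):
        if "KAK.HTA" in line.upper():                 # the two AUTOEXEC.BAT lines
            findings.append(("autoexec", f"line {lineno}: {line.strip()}"))
    for path in file_paths:                           # listing must include hidden files
        if path.upper().endswith(("\\KAK.HTM", ".HTA")):
            findings.append(("file", path))
    return findings
```

The file listing has to be produced with hidden files shown, which is why the removal steps change the folder view options first.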