KAK Help Center
Also see: Hoax Encyclopedia | Virus Encyclopedia | Repair Center | News Briefs | Glossary | Infected Attachments | Prevention Center
What is Kak? Kak is a javascript worm spread via infected email that continues to enjoy an in-the-wild presence. Infecting only Windows 95/98 systems running Outlook Express 5.0, Kak will shut down users systems on the first day of each month if after 1700 (6 p.m. or later). A complete description can be found here.
How do I prevent Kak? As Kak continues worming its way into inboxes, users need to take certain precautions to defend against it. If you are a Windows 95/98 user running Outlook Express 5.0, install the Microsoft patch to prevent infection.
How to Remove Kak: If you are already infected with Kak, follow the steps below to clean your system and prevent reinfection.
- Set the Restricted Sites security zone to disable all ActiveX. (In fact, I would disable Java while there). Do this from Internet Explorer by selecting the following menu items:
Tools | Internet Options | Security | Restricted Sites | Custom Level
Note: Just setting the restrictions to High will not work. You must choose Custom Level and scroll through the list making the necessary changes. If you are unable to follow this step, it may be a good idea to ask an experienced friend for assistance.
- Open Outlook Express (if not already open) and add it to the Restricted Zone. Do this by choosing Tools | Options | Security and selecting Restricted Zone.
- Also from Outlook Express, go to Tools | Options | Signatures. If there are any signatures listed, click on them and choose remove. Do this for every signature listed. You will need to recreate them when finished disinfecting your system. You need to repeat this step for each identity used in Outlook Express. You can switch to the different identities by choosing File | Identities | Switch Identities
- Using Windows Explorer, or at a command prompt, browse to C:\Windows and delete the file: Kak.htm.
- Using Windows Explorer, or at a command prompt, browse to C:\Windows\System and delete any .hta files found that are preceded by a combination of characters A-F and 0-9 or are 4116 bytes in size. These are hidden files; in order to see them you will first have to change the hidden attribute. If using the DOS command prompt, use the ATTRIB command. If using Windows Explorer, go to Tools | Folder Options | View, and select "Show hidden files and folders".
- In the root of C:\, rename your AUTOEXEC.BAT file to AUTOEXEC.OLD and rename AE.KAK to AUTOEXEC.BAT. (Or you can edit the existing AUTOEXEC.BAT to remove the two lines pertaining to KAK).
- Delete KAK.HTA from the Windows\Startup folder.
- Reboot the PC. Watch the Windows startup sequence carefully. If you see "Driver Memory Error" appear very briefly in the taskbar, you missed a part of the above process and should repeat the steps again.
- If you do not follow this next step, reinfection is very likely to reoccur! Remember, Kak can infect simply by previewing a message. Your inbox is likely full of Kak infected emails. Before doing anything else, please install the patch from Microsoft to avoid reinfecting yourself or others.
Share your experience: Tell others how you fared with Kak by posting a message in the Antivirus Forum.
More than just viruses threaten your data. Let Jim Williams, your About.com guide to Internet & Network Security give you the low-down on cyberthreats.
