Quite a nasty little email virus that I managed to receive and pass on; detailed information is available from http://www.symantec.com/avcenter/venc/data/wscript.kakworm.html . As with most email viruses, it only affects Microsoft Outlook and Outlook Express users under Windows. But that's a great deal of victims.

The virus is written in a Windows Scripting format, and is readily visible if you view source, as it attaches itself to your signature.

I only realised I had it when a friend warned me about it when I sent it to him!

Ah, the lovely kakworm virus. I'm pretty sure this must be the most widespread virus in the UK, infecting offices and universities across the land.

Why? Because it only strikes if you reboot after 5PM, and even then only on the first day of the month. Take your average small business; virus scanner with dat files last updated in '96, Outlook Express on every machine, and working days which end at 5PM. The virus is never noticed, and as it automatically attaches itself to e-mails, spreads across the small business community like a rash. I must have cleared it out a million times when doing odd jobs (including once for my CompSci supervisor, who subsequently granted me a course transfer I almost certainly didn't deserve).

How to detect & clear Kakworm

First: do you have Kakworm? This is quite easy to tell. When booting your PC, you may have a window pop up at the end of boot saying "driver memory error" containing a bunch of gibberish characters. You've got kak. Other simple checks are to run a virus scanner, or in some cases simply look in the startup folder on the start menu (note: this latter method is not guaranteed).

Next: short, controlled bursts. Kakworm is easy to clear, but has to be cleared from quite a few places:
  • Start -> Programs -> Startup: Look for kak.hta or anything containing the word kagou. Vape it, and empty the recycle bin (if you don't shift+del everything).
  • Run a find files or folders on *.hta, then kill anything containing the words kak or kagou. To be honest, you'd probably be safe killing all .hta files, as I've never seen the HTML-Application format used for anything other than virii.
  • Run a find files or folders on *kak*.* and *kagou*.*, kill anything found.
  • The scariest bit (for inexperienced users). Fire up regedit. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\. Check the contents of the Run, RunOnce and RunOnceEx folders, and delete any keys containing kagou, kak or .hta. Alternatively, for Win98/ME users, you can simply disable the keys using msconfig.
  • Finally, some variants also add entries to the autoexec.bat file, so you may want to check this. I presume you simply delete all lines containing the standard suspicious filenames, but I've personally not encountered this variant.
Now reboot. Then install the previously downloaded patch (or alternatively, download the patch now.) DO NOT read your e-mails using any MS e-mail reader, or Calypso, until the patch is installed. Once patched, reboot again, and you should be safe.

Try viewing the source of any HTML e-mails you've received, and look for the lines "driver memory error" and "not today! Kagou Anti-Microsoft" (or somesuch) hidden in the mishmash of HTML. Then either mail the person to apologise for sending them the virus, or tell them to burn in hell for sending it to you <g>.
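
A read-only sweep for the indicators listed in the write-up above, as an added example that is not part of the original write-ups. The function names are hypothetical and the sample inputs are constructed. The registry check is covered only by feeding `suspicious_lines` a text export of the Run keys.

```python
import os
import re

# Indicators taken from the write-up: names containing "kak" or "kagou",
# the .hta extension, and two strings seen in infected HTML mail.
NAME_RE = re.compile(r"kak|kagou", re.IGNORECASE)
MAIL_MARKERS = ("driver memory error", "kagou")

def suspicious_files(root):
    """List files under root (relative paths, sorted) matching the name checks.
    Substring matching is deliberately broad, so review hits before deleting."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".hta") or NAME_RE.search(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

def suspicious_lines(text):
    """Return (line_no, line) for lines naming kak, kagou or .hta. Feed it
    autoexec.bat or a text export of the Run/RunOnce/RunOnceEx keys."""
    return [(n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if NAME_RE.search(line) or ".hta" in line.lower()]

def mail_markers(source):
    """Return which marker strings occur in the raw source of an HTML mail."""
    low = source.lower()
    return [m for m in MAIL_MARKERS if m in low]

if __name__ == "__main__":
    # Constructed samples, not captured from a real infection.
    sample_bat = "@echo off\nrem constructed line: C:\\EXAMPLE\\kak.hta\nset PATH=C:\\DOS\n"
    sample_mail = "<html><body>Hi<!-- Driver Memory Error --></body></html>"
    print(suspicious_lines(sample_bat))
    print(mail_markers(sample_mail))
    print(suspicious_files("."))
```

The script only reports matches; removal stays a manual step, since a plain "kak" substring will also hit unrelated files.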
