Instructions for disinfecting VBS/Kakworm
How can I prevent my computer from becoming infected?
You can
protect your computer from VBS/Kakworm (and similar viruses) by downloading the
patch from Microsoft Security Bulletin MS99-032: http://www.microsoft.com/technet/security/bulletin/ms99-032.asp.
This should be installed before you disinfect the computer to prevent reinfection.
Sophos Anti-Virus for Windows 95/98/Me has found the VBS/Kakworm virus on
my computer. What should I do?
VBS/Kakworm creates a number of files
which can be detected and removed using Sophos Anti-Virus.
At the Windows taskbar, select Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus. You will see the Sophos Anti-Virus screen.
In the window that lists drives on your computer, look for C:\. Check that the indicator light to the left of C:\ is lit up. If necessary, click on the light to turn it green.
Check that File types is set to Executables. If it is not, click the Edit button and under File types select Executables. Click OK.
Now tell Sophos Anti-Virus what to do with any infected files. From the menu bar, select Options and then Configuration.
You see the configuration screen. There are three tabbed pages. Select the Action page.
Check Disinfect Boot Sectors, Disinfect Documents and Infected Files. Under Infected Files, choose Delete as the action. Click OK to return to the main screen.
At the main Sophos Anti-Virus screen, click the GO button.
Sophos Anti-Virus checks your computer for viruses.
When infected items are found, you are prompted to delete the file(s). You can safely delete any files infected with VBS/Kakworm. This is so because VBS/Kakworm itself has created these files: it does not spread from file to file but from machine to machine by email (it is a "worm"). If you find a VBS/Kakworm virus fragment or Mid/Kakworm do not delete it, instead contact Sophos Technical Support.
You have now disinfected your computer.
Go back to the Action page and uncheck Infected Files. This avoids the deletion of documents that could be disinfected.
How can I restore the settings that VBS/Kakworm has changed?
VBS/Kakworm makes the following changes:
- Creates registry entries that refer to a file in the
C:\WINDOWS\SYSTEM directory called xxxxxxxx.HTA, where xxxxxxxx are
random characters:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunThese entries can be deleted using REGEDIT. Do not attempt to do this unless you understand how to use REGEDIT.
- Copies the C:\AUTOEXEC.BAT file to a file called C:\AE.KAK and
adds the following lines to the AUTOEXEC.BAT file (or overwrites
the file with them):
@echo off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta
del C:\Windows\STARTM~1\Programs\StartUp\kak.htaThese lines can be deleted using an editor. Alternatively C:\AE.KAK can be renamed to C:\AUTOEXEC.BAT though any changes which have been made to AUTOEXEC.BAT since the computer was infected will be lost.
- Replaces the Outlook signature with a link to
C:\WINDOWS\KAK.HTM
This link can be removed using Outlook Express. Select 'Options...' from the 'Tools' menu, then select 'Signatures' page. Highlight the link to C:\WINDOWS\KAK.HTM and remove it.
