Computer Security: How to Remove the Wscript.KAKworm

Learn how to remove the Wscript KAK Virus Worm from your Windows computer

The Wscript KAK Worm is a virus worm that only attacks computers that run Outlook Express. Downloaded as an executable file (wscript.exe), the wscript worm uses a security vulnerability in Outlook to attach itself to every email that is sent from the infected computer.

How the Wscript.KAKworm Virus Worm Self-Installs

Written in Javascript, the virus will attack the English and French version of Windows 95 and 98 if Outlook Express 5 is installed. It can easily infect a system when an email message is read or previewed because the virus is in the HTML of the email message. Once the message is opened, the worm will infect the computer.

When a computer is infected, an error message will be opened on the first day of every month stating a Driver Memory Error. The worm will create a file called a KAK.HTM in your Windows directory. After that, the worm will add a few lines of script on the AUTOEXEC.BAT file. The virus will also make changes to the Windows registry.

How to Remove the Wscript.KAK Worm

This tutorial will show you how to remove the Wscript.KAK worm from your computer. NOTE: you will need to delete several files from your computer and make changes to the Windows Registry. If you are not comfortable with this, you must seek professional help.

1. Clean out your Inbox by deleting as many email messages as possible. This lowers the risk of re-infecting your computer once the worm is uninstalled.

2. Click on your Start button and then select “Search” to open the search tool. Use this tool to locate the autoexec.bat file on your computer. Open the file and delete the following lines:

@echo off>C:\Windows\ STARTM~1\Programs\ StartUp\kak.hta

del C:\Windows\ STARTM~1\Programs\ StartUp\kak.hta

TIP: alternatively, just delete the autoexec.bat file entirely and then rename the file called ae.kak to autoexec.bat.

3. After fixing the autoexec.bat file, you will need to delete the kak.hta file from the Windows startup group and the directory. You will also need to delete the temporary HTA file that was created in the system directory (C:\windows\system). This filename will be similar to 62F03748.hta, but the temporary filename will never be the same. Simply delete all files with the HTA extension.

4. Click the Start button and then Run. Type regedit and hit Enter. Once the Registry Editor is open, delete these two registry entries:

HKEY_LOCAL_ MACHINE\SOFTWARE\ Microsoft\Windows \Currentversion\ Run\ cAg0u

HKEY_CURRENT_ USER\Identities\ Software\Microsoft\ Outlook Express\5.0\ signatures\Default Signature


Add a comment

0 answers +0 votes
Post comment Cancel