Wscript.Kakworm Removal Tool

July 26, 2006
Download Removal Tool
NOTE: There are two versions of this worm: Wscript.KakWorm and Wscript.KakWorm.B. The tool referenced on this page is only for the Wscript.KakWorm.
Please go here for the Wscript.KakWorm.B removal tool.

How to obtain and use the Wscript.KakWorm removal tool
To use the tool, we recommend you download the Fixkak.exe file to your Windows desktop or to a folder on your hard disk. After the file finishes downloading, follow these steps:
Close all programs.
Double-click Fixkak.exe to run it. A removal tool dialog box will appear.
Click Remove. One of the following three messages will appear after you click Remove:
"Your computer is not infected." (Your system is safe, and you do not need to do anything.)
"Your computer has been successfully restored." (The worm has been removed, and your system is now free of the damage done by the worm.)
"An error occurred during execution of this program." (The removal tool has encountered a problem that it cannot fix. You will need to manually remove the virus. Refer to this page for manual removal instructions.)

What the tool does
The Wscript.KakWorm removal tool makes the following changes to the system:
It searches for the file Kak.hta that the worm placed in the StartUp folder. If the file is present and the CRC (cyclic redundancy check) matches, it deletes this file. (A CRC is a number derived from a block of data that detects corruption when data is transferred.)
It checks for the cAgOu value in the following registry key:


If this value is present, it is deleted.

The tool searches all of the keys under:

HKEY_CURRENT_USER\Identities\[SUBKEYS]\Software\Microsoft\Outlook Express\5.0\Signatures

where [SUBKEYS] represents all of the possible subkeys of HKEY_CURRENT_USER\Identities

It searches for the Default Signature value in the Signatures key for Outlook Express 5.0. If present, this value is deleted.
It searches for and deletes Kak.htm from the Windows folder.
It restores the original Autoexec.bat file.
If present, the tool will delete the \00000000 subkey that the virus creates at:

HKEY_CURRENT_USER\Identities\???\Software\Microsoft\Outlook Express\5.0\Signatures\00000000

NOTE: Because the worm does not save this information, the tool cannot restore the default signature for Outlook Express if one existed before Outlook Express was infected.
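The following is an added, read-only audit script that reports the same artifacts the tool is described as cleaning up; it is not Symantec's Fixkak.exe and not code from this page. It assumes PowerShell on the machine being checked, takes the StartUp and Windows folders from the environment, and leaves the registry key that holds the cAgOu value as a placeholder because this page does not list it.

```powershell
# Added audit script (not Fixkak.exe). Reports, without changing anything,
# the files and registry entries described in "What the tool does".
# ASSUMPTION: this page does not name the key holding the cAgOu value,
# so $CagouKey is a placeholder you must replace before running.
$CagouKey = 'HKLM:\PLACEHOLDER_KEY_NAMED_ON_THE_PAGE'

function Test-KakArtifacts {
    $findings = @()

    # 1. Kak.hta dropped into the user's StartUp folder
    $hta = Join-Path ([Environment]::GetFolderPath('Startup')) 'Kak.hta'
    if (Test-Path -LiteralPath $hta) { $findings += "File present: $hta" }

    # 2. Kak.htm dropped into the Windows folder
    $htm = Join-Path $env:SystemRoot 'Kak.htm'
    if (Test-Path -LiteralPath $htm) { $findings += "File present: $htm" }

    # 3. cAgOu value under the key the page refers to (placeholder above)
    if (Test-Path -LiteralPath $CagouKey) {
        $props = Get-ItemProperty -LiteralPath $CagouKey -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains 'cAgOu')) {
            $findings += "Registry value present: $CagouKey\cAgOu"
        }
    }

    # 4. Outlook Express 5.0 Signatures key under every identity subkey:
    #    a "Default Signature" value and a "00000000" subkey
    $idRoot = 'HKCU:\Identities'
    if (Test-Path -LiteralPath $idRoot) {
        foreach ($id in (Get-ChildItem -LiteralPath $idRoot -ErrorAction SilentlyContinue)) {
            $sig = "$($id.PSPath)\Software\Microsoft\Outlook Express\5.0\Signatures"
            if (-not (Test-Path -LiteralPath $sig)) { continue }
            $sp = Get-ItemProperty -LiteralPath $sig -ErrorAction SilentlyContinue
            if ($sp -and ($sp.PSObject.Properties.Name -contains 'Default Signature')) {
                $findings += "Default Signature value set under $sig"
            }
            if (Test-Path -LiteralPath "$sig\00000000") {
                $findings += "Subkey 00000000 present under $sig"
            }
        }
    }
    return $findings
}

$result = Test-KakArtifacts
if ($result.Count -eq 0) { 'No KakWorm artifacts found.' } else { $result }
```

Run it from an elevated PowerShell prompt so the HKLM placeholder key can be read; an empty result means none of the listed artifacts were found, not that the machine is clean by every other measure.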

Information on Chktrust
To verify the digital signature of Fixkak.exe using chktrust.exe:
Go here
Download and save chktrust.exe into the same folder where you saved Fixkak.exe.
Click Start, point to Programs, and click MS-DOS Prompt.
Change to the location where Fixkak.exe and Chktrust.exe are stored. For example, if the files were saved to the Windows desktop, type:

cd \windows\desktop

Type the following command to check the digital signature of Fixkak.exe:

chktrust -i fixkak.exe

If the digital signature is valid, you will see a message similar to the following:

"Do you want to install and run "Fix Kak Utility" signed on 7/28/2000 5:38PM and distributed by Symantec Corporation."

The date and time displayed in this message are adjusted to your time zone if your computer is not set to the Pacific time zone. For example, if you live in the Eastern time zone, the date and time you see will be 7/28/2000 8:38PM.
If you are using Daylight Saving time, the time that is displayed will be exactly one hour earlier.
If this dialog box does not appear, there are two possible reasons:
The tool is not from Symantec. Unless you are sure that the tool is legitimate, and that you downloaded it from the legitimate Symantec Web site, you should not run it.
The tool is from Symantec, and is legitimate. However, your operating system was previously instructed to always trust content from Symantec. For information on this, and on how to view the confirmation dialog again, read the document How to restore the Publisher Authenticity confirmation dialog box.

Click Yes to close the Chktrust dialog box.
Type exit and then press Enter.