Seven or eight months ago I started getting a blank window when I booted up. Title bar said something about a kak.hta and there was a brief appearance on the taskbar of the phrase “Driver Memory Error.” Since I tinker around with the machine a lot, I figured something I loaded then unloaded had left behind this debris. Taking a logical approach to an unwanted phenomenon, I went to the Startup folder and deleted the shortcut causing the appearance of the window. Using Find, I looked for files or folders with the string “kak” and deleted same. Still, an empty kak window. I had the Kak worm. Symantec offers a short program and the description of the steps it takes to get rid of the worm, including deleting several entries in the Registry. The worm rides on e-mail text (it’s not an attachment). So I alerted my e-mail recipients and offered to send the program down to them if they wanted. Worms don’t out-and-out destroy anything — YET. So my non-techy friends said not to bother, although one had also been getting that driver memory error message.
About two months ago I started getting the window that wants a password — which I don’t use — so I cancelled the window without giving it one. It’s supposed to stop asking when you don’t enter one. But it didn’t stop asking. It even asked when I’d get on the Internet. I even gave the name “NO NAME” with a blank password. (Aside to those who told me to merely delete the “*.pwl” files: that didn’t fix it.)
About seven in the evening on February 1, my neighbor came by to ask what was causing the red window on her screen. Not remembering right off where red windows come from, I went over to see what was going on. Turned out merely to be Norton finding lost clusters — apparently — so we let “him” fix the problem. The boot apparently continued to the point of releasing the cursor on the desktop. Then a window pops up with the message “Kagou-Anti-Kor$oft says not today” and Windows shuts the machine down.
Cold boots (powering down) did not get us anywhere so the next step was to get onto the Symantec site using my machine. “Kagou-Anti-Kor$oft” is an alias for another variant on the Kak worm that is triggered at 5 p.m. on the first of the month. Consider the likelihood of this lock-up occurring on a machine in a business. That machine would be all closed down and the worm remains, to be sent along with tomorrow’s e-mails because, as with her machine, there was no problem on the second of the month!
So, the next afternoon, I ran the Symantec program on her machine. It found and deleted the worm and reported “Your computer is not infected.” I mentioned this series of events to several friends. Celia Douglas belongs to the San Diego Computer Club, whose newsletter “Drive Light” had a review of a free anti-virus program. Celia doesn’t have an anti-virus program and wondered whether this free one was worthwhile. I’m generally skeptical of “free stuff.” This one is offered by Computer Associates Inc. Their site lists a full range of (generally) business and corporate protection programs.
Celia downloaded the (about 1.8 megs) program and was informed that it had found and deleted the kak worm. I downloaded it and was informed of another “dll” (data link library) file, part of the Kak worm, that it found and deleted. So why didn’t my Norton anti-virus program or this special “fixkak.exe” from them find and clean it out?
The denouement is that with that “dll” gone, I no longer get nagged for a password. Consider the implication of this in light of the worm that was discovered this week (claiming to be a photo of a teen sports figure). This latest worm is set to send information BACK to the originator, in the Netherlands, on a specific date next year. That message could include passwords collected when users who use passwords respond to the entry window that I refused to use. That is, if you regularly use a password, you would respond to that variant of the Kak worm, which then could hang onto and transmit the information. I’m not saying the person who is writing and rewriting the Kak worm is the one who created this new worm. Rather, it is obviously so easy to pry into any computer — private individual, business, or government — that runs Windows and/or the Microsoft browser, we should all be scared — very scared.