How to Destroy and Wall Out Kak

A worm is a form of malware that spreads itself through networks, as opposed to a virus that infects files or disks and expects these to be spread by users.

HTML stands for HyperText Markup Language, and is the file format used to build web pages, Windows HTML Help files (in modified form), and as a way of adding eye-candy such as bold, italics and embedded graphics to email messages.

Kak is a worm written in a scripting language supported as an extension to HTML. Such scripts can be embedded within HTML files and will usually be executed automatically by web browsers and other HTML interpreters.

Kak is written to exploit this behavior, with Outlook and Outlook Express as the target. With default settings, these programs will run the embedded Kak script within HTML message text (no attachments required) if the message is read, or even if the message is previewed as you flit through the subject headers in the mailbox.

To curb this insanity, you need to do more than remove the malware: re-infection is simply a preview of an existing infected message away. You should break the mechanism used by Kak and similar malware to attack your system, and ideally take steps to ensure you do not send malicious material out through your email program.

Destroying Kak

Start Outlook Express (or Outlook) and examine the "signature" feature there. You will see that the signature is set to use a file typically called Kak.hta; set it not to use the file, then find that file and rename it to (say) KAK.HT! so that it cannot function as an HTML file. You will need to repeat this process for each user identity within Outlook and Outlook Express.

Next, edit C:\AutoExec.bat and look for a reference to Kak there; comment it out by preceding the line with ":: " (two colons and a space).

Next, look for references to Kak in the StartUp group in the Start menu (Rt-Click Start button, Explore, navigate into Programs). This process may need to be repeated for each user, if user profiles are in use, including the default profile that is used when Esc is pressed to bypass the Windows logon prompt.

Next, look for references to Kak elsewhere in the system startup axis. In the Windows base directory, check Win.ini for Load= and Run= lines, System.ini for a Shell= line that has anything other than Explorer.exe (spelled with a small "L", not a capital "I") there, and finally look for the existence of a WinStart.bat file. None of these infiltration methods are typical for Kak, but these things may change with time.

Next, you need to check the registry, because part of the system startup axis is held there. Use RegEdit, and edit with caution; use Registry, Export to make backups of the particular keys you will be editing so that you can "undo", but take care not to export the whole registry or a sub-branch! Look in the Runxxx keys (Run, RunServices, RunEx, etc.) under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER (and repeat the latter search for each user profile in HKEY_USERS). If you see an entry that loads an arbitrary-named .hta or similar file, that's what you are looking for; export that key, delete the entry, then find and rename the file to an extension that is not associated as HTML (say, from .HTA to .HT!).

Typically, the file you are looking for will be called {name}.hta and will reside in the System directory under Windows base directory. The {name} will be an eight character string of characters 0-9 and A-F. There could be more than one of these files - one per user profile or identity - and they may be hidden. You should already have Windows Explorer set to show all files, not hide extensions etc. in any case.
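The startup-axis checks above (AutoExec.bat, Win.ini Load=/Run=, System.ini Shell=, and the Run keys) can be scripted against copies of those files. This is an added example, not part of the original page: the file contents and the .reg export are constructed samples, and "DEADBEEF.hta" is a placeholder for the {name}.hta file.

```python
import re

# Constructed sample contents (not from any real system) of the startup
# locations the article lists; "DEADBEEF.hta" stands in for the {name}.hta file.
AUTOEXEC = "@ECHO OFF\nC:\\WINDOWS\\SYSTEM\\DEADBEEF.hta\n:: C:\\OLD\\DEADBEEF.hta\n"
WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\DEADBEEF.hta\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"StartupEntry"="C:\\WINDOWS\\SYSTEM\\DEADBEEF.hta"
"""

HTA = re.compile(r"\.hta\b", re.IGNORECASE)

def ini_values(text, keys):
    """Return {key: value} for the wanted keys of an INI-style text (case-insensitive)."""
    found = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() in keys:
                found[k.strip().lower()] = v.strip()
    return found

def audit_autoexec(text):
    """Flag live (not '::'- or 'rem'-commented) AutoExec.bat lines that run an .hta file."""
    return [l for l in text.splitlines()
            if HTA.search(l) and not l.lstrip().lower().startswith(("::", "rem"))]

def audit_ini(win_ini, system_ini):
    """Flag Load=/Run= lines that load .hta files and a Shell= that is not Explorer.exe."""
    findings = [("win.ini", k, v) for k, v in ini_values(win_ini, {"load", "run"}).items()
                if HTA.search(v)]
    shell = ini_values(system_ini, {"shell"}).get("shell", "")
    if shell.lower() != "explorer.exe":   # also catches "ExpIorer.exe" (capital I) look-alikes
        findings.append(("system.ini", "shell", shell))
    return findings

def audit_reg_export(text):
    """Flag values under any Run* key of a .reg export whose data references an .hta file."""
    findings, key = [], None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "\\Run" in key and HTA.search(line):
            findings.append((key, line.strip()))
    return findings
```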

As you can see, hunting down and rooting out Kak is a mission you don't want to repeat on a regular basis. Italics and bold in email is nice, but perhaps not worth the price.

Walling out recurrence

It is almost a waste of time to kill Kak if you don't follow up with measures to prevent that attack method from succeeding again. Conceptually, this is done in two ways: by preventing the email program from running active content within HTML messages, and by plugging the particular loophole exploited by Kak.

First, the loophole, which is an ActiveX control called 'EyeDog' that was marked "safe for scripting" when it definitely is not (it allows file writes). Microsoft has a patch for this at (as of when this was written) http://www.microsoft.com/technet/security/bulletin/ms99-032.asp - it should be an executable file named Qxxxxxx where the x's are a number. Running that patch will close the 'EyeDog' loophole, but will not protect against other unsafe controls that are marked "safe", and can be undone by malware activity in any case.

So you need to do more than wall out EyeDog. You need to stop all execution of active content within HTML message bodies, in all email programs that support this.

Netscape Mail of later 4.x versions has a setting for JavaScript in mail and news under Edit, Preferences, Advanced; make sure that is disabled. Later Pegasus Mail versions have an option to use a web browser to view HTML mail messages; make sure the native Pegasus viewer is used instead. Eudora 4.xx can also use web browsers to view HTML messages; again, disable this. Older versions of Pegasus and Eudora are safe; older versions of Netscape Mail can never be safe as long as scripting and active content is enabled for the web browser. Outlook 97 is HTML-unaware, thus OK for this risk.

That leaves the most vulnerable email applications: Outlook and Outlook Express. Under Tools, Options, look for the Security tab and place mail in the Restricted Zone, rather than the Internet Zone (not applicable in Outlook 97). But that is not enough; you also need to run Internet Explorer, and go Tools, Options, Security tab to customize the Restricted Zone to disable all risks! By default, Java, Active Scripting and Controls marked as "safe" will be enabled, allowing attack without prompt or warning even in this, the "highest" of Microsoft's security templates (Windows ME has a slight clue; Active Scripting is now disabled by default).

Cleaning up your act

You should seriously consider not sending or forwarding mail in HTML format, as this facilitates not only attacks through embedded scripts, but also misrepresented links. HTML allows cosmetic text to cover the link itself, so that the link can take you somewhere other than expected - even to a local system dead-end that can lock up the system. These "link" risks are within HTML itself, and are not walled out by the suppression of active content as already described.

Even if you are immune to active content attacks, either by using an email program not targeted by Kak or by suppressing active content, you can still attack other users by forwarding or quoting infected messages. Using "Plain Text" rather than HTML (or Outlook's "Rich Text" that may have risks of its own) as your send and reply format will prevent this from happening, and arguably offers more value to your readers than bold, italics, fancy fonts or embedded graphics.

Advising your victims

If your system has attacked others ("through no fault of your own" notwithstanding) you owe it to them to inform them of this. You can either paste or quote from these instructions, or write something yourself, but do make the point that this time it is the HTML message itself that is the threat, not any files that might be attached.

Mutations

Wherever a script malware (such as Kak) goes, so does the source code that created it. That means any recipient may edit it to change the way it operates, or add a destructive payload. This is what is referred to as "mutation", and why I have broadened these instructions to check some areas not affected by the original Kak worm, and why I haven't bothered to mention virus scanners at all. By all means, keep your virus scanner up to date as a second line of defense, but don't rely on it to detect new or modified malware if you can wall out the attack method as well.

Filtering

If blessed with an email application that doesn't suck, you can use it to filter out script malware such as Kak. Create a filter that looks for "<script" (without the quotes) in the body of the message, and a unique-ish biopsy of text from the script malware (e.g. "says not today" for Kak). If found, route the message to a "Risk" mailbox.

After setting up these malware-specific filters, you can then set up a more generic filter for "<script" within the message body only, to detect nearly all messages that contain any scripts whatsoever. Some of those will be inline pastes from web pages, but some may be as-yet-unrecognized script malware.
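The two filters just described (a Kak-specific one on "says not today" plus a generic one on "<script", both checked against the message body and not attachments) can be expressed as a small routing function. This is an added example, not part of the original page or of any mail program's own filter syntax; the sample messages are constructed and carry only an inert script tag and the text fragment, not the worm.

```python
import email
from email import policy
from email.message import EmailMessage

# Signatures: a generic one for any embedded script and a Kak-specific text
# fragment quoted in the article. Both are matched against body text only.
GENERIC = "<script"
KNOWN = {"kak": "says not today"}

def body_text(msg):
    """Concatenate the text of the message's body parts, skipping attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue                                   # multipart containers, binaries
        if part.get_content_disposition() == "attachment":
            continue                                   # attached files are not the body
        chunks.append(part.get_content())
    return "\n".join(chunks)

def route(raw):
    """Return (mailbox, reason): 'Risk' with the malware name or 'unknown-script', else 'Inbox'."""
    msg = email.message_from_string(raw, policy=policy.default)
    text = body_text(msg).lower()                      # case-insensitive: <SCRIPT>, <Script>
    if GENERIC not in text:
        return ("Inbox", None)
    for name, signature in KNOWN.items():
        if signature in text:
            return ("Risk", name)                      # malware-specific filter matched first
    return ("Risk", "unknown-script")                  # generic filter: any script at all

# Constructed sample: an HTML-bodied message with an inert script tag and the
# Kak text fragment (no attachment needed, as the article stresses).
SAMPLE_HTML = """From: a@example.invalid
To: b@example.invalid
Subject: hi
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>Hello<SCRIPT>/* says not today */</SCRIPT></body></html>
"""

def make_attachment_sample():
    """Constructed sample: script only inside an attached page, so the body filter should not fire."""
    m = EmailMessage()
    m["Subject"] = "forwarded page"
    m.set_content("See attached page.")
    m.add_attachment("<html><script>1</script></html>", subtype="html", filename="page.html")
    return m.as_string()
```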


(C) Chris Quirke, all rights reserved - 2000, updated February 2001 and June 2002
