Updated: August 24, 2005 12:00:00 AM
Type: Removal Information

To use the tool, we recommend you download the Fixkakb.exe file to your Windows desktop or to a folder on your hard disk. After the file finishes downloading, follow these steps:
Close all programs.
Double-click the file Fixkak.exe to run it. A Repair Tool dialog box will appear.
Click Remove. One of the following three messages will appear after you click Remove:
"Your computer is not infected." (Your system is safe, and you do not need to do anything.)
"Your computer has been successfully restored." (The worm has been removed, and your system is now free of the damaged done by the worm.)
"An error occurred during execution of this program." (The removal tool has encountered a problem that it cannot fix. You must manually remove the virus. Refer to this page for manual removal instructions.)

What the tool does

The tool searches for the Day.hta file dropped into the StartUp folder. If the file is present, the tool will delete it.
The tool will remove the Default.htm, if it exists, from the Windows Command folder.
The tool will restore the original Autoexec.bat from the Days.day file that is created by the worm. The tool will delete Days.day after the restoration.
The tool will check cDays value in the Run registry key. If the value present, then the tool will extract the string from this value (the string contains the name of the file dropped into the system folder) and delete the value. Then the tool will delete the file, whose name was extracted from the cDays value.


The tool will enumerate through all the keys under HKEY_CURRENT_USER\Identities, searching for the Default Signature value in the Signatures key for Outlook Express 5.0. The tool will delete this value, if it was found.

HKEY_CURRENT_USER\Identities\???\Software\Microsoft\Outlook Express\5.0\Signatures

NOTE: ??? represents all the possible subkeys of HKEY_CURRENT_USER\Identities

The tool will delete the 00000000 subkey created by virus, if the subkey is present.

HKEY_CURRENT_USER\Identities\???\Software\Microsoft\Outlook Express\5.0\Signatures\00000000

NOTE: The tool is unable to restore the default signature for Outlook Express if it existed before being infected. The worm does not save this information.

Download: Fixkakb.exe

Fixkakb.exe is digitally signed. Symantec recommends only using copies of Fixkakb.exe that have been downloaded directly from this site. The following tool is available to verify the digital signature of Fixkakb.exe:

File: chktrust.exe

To verify the digital signature of fixkakb.exe using chktrust.exe:
Go here http://www.wmsoftware.com/free.htm
Download and save chktrust.exe into the same folder that contains Fixkakb.exe.
Launch the MS-DOS prompt from the Start menu.
Change to the folder that contains Fixkakb.exe and Chktrust.exe. If the files were saved to the desktop folder, enter the following command at the MS-DOS prompt:

cd \windows\desktop

Type the following command to check the digital signature of Fixkakb.exe:

chktrust -i fixkakb.exe

If the digital signature is valid, you will see the following question:

Do you want to install and run "Fix Utility B" signed on 08/10/2000 1:06 PM and distributed by Symantec Corporation?

The date and time that appear in this dialog will be adjusted to your time zone if your computer is not set to the Pacific time zone. For example, if you live in the Eastern time zone, the date and time you will see will be 08/10/2000 4:06 PM.
If you are using Daylight Saving time, the time that is displayed will be exactly one hour earlier.
You may also see a DOS box with the entry:

"c: Result:0" (without the quotes) .

If you do, then the test was positive and the file is confirmed as being from Symantec.

If the previously mentioned messages do not appear, or the date and time are not properly adjusted for your time zone on the original message, then do not use your copy of Fixkakb.exe. It is not from Symantec.

Click Yes to dismiss the Chktrust dialog. Type exit and then press Enter. This will terminate the MS-DOS session.

NOTE: The worm utilizes a known Microsoft Outlook Express security hole. Microsoft has patched this security hole. The patch is available at: