F-Secure Virus Descriptions : Kiray
Kiray is a simple mass-mailer written in Visual Basic. The worm
body is compressed with the Petite file compressor. The worm spreads
itself as a file named KIRAY.EXE with the following message:
Subject: Make peace not war
Body: The Lamers and Idiots Game
Attachment: Kiray.exe
The worm's EXE file has a Shockwave Flash animation file icon
that could tempt a user to run it. When the worm is run, it opens
the Outlook Address Book and sends itself to all e-mail addresses
found there.
The worm fails to send itself as an attachment if it was run from
a different folder than C:\Windows\Temp\ or the worm's file name
is different from KIRAY.EXE.
The worm then modifies the Registry. It writes its execution
string to the following key:
[HKCR\exefile\shell\open\command]
As a result, the worm's copy in the \Windows\Temp\ folder will be
activated every time an EXE file is started. The worm also
modifies system policies for network and Explorer in the Registry,
which makes the system hardly usable after a restart.
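Added example (not part of the F-Secure description): a triage check for the
handler hijack described above. It parses the text of a Registry export and
reports executable file classes whose shell\open\command default value is not
the stock "%1" %*. Checking comfile and batfile as well as exefile goes beyond
the page, and the sample export and the command string in it are constructed.

```python
import re

# Stock default value of <class>\shell\open\command for executable file classes.
EXPECTED = '"%1" %*'
# exefile is the key named in the description; comfile and batfile are an
# added generalization (assumption: same stock value, same hijack pattern).
WATCHED = {"exefile", "comfile", "batfile"}

KEY_RE = re.compile(
    r'^\[(?:HKEY_CLASSES_ROOT|HKCR)\\([^\\\]]+)\\shell\\open\\command\]$', re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

# Constructed sample export. The exact string Kiray writes is not given in the
# description; only the folder and file name below come from it.
SAMPLE = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Windows\\Temp\\KIRAY.EXE \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

def unescape(value):
    """Undo .reg string escaping (backslash before backslash or quote)."""
    return re.sub(r'\\(.)', r'\1', value)

def find_hijacked_handlers(reg_text):
    """Return {file_class: command} for watched classes with a non-stock handler."""
    findings, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A new key header: track it only if it is a watched open handler.
            m = KEY_RE.match(line)
            name = m.group(1).lower() if m else None
            current = name if name in WATCHED else None
            continue
        m = DEFAULT_RE.match(line)
        if current and m:
            command = unescape(m.group(1))
            if command.strip() != EXPECTED:
                findings[current] = command
    return findings

if __name__ == "__main__":
    for file_class, command in find_hijacked_handlers(SAMPLE).items():
        print(f"{file_class}: unexpected open command: {command}")
```

Registry exports in the "Windows Registry Editor Version 5.00" format are
UTF-16 encoded; decode them to text before passing them to the function.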
The worm has a payload: if it fails to send itself, it deletes
all files from the \Windows\, \Windows\System\, \Program
Files\Microsoft Office\ and \Program Files\Internet Explorer\
folders.
To disinfect the worm please use F-Secure Anti-Virus with the
latest updates. Then, before restarting the system, please run the
following REG file, which will fix the Registry patched by the worm:
ftp://ftp.europe.f-secure.com/anti-virus/tools/kiraydis.reg
[Analysis: Alexey Podrezov; F-Secure Corp.; October 22, 2001]