Kiray

ALIAS: I-Worm.Kiray, W95/Kiray

Summary

Kiray is a simple mass-mailer written in Visual Basic. The worm body is compressed with the Petite file compressor.

Additional Details

The worm spreads as a file named KIRAY.EXE attached to the following message:

Subject: Make peace not war
Body: The Lamers and Idiots Game
Attachment: Kiray.exe

The worm's EXE file has a Shockwave Flash animation file icon that could tempt a user to run it. When the worm is run, it opens the Outlook Address Book and sends itself to all e-mail addresses found there.

The worm fails to send itself as an attachment if it is run from a folder other than C:\Windows\Temp\ or if its file name is not KIRAY.EXE.

The worm then modifies the Registry. It writes its execution string to the following key:

[HKCR\exefile\shell\open\command]

As a result, the worm's copy in the \Windows\Temp\ folder is activated every time an EXE file is started. The worm also modifies the system policies for network and Explorer in the Registry, which makes the system hardly usable after a restart.
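
A defensive check for the EXE-handler hijack described above, as an added example that is not part of the original F-Secure description: it parses a REGEDIT4-style export and compares the default value of the key with the stock Windows value `"%1" %*`. The two sample exports and the infected command string are constructed for illustration; the page does not give the worm's exact execution string.

```python
import re

# Stock Windows default for HKCR\exefile\shell\open\command: run the clicked EXE itself.
EXPECTED = '"%1" %*'
# Assumption: the export was taken from the HKEY_CLASSES_ROOT view of the key.
KEY = r"hkey_classes_root\exefile\shell\open\command"

# Constructed sample exports (not taken from a real infected machine).
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
INFECTED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Windows\\Temp\\KIRAY.EXE \"%1\" %*"
'''

def parse_reg_defaults(text):
    """Map each key in a .reg export to its unescaped default (@) value."""
    defaults, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current and line.startswith('@="') and line.endswith('"'):
            # .reg files escape backslash and double quote with a backslash.
            defaults[current] = re.sub(r'\\(["\\])', r"\1", line[3:-1])
    return defaults

def check_exefile_handler(text):
    """Return (status, value) where status is 'ok', 'hijacked' or 'missing'."""
    value = parse_reg_defaults(text).get(KEY)
    if value is None:
        return ("missing", None)
    if value.strip() == EXPECTED:
        return ("ok", value)
    # Anything other than the stock value runs some other program first.
    return ("hijacked", value)

if __name__ == "__main__":
    for name, export in (("clean", CLEAN_EXPORT), ("infected", INFECTED_EXPORT)):
        print(name, check_exefile_handler(export))
```
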

The worm has a payload: if it fails to send itself, it deletes all files from the \Windows\, \Windows\System\, \Program Files\Microsoft Office\ and \Program Files\Internet Explorer\ folders.

To disinfect the worm, please use F-Secure Anti-Virus with the latest updates. Then, before restarting the system, run the following REG file, which repairs the Registry changes made by the worm:

ftp://ftp.europe.f-secure.com/anti-virus/tools/kiraydis.reg

[Analysis: Alexey Podrezov; F-Secure Corp.; October 22, 2001]