Classification

Category: Malware

Type: -

Aliases: Kiray, I-Worm.Kiray, W95/Kiray

Summary

Kiray is a simple mass-mailer written in Visual Basic. The worm body is compressed with the Petite file compressor.

Removal

To disinfect the worm, please use F-Secure Anti-Virus with the latest updates. Then, before restarting the system, please run the following REG file, which repairs the Registry keys patched by the worm:

ftp://ftp.europe.f-secure.com/anti-virus/tools/kiraydis.reg

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm spreads itself as a KIRAY.EXE file attached to the following message:

Subject: Make peace not war

Body: The Lamers and Idiots Game

Attachment: Kiray.exe

The worm's EXE file has a Shockwave Flash animation file icon that could tempt a user to run it. When the worm is run, it opens the Outlook Address Book and sends itself to all email addresses found there.

The worm fails to send itself as an attachment if it was run from a folder other than C:\Windows\Temp\ or if its file name is anything other than KIRAY.EXE.

The worm then modifies the Registry. It writes its execution string to the following key:

 [HKCR\exefile\shell\open\command]

As a result, the worm's copy in the \Windows\Temp\ folder is launched every time an EXE file is started. The worm also modifies the network and Explorer system policies in the Registry, which makes the system barely usable after a restart.
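The hijack of the EXE "open" command is the key a responder would verify before and after disinfection. The following check is an added example, not F-Secure's tool or the kiraydis.reg file: it parses a constructed .reg export (the command value is a placeholder built from the \Windows\Temp\KIRAY.EXE location the description gives), reports whether the value still matches the Windows default "%1" %*, and builds the .reg text that restores it.

```python
import re

# Windows default for HKCR\exefile\shell\open\command: run the EXE with its arguments.
EXEFILE_DEFAULT = '"%1" %*'
EXEFILE_KEY = r'HKEY_CLASSES_ROOT\exefile\shell\open\command'

# Constructed sample export, not a captured artifact; the path is a placeholder
# modelled on the \Windows\Temp\KIRAY.EXE copy the description mentions.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\TEMP\\KIRAY.EXE \"%1\" %*"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')


def unescape_reg(s):
    """Undo .reg string escaping (backslash escapes the next character)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def parse_reg_default_values(reg_text):
    """Return {key_path: default_value} for every key whose @= value is a string."""
    values, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if m and current:
            values[current] = unescape_reg(m.group(1))
    return values


def check_exefile_command(reg_text):
    """Classify the EXE open command as 'ok', 'hijacked' or 'missing'."""
    cmd = parse_reg_default_values(reg_text).get(EXEFILE_KEY)
    if cmd is None:
        return ('missing', None)
    return ('ok' if cmd.strip() == EXEFILE_DEFAULT else 'hijacked', cmd)


def restore_reg_fix():
    """Build .reg text that resets the key to the Windows default value."""
    return ('Windows Registry Editor Version 5.00\n\n'
            '[' + EXEFILE_KEY + ']\n'
            '@="\\"%1\\" %*"\n')
```

Running the check on an export taken before cleanup flags the placeholder path as a hijack, and running it on the output of restore_reg_fix() reports the default value as intact.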

The worm also has a destructive payload: if it fails to send itself, it deletes all files from the \Windows\, \Windows\System\, \Program Files\Microsoft Office\ and \Program Files\Internet Explorer\ folders.