Classification

Category: Malware

Type: -

Aliases: Kiray, I-Worm.Kiray, W95/Kiray

Summary


Kiray is a simple mass-mailer written in Visual Basic. The worm body is compressed with the Petite file compressor.

Removal


To disinfect the worm, use F-Secure Anti-Virus with the latest updates. Then, before restarting the system, run the following REG file, which fixes the Registry entries patched by the worm:

ftp://ftp.europe.f-secure.com/anti-virus/tools/kiraydis.reg

Technical Details


The worm spreads itself as the file KIRAY.EXE with the following message:

	Subject:	Make peace not war
	Body:		The Lamers and Idiots Game
	Attachment:	Kiray.exe

The worm's EXE file has a Shockwave Flash animation file icon that could tempt a user to run it. When the worm is run, it opens the Outlook Address Book and sends itself to all email addresses found there.

The worm fails to send itself as an attachment if it was run from a folder other than C:\Windows\Temp\ or if the worm's file name is different from KIRAY.EXE.

The worm then modifies the Registry. It writes its execution string to the following key:

 [HKCR\exefile\shell\open\command]

As a result, the worm's copy in the \Windows\Temp\ folder is activated every time an EXE file is started. The worm also modifies the system policies for network and Explorer in the Registry, which makes the system barely usable after a restart.
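A defender's check for the handler change described above, as an added example that is not part of the original description: it parses a text export of the Registry and reports executable file classes whose open command differs from the stock value "%1" %*. The sample exports and the infected command string are constructed for illustration (the description does not give the exact string the worm writes), and checking comfile and batfile goes beyond the exefile key the description names.

```python
import re

# Stock handler for executable file classes: run the clicked file with its arguments.
EXPECTED = '"%1" %*'
# The description names exefile only; comfile and batfile are an added generalization.
WATCHED = ("exefile", "comfile", "batfile")
STRING_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample exports (not taken from a real system or from the worm itself).
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
INFECTED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Windows\\Temp\\KIRAY.EXE \"%1\" %*"
'''

def unescape(value):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(["\\])', r'\1', value)

def parse_reg(text):
    # Returns {lowercased key path: {value name: string data}}; "@" is the default value.
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = STRING_VALUE.match(line)
            if m:  # dword: and hex: values are not needed here and are skipped
                name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
                current[name] = unescape(m.group(2))
    return keys

def find_hijacked_handlers(text):
    # Returns (file class, command) pairs whose open command is not the stock value.
    keys, findings = parse_reg(text), []
    for cls in WATCHED:
        path = "\\".join(("HKEY_CLASSES_ROOT", cls, "shell", "open", "command")).lower()
        command = keys.get(path, {}).get("@")
        if command is not None and command.strip() != EXPECTED:
            findings.append((cls, command))
    return findings

if __name__ == "__main__":
    print(find_hijacked_handlers(INFECTED_EXPORT))
```

Exports saved in the "Windows Registry Editor Version 5.00" format are UTF-16, so decode the file accordingly before passing its text to find_hijacked_handlers.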

The worm has a payload: if it fails to send itself, it deletes all files from the \Windows\, \Windows\System\, \Program Files\Microsoft Office\ and \Program Files\Internet Explorer\ folders.