Kiray is a simple mass-mailer written in Visual Basic. The worm body is compressed with the Petite file compressor.
To disinfect the worm, use F-Secure Anti-Virus with the latest updates. Then, before restarting the system, run the following REG file, which fixes the Registry changes made by the worm:
The worm spreads itself as a KIRAY.EXE file with the following message:
Subject: Make peace not war
Body: The Lamers and Idiots Game
Attachment: Kiray.exe
The worm's EXE file has a Shockwave Flash animation file icon, which could tempt a user to run it. When the worm is run, it opens the Outlook Address Book and sends itself to all email addresses found there.
The worm fails to send itself as an attachment if it is run from a folder other than C:\Windows\Temp\ or if its file name is not KIRAY.EXE.
The worm then modifies the Registry. It writes its execution string to the following key:
As a result, the worm's copy in the \Windows\Temp\ folder is activated every time an EXE file is started. The worm also modifies the system policies for network and Explorer in the Registry, which makes the system hardly usable after a restart.
The worm has a payload: if it fails to send itself, it deletes all files from the \Windows\, \Windows\System\, \Program Files\Microsoft Office\ and \Program Files\Internet Explorer\ folders.