Kiray is a simple mass-mailing worm written in Visual Basic. The worm body is compressed with the Petite file compressor.
To disinfect, use F-Secure Anti-Virus with the latest updates. Then, before restarting the system, run the following REG file, which restores the Registry values patched by the worm:
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect it from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The worm spreads itself as a file named KIRAY.EXE attached to the following message:
Subject: Make peace not war
Body: The Lamers and Idiots Game
Attachment: Kiray.exe
The worm's EXE file uses the icon of a Shockwave Flash animation file, which could tempt a user to run it. When run, the worm opens the Outlook Address Book and sends itself to every email address found there.
The worm fails to send itself as an attachment if it is run from any folder other than C:\Windows\Temp\ or under any file name other than KIRAY.EXE.
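As an added example (not part of the F-Secure description and not the worm's own code), the following Python script shows how a mail gateway could flag messages carrying the indicators listed above. The sample messages and the minimal PE-shaped attachment are constructed inline. The check on the attachment's MZ/PE header is an assumption about how a practitioner would still catch the executable if the attachment were renamed or given a misleading extension; the description itself only states the subject, body and attachment name.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
KIRAY_SUBJECT = "Make peace not war"
KIRAY_BODY = "The Lamers and Idiots Game"
KIRAY_ATTACHMENT = "kiray.exe"  # compared case-insensitively


def is_pe_executable(data: bytes) -> bool:
    """True if the bytes carry an MS-DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature.

    Assumption: a gateway should judge an attachment by its content, not by its
    name or icon, so this catches a renamed copy of the worm as well.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def kiray_indicators(raw_message: bytes) -> list[str]:
    """Return the list of Kiray indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip() == KIRAY_SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and KIRAY_BODY in body.get_content():
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name == KIRAY_ATTACHMENT:
            hits.append("attachment-name")
        if is_pe_executable(payload):
            hits.append("attachment-is-pe")
    return hits


def should_block(hits: list[str]) -> bool:
    """Block on the attachment itself; the subject and body alone are only corroboration."""
    return "attachment-name" in hits or "attachment-is-pe" in hits


def fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: MZ stub, e_lfanew = 0x40, PE signature at 0x40."""
    header = bytearray(0x44)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


def _base_message(subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "victim@example.invalid"
    msg["To"] = "friend@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_kiray_sample() -> bytes:
    """Constructed message matching the description: subject, body and Kiray.exe attachment."""
    msg = _base_message(KIRAY_SUBJECT, KIRAY_BODY)
    msg.add_attachment(fake_pe(), maintype="application", subtype="octet-stream",
                       filename="Kiray.exe")
    return msg.as_bytes()


def build_renamed_sample() -> bytes:
    """Constructed variant: same executable content, but named like the Flash file it pretends to be."""
    msg = _base_message("Funny animation", "Have a look at this.")
    msg.add_attachment(fake_pe(), maintype="application", subtype="x-shockwave-flash",
                       filename="game.swf")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed benign message with a real (non-PE) Flash attachment."""
    msg = _base_message("Funny animation", "Have a look at this.")
    msg.add_attachment(b"FWS\x0a" + b"\x00" * 16, maintype="application",
                       subtype="x-shockwave-flash", filename="game.swf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, builder in (("kiray", build_kiray_sample), ("renamed", build_renamed_sample),
                           ("benign", build_benign_sample)):
        hits = kiray_indicators(builder())
        print(f"{label:8s} indicators={hits} block={should_block(hits)}")
```

The renamed sample shows why the header check matters: the subject, body and file name all differ from the description, yet the attachment is still an executable and is blocked on that basis alone.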
The worm then modifies the Registry, writing its execution string to the following key:
As a result, the worm's copy in the \Windows\Temp\ folder is activated every time an EXE file is started. The worm also modifies the system policies for Network and Explorer in the Registry, which leaves the system barely usable after a restart.
The worm also carries a destructive payload: if it fails to send itself (for example because it was run from a different folder or under a different file name), it deletes all files from the \Windows\, \Windows\System\, \Program Files\Microsoft Office\ and \Program Files\Internet Explorer\ folders.