
Email-Worm.Win32.Kiray

Class Email-Worm
Platform Win32
Description

Technical Details

This is a worm virus that spreads via the Internet using Microsoft Outlook. The worm appears as an email message with the attached file Kiray.EXE.

When the EXE file is run, the worm modifies several keys in the system registry:


HKCR\exefile\shell\open\command
""="c:\windows\temp\Kiray.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop=1
NoDrives=1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network
NoNetSetup=1

As a result, the worm's routine runs whenever any EXE file is launched, and after the system is restarted all icons on the "Desktop" and the disk icons in "My Computer" are hidden.
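A check for the registry changes listed above, written as an added example (it is not part of the original description). It assumes the input is the text of a regedit export (.reg) taken from the suspect machine; the function names and the sample export are constructed for illustration, and `"%1" %*` is the stock Windows handler that the exefile open command is compared against.

```python
import re

EXE_KEY = r"hkey_classes_root\exefile\shell\open\command"
EXE_DEFAULT = '"%1" %*'  # stock Windows handler for .exe files
POL = r"hkey_current_user\software\microsoft\windows\currentversion\policies"
FLAGS = [(POL + r"\explorer", "NoDesktop"), (POL + r"\explorer", "NoDrives"),
         (POL + r"\network", "NoNetSetup")]

def _decode(raw):
    """Quoted data -> str, dword: -> int, anything else left as raw text."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return int(raw[6:], 16) if raw.lower().startswith("dword:") else raw

def parse_reg(text):
    """Parse .reg export text into {lowercased key path: {value name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif m and current is not None:
            name = "" if m.group(1) == "@" else _decode(m.group(1))
            current[name] = _decode(m.group(2))
    return keys

def find_indicators(keys):
    """Return (indicator, data) pairs for the registry changes described above."""
    hits = []
    cmd = keys.get(EXE_KEY, {}).get("")  # "" is the key's default value
    if isinstance(cmd, str) and cmd.strip() != EXE_DEFAULT:
        hits.append(("exefile-open-command", cmd))
    for key, name in FLAGS:
        value = keys.get(key, {}).get(name)
        if isinstance(value, int) and value != 0:
            hits.append((name, value))
    return hits

# Constructed sample export showing the state described above (not real data).
SAMPLE = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\windows\\temp\\Kiray.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001
"NoDrives"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"NoNetSetup"=dword:00000001
'''
```

Call `find_indicators(parse_reg(text))` on the export text; "Version 5.00" exports are UTF-16, so read the file with `encoding="utf-16"` first.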

Then the worm uses MAPI to spread itself via e-mail, by creating messages to all recipients in the Outlook address book:

Subject: Please make peace not war
Body message: The Lamers and Idiots Game
Attach: Kiray.exe

The worm also tries to check the Windows Address Book (WAB), which is registered in the system registry under:


HKEY_CURRENT_USER\Software\Microsoft\WAB

Finally the worm tries to remove all files in the following directories:


c:\windows\*.*
c:\windows\system\*.*
c:\Program Files\Microsoft Office\*.*
c:\Program Files\Internet Explorer\*.*

The worm is only fully functional if the user saves the attachment to the C:\WINDOWS\TEMP directory. Otherwise the worm cannot spread correctly from the infected machine, because its message is sent without the attached EXE file.
