Email-Worm.Win32.Kiray

Class Email-Worm
Platform Win32
Description

Technical Details

This is a worm that spreads via the Internet as an attachment to Microsoft Outlook messages. It arrives as an email message with the attached file Kiray.EXE.

When the EXE file is run, the worm modifies the following keys in the system registry:

HKCR\exefile\shell\open\command
""="c:\windows\temp\Kiray.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop=1
NoDrives=1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network
NoNetSetup=1

The first change makes the worm's copy run whenever any EXE file is launched (the default value of this key is the command Windows uses to start executables). The Explorer policies take effect after the system is restarted: all icons on the "Desktop" and all drive icons in "My Computer" are hidden. NoNetSetup disables the Network control panel applet.
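The registry changes above are the most reliable host artifacts to look for. The following is an added example (not code from the original entry or from any vendor tool): it parses a `.reg` export, such as the output of `reg export`, and reports any of the three modifications listed above. Only the key and value names come from the page; the function names, the stock `"%1" %*` command used as the expected default, and the two sample exports are this example's own constructions.

```python
"""Offline triage of a .reg export for the registry changes Kiray makes.

Added example, not part of the original encyclopedia entry. The two sample exports
below are constructed to mirror the keys the text lists; only the key and value names
are taken from the page, the function names and the expected default command are this
example's own assumptions.
"""

EXE_COMMAND_KEY = r"hkey_classes_root\exefile\shell\open\command"
DEFAULT_EXE_COMMAND = '"%1" %*'  # stock value: launch the clicked EXE itself with its arguments
POLICY_INDICATORS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer": ("NoDesktop", "NoDrives"),
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\network": ("NoNetSetup",),
}

# Constructed sample: what `reg export` of the affected keys could look like on an infected machine.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\windows\\temp\\Kiray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001
"NoDrives"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"NoNetSetup"=dword:00000001
'''

# Constructed sample of a clean machine: stock command, no restrictive policies present.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''


def _read_quoted(s, start=0):
    """Decode a .reg quoted string beginning at s[start] == '"'.

    Returns (text, index just past the closing quote). The .reg format escapes
    backslashes and double quotes with a leading backslash.
    """
    out, i = [], start + 1
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            out.append(s[i + 1])  # escaped character, keep it literally
            i += 2
        elif c == '"':
            return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError(f"unterminated string in .reg line: {s!r}")


def parse_reg(text):
    """Parse .reg text into {key_path_lowercased: {value_name: value}}.

    The default value is stored under '@'. REG_SZ values are unescaped, REG_DWORD
    becomes int, the '-' delete marker becomes None; other types are kept as raw text.
    Key paths are lowercased because the registry itself is case-insensitive.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.startswith("@"):
            name, rest = "@", line[1:]
        elif line.startswith('"'):
            name, end = _read_quoted(line)
            rest = line[end:]
        else:
            continue
        if not rest.startswith("="):
            continue
        value = rest[1:].strip()
        if value.startswith('"'):
            keys[current][name] = _read_quoted(value)[0]
        elif value.lower().startswith("dword:"):
            keys[current][name] = int(value[6:], 16)
        elif value == "-":
            keys[current][name] = None
        else:
            keys[current][name] = value
    return keys


def find_indicators(keys):
    """Return human-readable findings for each of the worm's registry changes that is present."""
    findings = []
    cmd = keys.get(EXE_COMMAND_KEY, {}).get("@")
    if isinstance(cmd, str) and cmd.strip().lower() != DEFAULT_EXE_COMMAND.lower():
        # Any non-default handler here means every EXE launched via Explorer goes through that file.
        findings.append(f"exefile open command hijacked: {cmd}")
    for key, names in POLICY_INDICATORS.items():
        for name in names:
            value = keys.get(key, {}).get(name)
            if value not in (None, 0):
                findings.append(f"{name}={value} set under {key}")
    return findings


def triage(text):
    """Parse a .reg export and return its findings (empty list means no indicators)."""
    return find_indicators(parse_reg(text))


if __name__ == "__main__":
    for label, sample in (("infected", INFECTED_REG), ("clean", CLEAN_REG)):
        print(label, triage(sample) or ["no indicators"])
```

`reg export` writes UTF-16 with a byte-order mark, so when reading a real export open the file with `encoding="utf-16"` before passing the text to `triage`. Reporting the actual command string, rather than a bare match, matters in practice: a non-default handler that is not `c:\windows\temp\Kiray.exe` still deserves a look, since other malware uses the same hijack.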

The worm then uses MAPI to spread itself via email, creating a message to every recipient in the Outlook address book:

Subject: Please make peace not war
Body: The Lamers and Idiots Game
Attach: Kiray.exe

The worm also looks up the Windows Address Book (WAB), whose location is registered in the system registry under:

HKEY_CURRENT_USER\Software\Microsoft\WAB

Finally, the worm tries to delete all files in the following directories:

c:\windows\*.*
c:\windows\system\*.*
c:\Program Files\Microsoft Office\*.*
c:\Program Files\Internet Explorer\*.*

The worm is only fully functional if the user saves the attachment to the C:\WINDOWS\TEMP directory, the path hard-coded in the exefile registry entry. Otherwise the worm cannot spread correctly from the infected machine: its message is sent without the attached EXE file. Because the exefile command now points at that path, launching any EXE file from Explorer also fails when Kiray.exe is not there, until the value is restored to its default of "%1" %*.