I-Worm.Kiray
Description I-Worm.Kiray
This is a worm virus that spreads via the Internet using Microsoft Outlook. The worm appears as an email message with the attached file Kiray.EXE.
When the EXE-file is run the worm modify some of the keys in the system registry:
HKCRexefileshellopencommand""="c:windows empKiray.exe"
HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoDesktop=1
NoDrives=1
HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesNetworkNoNetSetup=1
This allows the worm to run its routine when running any EXE-file and after restarting the system, all icons from "Desktop" and disks icons from "My computer" are hidden.
Then the worm uses MAPI to spread itself via e-mail, by creating messages to all recipients in the Outlook address book:
Subject: Please make peace not war
Body message: The Lamers and Idiots Game
Attach: Kiray.exe
The worm also tries to check Windows Address Book (WAB) which is registered in the system registry:
HKEY_CURRENT_USERSoftwareMicrosoftWAB
Finally the worm tries to remove all files in the following directories:
c:windows*.* c:windowssystem*.* c:Program FilesMicrosoft Office*.* c:Program FilesInternet Explorer*.*
The worm is only fully functional if the attachment is saved by the user to C:WINDOWSTEMP directory. Otherwise the worm cannot spread correctly from the infected machine, as the worm's message is sent without the attached exe. file.
Check other viruses! Be aware! Use Antiviral Software
Sarov.1400
Description Sarov.1400
This is a harmless memory resident parasitic polymorphic virus. It hooks INT 1, 8, 9, 21h and writes itself to the end of COM files that are accessed with DOS calls FindFirst/Next. By hooking INT 1 (tracer) the virus disables the tracing their code. By hooking INT 8 (timer) the virus change the floppy disk status, and calls the keyboard effect: by hooking INT 9 the virus 'skips' some keys that are pressed. The virus contain the text stings:
BIL_92_Sarov
Satana family
Description Satana family
These are dangerous memory resident parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are executed or opened. On 11th of November the viruses overwrite the files with a message in Russian. The viruses also contain the text string:
SATANA 666 (C) EA inc.
|