Virus Database


Script.Inf

Description Script.Inf
Script.Inf is a script virus that infects Windows INF files. These INF files contain the information that is used when installing new software or upgrading already installed programs. They are activated by choosing the "Install" item in the context menu of Windows Explorer. To replicate itself, the virus uses the special script language that is used in INF files.
When software with an infected INF file is being installed, Windows looks for the INF file in the package, opens it and processes its instructions, including the virus script commands. When activated, the virus code creates the VXER.TXT file, copies the host file to it and appends several DOS commands to the end of the AUTOEXEC.BAT file. On reboot, these commands search for the first *.INF file in the Windows\Inf directory on the current drive and overwrite it with the virus code that was stored in the VXER.TXT file.


I-Worm.Kiray

Description I-Worm.Kiray

This is a worm virus that spreads via the Internet using Microsoft Outlook. The worm appears as an email message with the attached file Kiray.EXE.
When the EXE file is run, the worm modifies some of the keys in the system registry:
HKCR\exefile\shell\open\command\""="c:\windows\temp\Kiray.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop=1
NoDrives=1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoNetSetup=1
This allows the worm to run its routine whenever any EXE file is run. After the system is restarted, all icons on the "Desktop" and the disk icons in "My computer" are hidden.
Then the worm uses MAPI to spread itself via e-mail, by creating messages to all recipients in the Outlook address book:
Subject: Please make peace not war
Body message: The Lamers and Idiots Game
Attach: Kiray.exe

The worm also tries to check the Windows Address Book (WAB), which is registered in the system registry:
HKEY_CURRENT_USER\Software\Microsoft\WAB
Finally, the worm tries to remove all files in the following directories:
c:\windows\*.*
c:\windows\system\*.*
c:\Program Files\Microsoft Office\*.*
c:\Program Files\Internet Explorer\*.*
The worm is only fully functional if the user saves the attachment to the C:\WINDOWS\TEMP directory. Otherwise the worm cannot spread correctly from the infected machine, because its message is sent without the attached EXE file.

I-Worm.Kitro.a

Description I-Worm.Kitro.a

Kitro is a family of Internet worms. They spread using infected e-mail messages and the Kazaa peer-to-peer network. All versions of the worm obtain e-mail addresses from the .NET Messenger contact list and send infected messages to these addresses.
Messages sent by these worms may have different subjects, bodies, and attached files. They are sent using direct SMTP access to the "mail.hotmail.com" server.
This version of the worm is able to spread only by sending itself in e-mail attachments. The worm is an EXE file 220160 bytes in size.
Installation
The worm copies itself to the following locations:
c:\system32.exe
c:\archiv~1\psycho.scr
The worm also sets the copy located in the root directory of disk C: to start automatically with Windows by writing the following registry key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msn"="c:\system32.exe"
The worm gathers information about .NET Messenger contact recipients by reading "Permission" values from the following registry key:
[HKEY_CURRENT_USER\Software\Microsoft\MessengerService\ListCache\.NET Messenger Service]
Value names: Allow0, Allow1, etc.
It writes all gathered addresses into a file named kiltro.dat in the current directory. Messages sent by the worm contain an attached file named Psycho.scr. If the worm finds that a copy of itself is already installed in the system, it hides the system tray window and shows some messages.
Other
The worm creates the following text files:
c:windat.vxd
c:windat.dll
with the following contents:
Programado en Santiago de Chile por ErGrone
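
The registry changes listed in the I-Worm.Kiray and I-Worm.Kitro.a descriptions above can be checked offline against a registry export. The following is an added example, not code from this database: it parses REGEDIT export text and reports which of those values are present. The function names and the sample export are constructed for illustration, and the comparison value `"%1" %*` (the standard Windows handler for EXE files) is an assumption that does not come from the descriptions.

```python
import re

CV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
# (key, value name, test on the data, label); values come from the descriptions above,
# except '"%1" %*', the standard Windows exefile handler (assumption, not on the page).
INDICATORS = [
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@",
     lambda d: d != '"%1" %*', "Kiray: exefile open command changed"),
    (CV + r"\Policies\Explorer", "NoDesktop", lambda d: d == 1, "Kiray: NoDesktop=1"),
    (CV + r"\Policies\Explorer", "NoDrives", lambda d: d == 1, "Kiray: NoDrives=1"),
    (CV + r"\Policies\Network", "NoNetSetup", lambda d: d == 1, "Kiray: NoNetSetup=1"),
    (CV + r"\Run", "msn", lambda d: str(d).lower() == r"c:\system32.exe",
     "Kitro.a: Run value msn"),
]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unescape(s):  # .reg strings escape backslashes and quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse REGEDIT export text into {key: {value_name: data}}, names lowercased."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and m:
            name, raw = m.groups()
            name = "@" if name == "@" else unescape(name[1:-1]).lower()
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                current[name] = unescape(raw[1:-1])
    return keys

def find_indicators(text):
    """Return the labels of all indicators whose value is present and matches."""
    keys = parse_reg(text)
    return [label for key, name, bad, label in INDICATORS
            if name.lower() in keys.get(key.lower(), {})
            and bad(keys[key.lower()][name.lower()])]

# Constructed sample export (not taken from a real machine)
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\windows\\temp\\Kiray.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001
"NoDrives"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msn"="c:\\system32.exe"
'''
print(find_indicators(SAMPLE))
```

A hit on the `exefile` handler means only that the value differs from the standard one, so it needs manual review before it is attributed to this worm.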

    Copyright © 2005 Virus-Database.com