Win32.Kitro.A@mm

MEDIUM
VERY LOW
Size: 220160 bytes
Also known as: I-Worm.Kitro (KAV)

Symptoms

  • Files c:\system32.exe and C:\Archivos de programa\psycho.scr
  • File kiltro.dat
  • Files c:\windat.vxd and c:\windat.dll

Removal instructions:

  1. If you don't have BitDefender installed click here to download an evaluation version;

  2. Make sure that you have the latest updates using BitDefender Live!;

  3. Make the following changes in the Windows registry:

     Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry please read the FAQ.

     1. Select Run... from Start, then type regedit and press Enter;

     2. Delete the following key:
        HKCU\Software\Microsoft\Windows\CurrentVersion\Run\msn

  4. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Kitro.A@mm.
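The manual registry step above can be checked and scripted offline. The following Python example is added here and is not BitDefender's code: it parses a REGEDIT4-style text export (a constructed sample, not a real capture), flags the autostart entry the advisory names (value `msn` under the HKCU Run key pointing at c:\system32.exe), and emits a .reg fragment that deletes just that value using the standard `"name"=-` deletion syntax. The key and value names come from this page; the export format handling and the sample's benign second entry are the example's own assumptions.

```python
import re

# Constructed sample of a Windows 9x-style REGEDIT4 export (not from the page).
# Only the "msn" value under Run is the indicator the advisory describes; the
# second value is a benign entry added so the filter has something to ignore.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msn"="c:\\system32.exe"
"SomeLegitTool"="C:\\Program Files\\Tool\\tool.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
KITRO_VALUE_NAME = "msn"          # value name the worm registers (from the advisory)
KITRO_PAYLOAD = r"c:\system32.exe"  # data the value points at (from the advisory)


def parse_reg_export(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor' text export into
    {key_path: {value_name: data}}. Quoted REG_SZ data has its .reg escaping
    (\\\\ and \\") undone; other value types are kept as their raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.upper().startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = re.sub(r'\\(.)', r'\1', data[1:-1])  # unescape REG_SZ data
            keys[current][name] = data
    return keys


def find_kitro_persistence(keys):
    """Return (value_name, data) pairs under the HKCU Run key that match the
    worm's autostart indicator, by value name or by target path."""
    run = keys.get(RUN_KEY, {})
    return [(name, data) for name, data in run.items()
            if name.lower() == KITRO_VALUE_NAME or data.lower() == KITRO_PAYLOAD]


def removal_reg_fragment(hits):
    """Build a REGEDIT4 fragment that deletes only the flagged values.
    In .reg syntax, "name"=- removes a value when the file is imported."""
    if not hits:
        return ""
    lines = ["REGEDIT4", "", f"[{RUN_KEY}]"]
    lines += [f'"{name}"=-' for name, _ in hits]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_kitro_persistence(parse_reg_export(SAMPLE_REG_EXPORT))
    print("Kitro autostart entries:", found)
    print(removal_reg_fragment(found), end="")
```

Run the script against a real export (`regedit /e run.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"`) to confirm the entry before touching the registry; the emitted fragment removes only the `msn` value and leaves the other Run entries alone, which is the "modify only the values that are specified" caution made explicit.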

Analyzed By

Costin Ionescu, BitDefender Virus Researcher

Technical Description:

This is an Internet worm that spreads by e-mailing itself to all the contacts in the .NET Messenger Service. The file is an executable compressed with UPX and written in Delphi, with an uncompressed size of about 500K.

The file comes as an attachment named psycho.scr in an e-mail with the following format:

From: Droga Virtual
Subject: La Droga Virtual

Body:

Hey, Droga Virtual... Pues con este Protector de pantalla podras alucinar
como si estubieses bajo el LSD ademas del Peyote.

Ya no hace falta gastar dinero para ver colores e imagenes de otra
dimension.

Vamos unete a los psicoticos de la red, pero Atencion, no dejes la
mariguana!!!.

Attachment: psycho.scr
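The sender, subject and attachment name listed above are stable indicators that a mail gateway or mailbox sweep can match on. The following Python example is added here and is not BitDefender's code: it parses a constructed RFC 822 message that reproduces the advisory's format (the addresses, boundary and attachment bytes are invented placeholders, not a real capture) and reports which Kitro indicators are present. The generic check for any executable-type attachment (.scr, .exe, .pif, .com) goes beyond the page and is the example's own addition.

```python
import email
from email import policy

# Constructed sample message in the format the advisory describes. The
# addresses, boundary and attachment content are placeholders, not a capture.
SAMPLE_KITRO_MAIL = b"""From: Droga Virtual <droga@example.invalid>
To: victim@example.invalid
Subject: La Droga Virtual
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="iso-8859-1"

Hey, Droga Virtual... Pues con este Protector de pantalla podras alucinar
como si estubieses bajo el LSD ademas del Peyote.

--b1
Content-Type: application/octet-stream; name="psycho.scr"
Content-Disposition: attachment; filename="psycho.scr"
Content-Transfer-Encoding: base64

TVoAAA==
--b1--
"""

# Indicators taken from the advisory (compared case-insensitively).
KITRO_SUBJECT = "la droga virtual"
KITRO_SENDER = "droga virtual"
KITRO_ATTACHMENT = "psycho.scr"
# Generic executable extensions: an assumption of this example, not from the page.
EXECUTABLE_EXTENSIONS = (".scr", ".exe", ".pif", ".com")


def classify_message(raw):
    """Return the list of indicator tags found in a raw message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg.get("Subject") or "").strip().lower()
    sender = str(msg.get("From") or "").lower()
    if subject == KITRO_SUBJECT:
        hits.append("subject")
    if KITRO_SENDER in sender:
        hits.append("sender")
    # iter_attachments() yields only parts marked Content-Disposition: attachment
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == KITRO_ATTACHMENT:
            hits.append("attachment:psycho.scr")
        elif name.endswith(EXECUTABLE_EXTENSIONS):
            hits.append("attachment:executable")
    return hits


def is_kitro(raw):
    """Verdict: the known attachment name alone is conclusive; otherwise require
    both the subject and the sender display name to match."""
    hits = set(classify_message(raw))
    return "attachment:psycho.scr" in hits or {"subject", "sender"} <= hits


if __name__ == "__main__":
    print(classify_message(SAMPLE_KITRO_MAIL))  # tags found in the sample
    print("verdict:", is_kitro(SAMPLE_KITRO_MAIL))
```

Feed `classify_message` the raw bytes of each message (for example from an mbox iterated with the `mailbox` module); the `attachment:executable` tag is worth alerting on by itself, since a screen-saver file arriving by mail is the whole delivery mechanism here.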


If the user executes the attachment, it registers itself as a service (using a specific API function for Windows 95/98/ME) and then copies itself to c:\system32.exe and C:\Archivos de programa\psycho.scr (this second copy will only work on the Spanish version of Windows).

It registers the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\msn
with the value "c:\system32.exe"
so that it is restarted every time the victim logs on.

It creates the file kiltro.dat containing all the names in the .NET Messenger Service contact list. An e-mail is sent to all those addresses when the user connects to the Internet through Dial-Up.

If the e-mails are sent, and the month is between April and December, the virus shows some message boxes with the title KILTRO * MSNWorm and the texts:
- Programado en Santiago de Chile por 4D2
- ¡¡¡VIVA SUDAMERICA!!!, ¡¡¡VIVA SIN YANKIS INVASORES!!!
- GUERRA AL SIONISMO
- CRACKING, MARIGUANA & PsichoBilly
- N SALUO PARA MI TIA MONICA (QEPD) Y MIS AMIGOS DE SIEMPRE : EL JAQUE (QEPD), EL VENA, EL SOTO (QUE HACE EN ESPAÑA EL CAURO!!!), y pa mi compaire ALSINO',0
- SALUOS PAL ZayDun & Tuvoalvaci0 y pa mi amiga ANITA de TALCA