I-Worm.Kitro. Viruses Information
Name: I-Worm.Kitro.
Category: Viruses
Description:
Details
I-Worm.Kitro.d
Kitro is a family of Internet worms. They spread using infected e-mail messages and the Kazaa peer-to-peer network. All versions of the worm obtain e-mail addresses from the .NET Messenger contact list and send infected messages to these addresses.
Messages sent by these worms may have different subjects, bodies, and attached files. They are sent using direct SMTP access to the "mail.hotmail.com" server.
This version of the worm is similar to I-Worm.Kitro.b. It is a Control Panel applet 169984 bytes in size.
Installation
The worm copies itself to the Windows directory with the following names:
PostalDeAmistad.pif
Cristo_Nos_Enseña.Doc.pif
Listado.txt.by.Microsoft.com
List.txt.by.Microsoft.com
PostalDeAmistad.pif
Facturas556.XLS.pif
EnLosAndes.pif
YaNoPuedoSerYoMismo.DOC.pif
ReparacionDeMessenger.DOC.pif
TestDeAmoryAmistad.DOC.pif
Once this is done the worm executes one of its copies in the Windows directory. It also randomly selects several of its copies and sets them up to be executed when Windows starts by writing the following autorun keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BNexe" = (one of the file names above)
"Zonavirus" = (path to the worm's copy)
Depending upon internal conditions, the Zonavirus value may be overwritten with the current time value.
The worm also copies itself to the following locations:
c:\zonavirus.Dll
C:\Bn.exe
Replication via the Kazaa network
The worm copies itself to the Kazaa shared directory, or to the C:\ root directory if the former doesn't exist.
Kitro also overwrites all files in the Kazaa shared directory with its copies and sets one of the overwritten files up to load when Windows starts by writing the following registry value:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KAZAAkCuF9" = (Overwritten file's name)
Replication via e-mail messages
The e-mail replication routine of this worm variant is similar to that of its previous versions. The worm sends its copies in e-mail attachments to the recipients of the .NET Messenger contact list. The messages that contain the worm may have various subjects and bodies.
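A defender-side check built from the indicators above, as an added example that is not part of the original description: it scans the text of a registry export (.reg) for the Run values and file names the worm is described as writing. The double-extension rule goes beyond the names listed on the page, the function and constant names are hypothetical, and the sample export is constructed.

```python
import ntpath
import re

# Indicators copied from the description above (compared case-insensitively).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAMES = {"bnexe", "zonavirus", "kazaakcuf9"}
DROPPED_NAMES = {n.lower() for n in (
    "PostalDeAmistad.pif", "Listado.txt.by.Microsoft.com", "List.txt.by.Microsoft.com",
    "Facturas556.XLS.pif", "EnLosAndes.pif", "YaNoPuedoSerYoMismo.DOC.pif",
    "ReparacionDeMessenger.DOC.pif", "TestDeAmoryAmistad.DOC.pif",
    "zonavirus.Dll", "Bn.exe")}
# Generalisation (not from the page): document extension hiding an executable one.
# It also covers listed names that contain non-ASCII characters.
DOUBLE_EXT = re.compile(r"\.(doc|xls|txt|jpg|pdf)\.(pif|scr|exe|com|bat)$", re.I)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def scan_reg_export(text):
    """Return (value name, data, reasons) for suspicious HKLM Run values."""
    findings, in_run_key = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY
            continue
        m = VALUE_LINE.match(line)
        if not (in_run_key and m):
            continue
        data = m["data"].replace("\\\\", "\\")   # .reg files double backslashes
        base = ntpath.basename(data).lower()
        # The name check still fires when Zonavirus holds a time value, not a path.
        checks = {
            "run value name": m["name"].lower() in RUN_VALUE_NAMES,
            "dropped file name": base in DROPPED_NAMES,
            "double extension": bool(DOUBLE_EXT.search(base)),
        }
        reasons = [why for why, hit in checks.items() if hit]
        if reasons:
            findings.append((m["name"], data, reasons))
    return findings

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
"BNexe"="EnLosAndes.pif"
"Zonavirus"="C:\\WINDOWS\\Facturas556.XLS.pif"
"Updater"="C:\\Users\\a\\Informe.doc.pif"
"KAZAAkCuF9"="song.mp3"
[HKEY_CURRENT_USER\Software\Example]
"BNexe"="unrelated"
'''
```

Calling `scan_reg_export(SAMPLE)` flags four of the five Run values and ignores the identically named value under the unrelated key.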