
Win32.Kitro.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Kitro.A@mm is also known as I-Worm.Kitro (KAV).

Explanation :

This is an Internet worm that spreads by e-mail to all the contacts in the .NET Messenger Service. The file is a Delphi executable compressed with UPX, with an uncompressed size of about 500K.

The worm arrives as an attachment named psycho.scr in an e-mail with the following format:
From: Droga Virtual
Subject: La Droga Virtual

Body:

Hey, Droga Virtual... Pues con este Protector de pantalla podras alucinar
como si estubieses bajo el LSD ademas del Peyote.

Ya no hace falta gastar dinero para ver colores e imagenes de otra
dimension.

Vamos unete a los psicoticos de la red, pero Atencion, no dejes la
mariguana!!!.


Attachment: psycho.scr

If the user executes the attachment, it registers itself as a service (using an API function specific to Windows 95/98/ME), then copies itself to c:\system32.exe and C:\Archivos de programa\psycho.scr (this second file will work only on Spanish versions of Windows).

It registers the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\msn
with the value "c:\system32.exe"
so that it is restarted every time the victim logs on.

It creates the file kiltro.dat with all the names in the .NET Messenger Service. An e-mail is sent to all those addresses when the user connects to the Internet through dial-up.

If the e-mails are sent, and the month is between April and December, the virus will show some message-boxes with the title KILTRO * MSNWorm and the texts:
- Programado en Santiago de Chile por 4D2
- ¡¡¡VIVA SUDAMERICA!!!, ¡¡¡VIVA SIN YANKIS INVASORES!!!
- GUERRA AL SIONISMO
- CRACKING, MARIGUANA & PsichoBilly
- N SALUO PARA MI TIA MONICA (QEPD) Y MIS AMIGOS DE SIEMPRE : EL JAQUE (QEPD), EL VENA, EL SOTO (QUE HACE EN ESPAÑA EL CAURO!!!), y pa mi compaire ALSINO',0
- SALUOS PAL ZayDun & Tuvoalvaci0 y pa mi amiga ANITA de TALCA
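
The mail and host indicators described above can be matched mechanically at a mail gateway or during triage. The following Python code is an added example, not BitDefender's; the function names, the sample message and the example.invalid addresses are constructed for illustration, and the Run values and file listing are assumed to have been exported from the host by other means.

```python
import email
import ntpath
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above (compared case-insensitively).
SUBJECT = "la droga virtual"
SENDER_NAME = "droga virtual"
ATTACHMENT = "psycho.scr"
RUN_VALUE = ("msn", r"c:\system32.exe")  # value name and data under HKCU ...\Run
DROPPED = {r"c:\system32.exe", r"c:\archivos de programa\psycho.scr"}


def check_message(raw: bytes) -> list[str]:
    """Return the mail indicators present in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip().lower() == SUBJECT:
        hits.append("subject")
    if SENDER_NAME in str(msg.get("From", "")).lower():
        hits.append("sender")
    for part in msg.iter_attachments():
        if ntpath.basename(part.get_filename() or "").strip().lower() == ATTACHMENT:
            hits.append("attachment")
    return hits


def check_host(run_values: dict[str, str], paths: list[str]) -> list[str]:
    """Match exported HKCU Run values and a file listing against the host indicators."""
    hits = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE[0] and data.strip('" ').lower() == RUN_VALUE[1]:
            hits.append("run-key")
    for path in paths:
        low = path.lower()
        # The page gives no directory for kiltro.dat, so match it by file name only.
        if low in DROPPED or ntpath.basename(low) == "kiltro.dat":
            hits.append("file:" + low)
    return hits


def sample_message() -> bytes:
    """Constructed sample mail; the attachment is placeholder bytes, not the worm."""
    m = EmailMessage()
    m["From"] = "Droga Virtual <sender@example.invalid>"
    m["To"] = "user@example.invalid"
    m["Subject"] = "La Droga Virtual"
    m.set_content("constructed body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="psycho.scr")
    return m.as_bytes()
```
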

Last update 21 November 2011

 
