Aliases: Email-Worm.Win32.Kitro.a, I-Worm.Kitro.a, W32/[email protected], Win32.HLLM.Kitro.10, W32/Kitro-A
Variants: W32.Kitro.B.Worm, W32.Kitro.C.Worm, W32.Kitro.D.Worm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 15 Feb 2002
Damage: Medium

Characteristics: W32.Kitro.A.Worm belongs to the Kitro family of Internet worms, which are written in Delphi. These worms spread through email messages and through the Kazaa P2P network. They obtain email addresses from the .NET Messenger contact list and send infected messages to the addresses they find.

More details about W32.Kitro.A.Worm

W32.Kitro.A.Worm propagates through email, sending messages with varying subjects, bodies, and attached files. The messages are sent using direct SMTP access to the mail.hotmail.com server. There are different versions of this worm; this version spreads only by sending itself as an email attachment. It is an EXE file with a size of 220160 bytes.

The worm copies itself to two locations: c:\system32.exe and c:\archiv~1\psycho.scr. It also sets the copy located in the root directory of disk C: to start automatically when Windows starts. The worm gets information from the .NET Messenger contact list by reading “Permission” values, and it writes all collected addresses into a file named kiltro.dat in the current directory. The messages that the worm sends contain an attached file named Psycho.scr.
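The file artifacts listed above can be checked on a live drive or a mounted disk image. The following is an added example, not part of the original write-up; the function name, the prefix match used to resolve the short name archiv~1, and the whole-drive search for kiltro.dat are assumptions.

```python
import os

WORM_SIZE = 220160             # EXE size stated in the write-up
DROPPED_ROOT = "system32.exe"  # copy placed in the root of disk C:
DROPPED_SCR = "psycho.scr"     # copy placed under c:\archiv~1\
ADDRESS_FILE = "kiltro.dat"    # harvested addresses, written to the current directory

def _entries(path):
    """Map lower-cased entry names to real names; empty if the path is unreadable."""
    try:
        return {name.lower(): name for name in os.listdir(path)}
    except OSError:
        return {}

def find_kitro_artifacts(drive_root):
    """Return a sorted list of (path, reason) for files matching the write-up."""
    hits = []
    top = _entries(drive_root)

    def check(path, label):
        # Record the file and whether its size equals the documented 220160 bytes.
        if os.path.isfile(path):
            same = os.path.getsize(path) == WORM_SIZE
            hits.append((path, f"{label}, size {'matches' if same else 'differs'}"))

    if DROPPED_ROOT in top:
        check(os.path.join(drive_root, top[DROPPED_ROOT]), "root copy")
    # archiv~1 is an 8.3 short name; on a mounted image only long names are
    # listed, so (assumption) any top-level directory starting with "archiv"
    # is treated as a candidate.
    for low, real in top.items():
        folder = os.path.join(drive_root, real)
        if low.startswith("archiv") and os.path.isdir(folder):
            sub = _entries(folder)
            if DROPPED_SCR in sub:
                check(os.path.join(folder, sub[DROPPED_SCR]), "screensaver copy")
    # The "current directory" is not known in advance, so search the whole tree.
    for base, _dirs, files in os.walk(drive_root):
        for name in files:
            if name.lower() == ADDRESS_FILE:
                hits.append((os.path.join(base, name), "address list"))
    return sorted(hits)
```

A file named system32.exe in the drive root is worth reporting even when its size differs, since other variants of the worm exist.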

The W32.Kitro.A.Worm program might be obtained from another computer on the network, and it may spread through shared folders on the network. It may also arrive in e-mails unknown to the user, because the program conceals itself. The program may also be obtained by downloading over peer-to-peer (P2P) networks: when the user downloads and installs one of the falsely named files, the W32.Kitro.A.Worm program is placed on the computer's system.