Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Win32
  • Protection Added: 2006-05-11
W32/Kittykat is a proof of concept, highly morphic RAR archive virus that splits itself into numerous parts, and adds these parts to any RAR archive files found in the current directory where the virus was executed.

Minimum Engine


File Length

Description Added


Description Modified


Malware Proliferation

W32/Kittykat arrives as an archive file containing the batch file "start.bat" and a randomly named folder.

This randomly named folder contains the virus which is split into numerous files, each about  3-10 bytes.

The archive needs to be extracted with the full directory structure, and the file "start.bat" is executed for the virus to run.

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


When W32/Kittykat is executed, it performs the following actions:

- Reconstructs itself from the numerous split parts using a set of batch files.

- Displays the following message to announce its presence.

- Searches and infects any RAR files in the current directory.


W32/Kittykat uses a set of batch files to reconstruct itself from the numerous split files.

If the archive containing the virus is extracted to a folder with a long filename, example: "C:\Documents and Settings" it fails to reconstruct itself due to a bug in handling long filenames.

It does not have its own RAR archiving engine and needs the archiving program WinRAR to be installed on the infected system to append itself to other RAR archives.