F-Secure Virus Descriptions : Kelvir.f
[Summary] | [Disinfection] | [Detection]
Kelvir.f is a worm that uses MSN Messenger to send out a link. The link
points to a site that hosts a self-extracting file, which installs
Kelvir.f together with a new Sdbot variant.
The self-extracting file is a PE executable, about 76K long. When
run, it creates the worm's folder:
C:\Program Files\RWNT3\
and place two files in there:
Fart.exe -- 19337 bytes long
rwnt3.exe -- 6778 bytes long
It also drops a copy of the Sdbot variant into the %SYSTEM% directory.
The worm then alters the registry so that the Sdbot component is
started on reboot; the entries below point to MSts32.exe. There is no
entry that starts Kelvir.f itself after the system is restarted.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"Microsoft MSN Services" = "MSts32.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft MSN Services" = "MSts32.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"Microsoft MSN Services" = "MSts32.exe"
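The three autostart values and the dropped files above are the indicators a responder would check on a suspect machine. The following Python script is an added example, not F-Secure's own tooling: it parses a `.reg` export of the Run/RunServices keys for the "Microsoft MSN Services" = "MSts32.exe" values, and matches a directory listing against the worm's folder and the two dropped files by name and size. The sample `.reg` text and file listing are constructed for the example; all function names are the example's own.

```python
import re

# Indicators taken from the description above (registry paths are
# case-insensitive, so everything is compared lower-cased).
PERSISTENCE_VALUE_NAME = "Microsoft MSN Services"
PERSISTENCE_VALUE_DATA = "MSts32.exe"
PERSISTENCE_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
}
WORM_DIR = r"c:\program files\rwnt3"
DROPPED_FILES = {"fart.exe": 19337, "rwnt3.exe": 6778}  # name -> size in bytes

_HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}


def normalize_key(key):
    """Map 'HKEY_LOCAL_MACHINE\\...' (reg export form) to 'hklm\\...'."""
    hive, _, rest = key.partition("\\")
    return (_HIVES.get(hive.upper(), hive) + "\\" + rest).lower()


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"="REG_SZ data" lines. Other value types are ignored.
    Returns {normalized_key: {value_name: data}}."""
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = normalize_key(m.group(1))
            values.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            # .reg escapes backslashes and quotes inside string data as \\ and \"
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            values[current][name] = data
    return values


def find_persistence(reg_text):
    """Return [(key, data)] for each autostart key above whose
    'Microsoft MSN Services' value runs MSts32.exe (bare name or full path)."""
    hits = []
    for key, vals in parse_reg_export(reg_text).items():
        if key not in PERSISTENCE_KEYS:
            continue
        for name, data in vals.items():
            if (name.lower() == PERSISTENCE_VALUE_NAME.lower()
                    and data.strip('"').lower().endswith(PERSISTENCE_VALUE_DATA.lower())):
                hits.append((key, data))
    return hits


def find_dropped_files(listing):
    """listing: iterable of (path, size_in_bytes), e.g. built with os.walk on the
    mounted disk. Flags anything inside the worm's folder, plus a file anywhere
    whose name and exact size both match one of the dropped files."""
    hits = []
    for path, size in listing:
        norm = path.replace("/", "\\").lower()
        name = norm.rsplit("\\", 1)[-1]
        in_worm_dir = norm.startswith(WORM_DIR + "\\")
        if in_worm_dir or DROPPED_FILES.get(name) == size:
            hits.append(path)
    return hits


# Constructed sample of `reg export` output for the example (not a real capture).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft MSN Services"="MSts32.exe"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft MSN Services"="MSts32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"""

# Constructed directory listing for the example (path, size in bytes).
SAMPLE_LISTING = [
    (r"C:\Program Files\RWNT3\Fart.exe", 19337),
    (r"C:\Program Files\RWNT3\rwnt3.exe", 6778),
    (r"C:\WINDOWS\system32\rwnt3.exe", 4096),  # same name, wrong size: not flagged
    (r"C:\WINDOWS\system32\calc.exe", 6778),   # same size, wrong name: not flagged
]

if __name__ == "__main__":
    for key, data in find_persistence(SAMPLE_REG_EXPORT):
        print(f"autostart entry: {key} -> {data}")
    for path in find_dropped_files(SAMPLE_LISTING):
        print(f"dropped file: {path}")
```

On a real machine the keys can be exported with the standard `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` command (and likewise for RunServices and the HKCU key); version 5.00 exports are UTF-16, so read them with `encoding="utf-16"` before passing the text to `find_persistence`. The parser deliberately handles only REG_SZ string values, which is all the page's indicators need.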
To get rid of this worm it is enough to delete its files from the
infected hard disk. The latest versions of F-Secure Anti-Virus can
automatically disable (rename) the worm's files. If automatic
disinfection fails, select the 'Delete' disinfection action for the
worm's files when they are detected. Instructions are here:
http://support.f-secure.com/enu/home/virusproblem/howtoclean/howtodeleteinfec...
Please restart the computer after disinfection.
FSAV detects the dropper as the component Backdoor.Win32.SdBot.gen.
Kelvir.f is detected with the following update:
[FSAV_Database_Version]
Version=2005-04-07_01
Technical Details:
Tzvetan Chaliavski, April 6th, 2005;
F-Secure Corporation