To get rid of this worm it is enough to delete its file from a
hard disk. The latest versions of F-Secure Anti-Virus can
automatically disable (rename) the worm's infected file. If
automatic disinfection fails, please select 'Delete' disinfection
action for the worm's file when it is detected. Instructions are
here:
http://support.f-secure.com/enu/home/virusproblem/howtoclean/howtodeleteinfec...
Please restart a computer after disinfection.
The worm's file is a PE executable about 49 kilobytes long. The
file is packed with a file compressor. The worm is written in
Visual Basic.
The worm's file usually arrives on a computer with the MSN
instant message message that looks like that:
lol! see it! u'll like it
The message contains a link that points to the worm's file named
'omg.pif' located on the 'home.earthlink.net' webserver. When
this file is downloaded and run by a user, it infects a computer
and continues its spreading cycle by sending instant messages to
all found MSN Messenger contacts.
Additionally the worm tries to download the following file:
http://home.earthlink.net/~gallery10/me.jpg
This file is saved to the root of C:\ drive as 'dumprep.exe' and
is then executed. The downloaded file is a variant of RBot
backdoor and it is detected as 'Backdoor.Win32.Rbot.kp'. At the
moment of the creation of this description the 'me.jpg' file was
not accessible any longer.
Detection for Kelvir.B as published on March 7th, 2005 in the
following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2005-03-07_02
Detection for Backdoor.Win32.Rbot.kp was published on March 7th,
2005 in the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2005-03-07_04
Technical Details:
Alexey Podrezov, March 7th, 2005;
F-Secure Corporation
![](/images/pixel.gif"){kind=tracking}
