The self-extracting file is a PE executable, about 76K long. When run, it will create the Worm's folder:
C:\Program Files\RWNT3\
and place two files in there:
Fart.exe -- 19337 bytes long
rwnt3.exe -- 6778 bytes long
It will also drop copy of the Sdbot into %SYSTEM% directory. Then the worm will alter registry entries to ensure that the Sdbot is activated upon reboot. There is no entry that activates Kelvir.h after the system is restarted.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
"Microsoft MSN Services" = "MSts32.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Microsoft MSN Services" = "MSts32.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
"Microsoft MSN Services" = "MSts32.exe"
FSAV detects the dropper as component: Backdoor.Win32.SdBot.gen