Threat Description

Kelvir

Details

Category: Malware
Type: Worm
Platform: W32
Aliases: Kelvir, IM-Worm.Kelvir.A

Summary


Kelvir is an IM (Instant Messenger) worm that spreads by sending a link to its file using MSN Messenger. The worm also tries to download and run a file from Internet.



Removal


To get rid of this worm it is enough to delete its file from a hard disk. The latest versions of F-Secure Anti-Virus can automatically disable (rename) the worm's infected file. If automatic disinfection fails, please select 'Delete' disinfection action for the worm's file when it is detected. Instructions are here:

https://support.f-secure.com/enu/home/virusproblem/howtoclean/howtodeleteinfec...

Please restart a computer after disinfection.



Technical Details



Variant:IM-Worm.Kelvir.B


Variant:W32/Kelvir.B

Size:49011

The worm's file is a PE executable about 49 kilobytes long. The file is packed with a file compressor. The worm is written in Visual Basic.

The worm's file usually arrives on a computer with the MSN instant message message that looks like that:

lol! see it! u'll like it

The message contains a link that points to the worm's file named 'omg.pif' located on the 'home.earthlink.net' webserver. When this file is downloaded and run by a user, it infects a computer and continues its spreading cycle by sending instant messages to all found MSN Messenger contacts.

Additionally the worm tries to download the following file:

http://home.earthlink.net/~gallery10/me.jpg

This file is saved to the root of C:\ drive as 'dumprep.exe' and is then executed. The downloaded file is a variant of RBot backdoor and it is detected as 'Backdoor.Win32.Rbot.kp'. At the moment of the creation of this description the 'me.jpg' file was not accessible any longer.



Detection


Detection for Backdoor.Win32.Rbot.kp was published on March 7th, 2005 in the following F-Secure Anti-Virus updates:

Detection Type: PC
Database: 2005-03-07_04

Detection for Kelvir.B as published on March 7th, 2005 in the following F-Secure Anti-Virus updates:

Detection Type: PC
Database: 2005-03-07_02



Technical Details:Alexey Podrezov, March 7th, 2005


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More