Kelvir is an IM (Instant Messenger) worm that spreads by sending a link to its file using MSN Messenger. The worm also tries to download and run a file from Internet.
To get rid of this worm it is enough to delete its file from a hard disk. The latest versions of F-Secure Anti-Virus can automatically disable (rename) the worm's infected file. If automatic disinfection fails, please select 'Delete' disinfection action for the worm's file when it is detected. Instructions are here:
Please restart a computer after disinfection.
The worm's file is a PE executable about 49 kilobytes long. The file is packed with a file compressor. The worm is written in Visual Basic.
The worm's file usually arrives on a computer with the MSN instant message message that looks like that:
lol! see it! u'll like it
The message contains a link that points to the worm's file named 'omg.pif' located on the 'home.earthlink.net' webserver. When this file is downloaded and run by a user, it infects a computer and continues its spreading cycle by sending instant messages to all found MSN Messenger contacts.
Additionally the worm tries to download the following file:
This file is saved to the root of C:\ drive as 'dumprep.exe' and is then executed. The downloaded file is a variant of RBot backdoor and it is detected as 'Backdoor.Win32.Rbot.kp'. At the moment of the creation of this description the 'me.jpg' file was not accessible any longer.
Detection for Backdoor.Win32.Rbot.kp was published on March 7th, 2005 in the following
F-Secure Anti-Virus updates:
Detection for Kelvir.B as published on March 7th, 2005 in the following F-Secure Anti-Virus
Technical Details: Alexey Podrezov, March 7th, 2005