Threat description


Category: Malware
Type: Worm
Platform: W32


Kelvir is an IM (Instant Messenger) worm that spreads by sending a link to its file using MSN Messenger. The worm also tries to download and run a file from Internet.


To get rid of this worm it is enough to delete its file from a hard disk. The latest versions of F-Secure Anti-Virus can automatically disable (rename) the worm's infected file. If automatic disinfection fails, please select 'Delete' disinfection action for the worm's file when it is detected. Instructions are here:

Please restart a computer after disinfection.

Technical Details




The worm's file is a PE executable about 49 kilobytes long. The file is packed with a file compressor. The worm is written in Visual Basic.

The worm's file usually arrives on a computer with the MSN instant message message that looks like that:

lol! see it! u'll like it

The message contains a link that points to the worm's file named 'omg.pif' located on the '' webserver. When this file is downloaded and run by a user, it infects a computer and continues its spreading cycle by sending instant messages to all found MSN Messenger contacts.

Additionally the worm tries to download the following file:

This file is saved to the root of C:\ drive as 'dumprep.exe' and is then executed. The downloaded file is a variant of RBot backdoor and it is detected as ''. At the moment of the creation of this description the 'me.jpg' file was not accessible any longer.


Detection for was published on March 7th, 2005 in the following F-Secure Anti-Virus updates: Detection Type:PC

Detection for Kelvir.B as published on March 7th, 2005 in the following F-Secure Anti-Virus updates: Detection Type:PC

Technical Details: Alexey Podrezov, March 7th, 2005


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More