Virus: Worm/Kelvir.DV
Date discovered: 14/10/2005
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 110.592 Bytes
MD5 checksum: b08429322069d71be7e32f26cf419f6e
VDF version: 6.31.01.222

General
Method of propagation:
   • Messenger


Aliases:
   •  Symantec: W32.Spybot.Worm
   •  Mcafee: W32/Sdbot.worm.gen.i
   •  Kaspersky: Backdoor.Win32.Rbot.gen
   •  TrendMicro: WORM_RBOT.CLS
   •  Bitdefender: Backdoor.RBot.91D40E0C


Platforms / OS:
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file

Files
The following files are created:

%WINDIR%\winoi.exe
This file is executed after it has been fully created. Further investigation showed that this file is malware, too. Detected as: Worm/Rbot.81920.9

%malware execution directory%\msn.txt

Messenger
It spreads via Messenger. The characteristics are described below:

– Windows Live Messenger
– Windows Messenger


To:
All online contacts in the contact list.


Message
The sent message looks like one of the following:

   • hey
     its you!
     %link%


%link%
The wildcard stands for the following URL:
   • http://www.ymcg.**********/gallery/pictures.php?email=%receiver's email address%

The URL then refers to a copy of the described malware. If the user downloads and executes this file, the infection process starts again.

File details
Programming language:
The malware program was written in Visual Basic.

Description inserted by Iulia Diaconescu on Friday, October 14, 2005
Description updated by Iulia Diaconescu on Thursday, October 20, 2005
