Virus:Worm/Kelvir.ER
Date discovered:06/12/2005
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:147.456 Bytes
MD5 checksum:7abf8e8858675d81b139caa658a42bae
VDF version:6.32.01.11

 General
Method of propagation:
   • Messenger


Aliases:
   •  Kaspersky: IM-Worm.Win32.Kelvir.bm
   •  TrendMicro: WORM_KELVIR.DH
   •  VirusBuster: trojan Trojan.DR.Agent.SI


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file

 Files
It deletes the initially executed copy of itself.



The following files are created:

– A temporary file that might be deleted afterwards:
   • %malware execution directory%\rem.bat

– c:\win.com It is executed after it has been fully created. Further investigation showed that this file is also malware. Detected as: Worm/IRCBot.68708

 Messenger
It spreads via Messenger. The characteristics are described below:

– Windows Live Messenger
– Windows Messenger


To:
All online contacts in the contact list.


Message
The sent message looks like the following:

   • hey http://**********/upfile/hiltons_secret.zip paris hilton :D:D:D~{ESC}

The URL points to a copy of the described malware. If the user downloads and executes this file, the infection process starts again.

 Miscellaneous
String:
Furthermore it contains the following string:
   • Yo KAV you SUCK! this isn't KELVIR! this is just a BETTER variant of it ;) Greetz sirh0t

 File details
Programming language:
The malware program was written in Visual Basic.

Description inserted by Daniel Constantin on Tuesday, December 13, 2005
Description updated by Daniel Constantin on Tuesday, December 27, 2005
