Virus: Worm/Kelvir.EV
Date discovered: 24/02/2006
Type: Worm
In the wild: Yes
Reported infections: Low
Distribution potential: Low to medium
Damage potential: Low to medium
Static file: Yes
File size: 41.256 Bytes
MD5 checksum: ada388b4cbba8ae3bba0423f184fb724
VDF version: 6.33.01.27

General method of propagation:
   • Messenger


Aliases:
   •  Kaspersky: IM-Worm.Win32.Kelvir.ew
   •  TrendMicro: WORM_KELVIR.DO


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files

Files:
It tries to download some files:

– The location is the following:
   • http://b0tfilez.tripod.com/**********
It is saved on the local hard drive under: C:\setup.exe

– The location is the following:
   • http://adserv.pwp.blueyonder.co.uk/eng-us/**********
It is saved on the local hard drive under: %SYSDIR%\%random character string%.exe
Furthermore, this file is executed once it has been fully downloaded. Further investigation showed that this file is malware, too.

Messenger:
It spreads via Messenger. The characteristics are described below:

– Windows Messenger


To:
All online contacts in the contact list.


Message:
The sent message looks like one of the following:

   • wow.. http://www.nbmd.cn/**********

   • is that you? http://www.nbmd.cn/**********

   • omg wahaha!!! http://www.nbmd.cn/**********

   • check this out: http://www.nbmd.cn/**********

   • is this working? http://www.nbmd.cn/**********

The URL then refers to a copy of the described malware. If the user downloads and executes this file, the infection process starts again.
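The lure messages and download locations listed above are fixed strings, which makes them usable as detection indicators on an IM gateway or mail-style message filter. The following Python snippet is an added example written for this page; it is not part of the original description or of any vendor tool. It assumes that the masked URL paths (shown as ********** above) are unknown, so only the host names from the description are matched, and the sample messages it scans are constructed for the example. It also checks a file's content against the MD5 checksum given at the top of the description.

```python
import hashlib
import re
from dataclasses import dataclass

# Indicators taken from the description of Worm/Kelvir.EV.
KELVIR_EV_MD5 = "ada388b4cbba8ae3bba0423f184fb724"
KELVIR_LURE_HOST = "www.nbmd.cn"
KELVIR_DOWNLOAD_HOSTS = ("b0tfilez.tripod.com", "adserv.pwp.blueyonder.co.uk")
KNOWN_HOSTS = frozenset((KELVIR_LURE_HOST,) + KELVIR_DOWNLOAD_HOSTS)
# Lure texts that precede the link in the worm's messages.
KELVIR_LURES = (
    "wow..",
    "is that you?",
    "omg wahaha!!!",
    "check this out:",
    "is this working?",
)

# Extracts the host part of every http/https URL in a message.
_URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class Verdict:
    # "known-host": link to a host named in the description (high confidence)
    # "lure-with-link": known lure text followed by some other link (low confidence)
    # "clean": neither
    level: str
    hosts: list


def classify_message(text: str) -> Verdict:
    """Classify one IM message against the Kelvir.EV indicators."""
    hosts = [h.lower() for h in _URL_HOST_RE.findall(text)]
    if any(h in KNOWN_HOSTS for h in hosts):
        return Verdict("known-host", hosts)
    lowered = text.strip().lower()
    # The lure text alone is ordinary chat; only flag it when a link follows,
    # and only at low confidence, since the host is not one we know.
    if hosts and any(lowered.startswith(lure) for lure in KELVIR_LURES):
        return Verdict("lure-with-link", hosts)
    return Verdict("clean", hosts)


def scan_messages(messages):
    """Return (message, level) for every message that is not clean."""
    results = []
    for m in messages:
        v = classify_message(m)
        if v.level != "clean":
            results.append((m, v.level))
    return results


def matches_kelvir_hash(data: bytes) -> bool:
    """True if the file content has the MD5 checksum given in the description."""
    return hashlib.md5(data).hexdigest() == KELVIR_EV_MD5


# Constructed sample messages; PLACEHOLDER_PATH stands in for the masked path.
SAMPLE_MESSAGES = [
    "wow.. http://www.nbmd.cn/PLACEHOLDER_PATH",
    "is that you? http://WWW.NBMD.CN/PLACEHOLDER_PATH",
    "check this out: https://example.org/photos",
    "see you at 5",
]

if __name__ == "__main__":
    for message, level in scan_messages(SAMPLE_MESSAGES):
        print(f"{level:15s} {message}")
    print("sample bytes match Kelvir.EV hash:",
          matches_kelvir_hash(b"constructed sample, not the worm"))
```

The two-level verdict is deliberate: a link to a host named in the description is a strong indicator, while the lure phrases ("check this out:" and the like) are common chat text and only deserve a low-confidence flag when paired with a link to an unknown host. The MD5 check is useful for the static copy named in the description, but the second download is saved under a random file name, so a hash match should be treated as confirmation rather than the only detection.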

File details
Programming language:
The malware program was written in Visual Basic.


Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Andrei Gherman on Monday, February 27, 2006
Description updated by Andrei Gherman on Monday, February 27, 2006
