Alias: IM-Worm.Win32.Kelvir.a, W32/Kelvir.worm.a, W32.Kelvir.A
Size: 46,082 bytes
VDF Version: 

General Description
Affected platform:
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Distribution
Worm/MSN.Kelvir.A spreads over MSN Messenger by sending the following message to everyone in the contact list:

omg this is funny!


Technical Details
Worm/MSN.Kelvir.A sends itself over Microsoft's MSN Messenger. The worm sends the following messages:

omg this is funny!


If the MSN user clicks on the above link, a file from the server "" is downloaded and stored in "c:\patch.exe". Another file, which AVIRA detects as "Worm/Wootbot", is downloaded from the server. This file is stored in the Windows System directory as "hotkeysvc.exe" and executed. The following entries are written to the Windows Registry:

-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"CPQHotkeys" = "hotkeysvc.exe"

-HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
"CPQHotkeys" = "hotkeysvc.exe"

-HKEY_CURRENT_USER\Software\Microsoft\Ole
"CPQHotkeys" = "hotkeysvc.exe"

-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"CPQHotkeys" = "hotkeysvc.exe"

-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
"CPQHotkeys" = "hotkeysvc.exe"

-HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
"CPQHotkeys" = "hotkeysvc.exe"

-HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Run
"CPQHotkeys" = "hotkeysvc.exe"

-HKEY_USERS\.default\System\CurrentControlSet\Control\Lsa
"CPQHotkeys" = "hotkeysvc.exe"

-HKEY_USERS\.default\Software\Microsoft\Ole
"CPQHotkeys" = "hotkeysvc.exe"

Worm/Wootbot changes the following Registry entry in order to deactivate the DCOM interface:

HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
"EnableDCOM" = "N"
Description inserted by Crony Walker on Tuesday, June 15, 2004
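
An added example, not part of the original Avira description: a Python check that parses the text of a registry export (.reg file) taken from a suspect machine and reports the entries listed above. The function names and the sample export are constructed for illustration, and the caller is assumed to have already decoded the export file to text.

```python
import re

# Indicators from the description above; registry names are case-insensitive.
ROOTS = ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE", r"HKEY_USERS\.default")
SUBKEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",
           r"System\CurrentControlSet\Control\Lsa",
           r"Software\Microsoft\Ole")
PERSISTENCE_KEYS = {(root + "\\" + sub).lower() for root in ROOTS for sub in SUBKEYS}
DCOM_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Ole".lower()
SECTION = re.compile(r'^\[(.+)\]$')
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg files escape backslashes and quotes

def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            key = m.group(1)
        elif key and (m := STRING_VALUE.match(line)):
            yield key, _unescape(m.group(1)), _unescape(m.group(2))

def find_kelvir_traces(text):
    """Return (kind, key, name, data) tuples for entries named in the description."""
    findings = []
    for key, name, data in parse_reg_export(text):
        k, n = key.lower(), name.lower()
        if k in PERSISTENCE_KEYS and n == "cpqhotkeys" and data.lower() == "hotkeysvc.exe":
            findings.append(("persistence", key, name, data))
        elif k == DCOM_KEY and n == "enabledcom" and data.upper() == "N":
            findings.append(("dcom-disabled", key, name, data))
    return findings

# Constructed sample export (not from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CPQHotkeys"="hotkeysvc.exe"
"SoundMan"="C:\\WINDOWS\\soundman.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Ole]
"CPQHotkeys"="hotkeysvc.exe"
"EnableDCOM"="N"
[HKEY_CURRENT_USER\Software\Example]
"CPQHotkeys"="hotkeysvc.exe"
'''
if __name__ == "__main__":
    for finding in find_kelvir_traces(SAMPLE_EXPORT):
        print(*finding, sep=" | ")
```

The "CPQHotkeys" value under the constructed `Software\Example` key is not reported, because only the nine keys named in the description are checked.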
