Need help? Ask the community or hire an expert.
Go to Avira Answers
Alias:Symantec: W32.Kelvir.FK Mcafee: W32/Sdbot.worm.gen.h Sophos: Troj/Bropia-N Trend: WORM_KELVIR.BW
Type:Worm 
Size:110.053 Bytes 
Origin: 
Date:07-18-2005 
Damage: 
VDF Version:6.31.0.224 
Danger:Low 
Distribution:Medium 

General DescriptionAffected Platforms
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Symptoms- spreads via MSN Messenger

DistributionThe Worm/MSN.Kelvir.AL spreads via MSN-Messenger, by sending itself to all persons in the contact list, with the following message:
%URL%
Is this your picture?

Technical DetailsIf Worm/MSN.Kelvir.AL is executed, it copies itself as:
%Sysdir%\msmnwin.exe

The following value is also added in the Windows Registry:

-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"MSN Registry loader" = "msmnwin.exe"

Worm/MSN.Kelvir.AL is a dropper variant and drops the following file:
C:\mswindrvr.exe

This file then copies itself into:
%Sysdir%\msnmesgr.exe
Here it behaves like a variant of the worm detected by AVIRA as'Worm/Spybot'.
Description inserted by Crony Walker on Tuesday, June 15, 2004

Back . . . .