Alias: W32.Kelvir.F
Type: Worm
Size: 157.447 bytes, 5.746 bytes
Origin:
Date: 03-11-2005
Damage: Spreads itself via MSN Messenger.
VDF Version: 6.30.00.27
Danger: Medium
Distribution: Medium

General Description

Affected platforms:
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Distribution

Worm/MSN.Kelvir.G sends a message to every contact on the infected user's MSN Messenger list. The message contains a link from which a file is downloaded to the computer.

Worm/MSN.Kelvir.G also copies itself to the infected computer's network shares.

The dropped virus, Worm/Wootbot, uses the following security holes in the Windows operating system:

- "DCOM RPC vulnerability" (described in Microsoft Security Bulletin MS03-026)

- "Microsoft Windows Local Security Authority Service Remote Buffer Overflow" (described in Microsoft Security Bulletin MS04-011)

Technical Details

If Worm/MSN.Kelvir.G is executed, it sends the following link via Microsoft's MSN Messenger: http://www.********.nl/girls.com.

If the user merely clicks on the link mentioned above, a file named "girls.com" is downloaded. This file is a self-extracting RAR archive that creates the following files:

%ProgramDIR%\MMS\link.exe
%ProgramDIR%\MMS\pwn.exe

Another file, which AVIRA detects as Worm/Wootbot, is created in the Windows system directory as "DOS.EXE". This file has the following attributes: 'hidden', 'write protected' and 'system'.

The following entries are written in the Windows Registry:

HKEY_CURRENT_USER\Software\WinRAR SFX\
"C%%Program Files%MSS" = "C:\Program Files\MSS"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WIN32 DDOSSER" = "dos.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"WIN32 DDOSSER" = "dos.exe"

HKEY_CURRENT_USER\Software\Microsoft\OLE
"WIN32 DDOSSER" = "dos.exe"

Worm/Wootbot makes the following actions possible:

- Backdoor functionality
- Steal activation CD keys for different software
- Terminate processes and services
- Install a Keylogger
- Use the infected computer as Proxy
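
As an added example (not part of the original description and not Avira's own code), the following Python code scans a text registry export for the "WIN32 DDOSSER" / "dos.exe" autostart entries listed under Technical Details. The function names, the sample export and the decision to also report a "dos.exe" file name stored under a different value name are assumptions made for this example.

```python
import re

# Autostart keys and value from the registry entries listed above.
WATCHED_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\ole",
}
VALUE_NAME = "win32 ddosser"
VALUE_DATA = "dos.exe"
SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg exports escape backslashes and double quotes inside strings.
    return re.sub(r"\\(.)", r"\1", s)

def find_wootbot_entries(reg_text):
    """Return (key, name, data) for string values matching the listed entries."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = STRING_VALUE.match(line)
        if not m or key is None or key.lower() not in WATCHED_KEYS:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        # Match the value name, or the file name at the end of the data path.
        basename = data.rsplit("\\", 1)[-1].lower()
        if name.lower() == VALUE_NAME or basename == VALUE_DATA:
            hits.append((key, name, data))
    return hits

# Constructed sample export, already decoded to text (not from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"WIN32 DDOSSER"="dos.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Updater"="C:\\WINDOWS\\system32\\DOS.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"WIN32 DDOSSER"="dos.exe"
'''
```

Registry exports in the "Version 5.00" format are normally saved as UTF-16, so decode the file before passing its text to `find_wootbot_entries`.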
Description inserted by Crony Walker on Tuesday, June 15, 2004
