Size: 157.447 bytes, 5.746 bytes
Damage: Spreads itself via MSN Messenger.
VDF Version:  

General Description

Affected platforms:
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Distribution

Worm/MSN.Kelvir.G sends a message to every MSN Messenger contact in the infected user's contact list. The message contains a link from which a file is downloaded to the recipient's computer.

Worm/MSN.Kelvir.G also copies itself to the infected computer's network shares.

The dropped virus, Worm/Wootbot, exploits the following security holes in the Windows operating system:

- "DCOM RPC vulnerability" (described in Microsoft Security Bulletin MS03-026)

- "Microsoft Windows Local Security Authority Service Remote Buffer Overflow" (described in Microsoft Security Bulletin MS04-011)

Technical Details

If Worm/MSN.Kelvir.G is executed, it sends the following link via Microsoft's MSN Messenger: http://www.********.nl/

If the user merely clicks on the link mentioned above, a file named "" is downloaded. This file is a self-extracting RAR archive and it creates the following files:


Another file, which AVIRA detects as Worm/Wootbot, is created in the Windows system directory as "DOS.EXE". This file has the following attributes: 'hidden', 'write protected' and 'system'.

The following entries are written in the Windows Registry:

"C%%Program Files%MSS" = "C:\Program Files\MSS"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WIN32 DDOSSER" = "dos.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"WIN32 DDOSSER" = "dos.exe"

HKEY_CURRENT_USER\Software\Microsoft\OLE
"WIN32 DDOSSER" = "dos.exe"
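
A check for the three "WIN32 DDOSSER" entries listed above, run over the text of a `reg export` file. This is an added example, not Avira's code; the sample export is constructed, and the function assumes the export has already been decoded to text (regedit writes UTF-16).

```python
import re

# Indicators taken from the description above. Registry key and value names
# are case-insensitive, so everything is compared lowercased.
WATCHED_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\ole",
}
VALUE_NAME = "win32 ddosser"
VALUE_DATA = "dos.exe"

KEY_RE = re.compile(r"^\[(.+)\]$")                                  # [HKEY_...\Run]
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')   # "name"="data"

def find_wootbot_entries(reg_text):
    """Return (key, name, data, exact) for each matching string value.

    exact is True when the data is also dos.exe; a matching name with
    different data is still returned, flagged exact=False, for manual review.
    """
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key and key.lower() in WATCHED_KEYS:
            # .reg files escape backslashes and quotes with a backslash.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            if name.lower() == VALUE_NAME:
                hits.append((key, name, data, data.lower() == VALUE_DATA))
    return hits

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"WIN32 DDOSSER"="dos.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Win32 DDoSSer"="DOS.EXE"

[HKEY_CURRENT_USER\Software\Example]
"WIN32 DDOSSER"="dos.exe"
'''

if __name__ == "__main__":
    for key, name, data, exact in find_wootbot_entries(SAMPLE):
        print(f"{key}: {name!r} = {data!r} (exact match: {exact})")
```

The same value name under a key that is not one of the three listed, such as the last section of the sample, is deliberately not reported.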

The following actions can be performed with the help of Worm/Wootbot:

- Backdoor functionality
- Steal activation CD keys for various software products
- Terminate processes and services
- Install a Keylogger
- Use the infected computer as Proxy
Description submitted by Crony Walker on Tuesday, June 15, 2004
