Kelvir.A
Worm
The Kelvir.A worm (also known as the Sumom, Win32.Kelvir.A,
Win32.Serflog or Win32.Suflog worm) is notable in that it
spreads through MSN Messenger on Windows systems. Many users
wrongly assume that a worm or virus cannot arrive over MSN,
which increases the threat this worm poses. Kelvir.A arrives
as an instant message to MSN contacts with the following content:
Message:
omg this is funny!
[Link to the jose.rivera4.home.att.net
domain]
If an unsuspecting user clicks on the link in the message, Kelvir.A
downloads and executes a file from the comcast.net domain,
copying it into the system folder as hotkeysvc.exe, thereby
infecting the system running MSN. The worm sets the hidden,
read-only and system attributes on hotkeysvc.exe so that it is not
shown in a normal directory listing. Kelvir.A also attempts to
download a second file from the yoursite.com domain; this file is
a variant of the W32.Spybot worm, so an infected system carries
two pieces of malware, not one. Kelvir.A then makes the following
Registry changes:
- Adding the value[1]:
"CPQHotkeys" = "hotkeysvc.exe" to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
HKEY_CURRENT_USER\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\.default\System\CurrentControlSet\Control\Lsa
HKEY_USERS\.default\Software\Microsoft\Ole
- Modifying the value[2]:
"EnableDCOM" = "N"
in:
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
Finally, Kelvir.A sends messages to other MSN contacts
in an attempt to infect their systems.
How to Recover if Your System Becomes Infected
Because of the number of changes Kelvir.A makes on systems it
infects, cleaning such systems is not trivial: the dropped file,
every CPQHotkeys value listed above and the EnableDCOM change must
all be undone, and the Spybot variant downloaded from yoursite.com
makes changes of its own, so a full antivirus scan is also
required. Follow the clean-up procedures described here.
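As an added example that is not part of the original archive entry, the following PowerShell script checks a system for the Kelvir.A artefacts listed above (the dropped file and its attributes, the CPQHotkeys value in each of the nine Registry locations, and EnableDCOM set to "N") and removes them. It assumes the dropped file is exactly %SystemRoot%\System32\hotkeysvc.exe as the write-up states, that it is run from an elevated prompt, and that the Spybot variant fetched afterwards is dealt with separately by a full scan; run it with -WhatIf to report findings without changing anything.

```powershell
# Added example, not the archive's own tool: find and remove the Kelvir.A
# artefacts described above. Assumes the dropped file is exactly
# %SystemRoot%\System32\hotkeysvc.exe and that this runs elevated.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$fileName  = 'hotkeysvc.exe'
$valueName = 'CPQHotkeys'
$systemDir = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$filePath  = Join-Path $systemDir $fileName

# HKCU: and HKLM: drives exist by default; HKEY_USERS\.DEFAULT needs a drive.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$hives   = 'HKCU:', 'HKLM:', 'HKU:\.DEFAULT'
$subKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'System\CurrentControlSet\Control\Lsa',
           'Software\Microsoft\Ole'

$findings = @()

# 1. The dropped file. -Force is needed because the worm marks it hidden+system.
if (Test-Path -LiteralPath $filePath) {
    $item = Get-Item -LiteralPath $filePath -Force
    $findings += "file: $filePath (attributes: $($item.Attributes))"
    if ($PSCmdlet.ShouldProcess($filePath, 'Stop process, clear attributes, delete')) {
        Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($fileName)) `
            -ErrorAction SilentlyContinue | Stop-Process -Force
        $item.Attributes = 'Normal'     # drop hidden/read-only/system before deleting
        Remove-Item -LiteralPath $filePath -Force
    }
}

# 2. The CPQHotkeys value in every hive/key combination the worm writes.
#    Keys that do not exist (e.g. HKCU\System\...) are simply skipped.
foreach ($hive in $hives) {
    foreach ($sub in $subKeys) {
        $key = "$hive\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $val = Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $val) {
            $findings += "registry: $key\$valueName = $($val.$valueName)"
            if ($PSCmdlet.ShouldProcess("$key\$valueName", 'Remove value')) {
                Remove-ItemProperty -LiteralPath $key -Name $valueName
            }
        }
    }
}

# 3. DCOM was switched off; restore the Windows default "Y" only if it is "N".
$oleKey = 'HKLM:\Software\Microsoft\Ole'
$dcom = (Get-ItemProperty -LiteralPath $oleKey -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
if ($dcom -eq 'N') {
    $findings += "registry: $oleKey\EnableDCOM = N"
    if ($PSCmdlet.ShouldProcess("$oleKey\EnableDCOM", 'Set back to Y')) {
        Set-ItemProperty -LiteralPath $oleKey -Name EnableDCOM -Value 'Y'
    }
}

if ($findings.Count -eq 0) { 'No Kelvir.A artefacts found.' } else { $findings }
```

Only the nine Run, Lsa and Ole locations named in the write-up are touched; if a legitimate Compaq hotkey utility is installed on the machine, confirm the file path before letting the script delete it, and follow up with a full scan for the Spybot variant, which this script does not look for.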
_____________
1. The Run entries make hotkeysvc.exe start every time a user logs on; the Lsa and Ole entries are not autostart locations, but they are a reliable fingerprint of the infection.
2. This disables DCOM on the victim system.