W32.Kelvir.C is a worm that spreads through MSN Messenger
and drops a variant of W32.Spybot.Worm.
1. Sends the following message to all the MSN Messenger
contacts on the compromised computer:
hot pic!!~[Link to a Web site on the mxt-networkz.com domain]/parishilton.pif~
Notes:
- A recipient must click on the link, download the file,
and then execute parishilton.pif.
- The www.mxt-networkz.com domain was unavailable at
the time of writing.
2. Drops the following files in the folder in which the
worm was originally executed:
- Link.exe
- mafia.exe - a variant of W32.Spybot.Worm
3. Once executed, the W32.Spybot.Worm variant copies itself
as %System%\lsassx.exe. It sets the file attributes to hidden,
read only, and system.
4. The W32.Spybot.Worm variant adds the value:
"Windows Taskmanager" = "lsassx.exe"
to the following registry subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
so that it will execute when Windows starts.
5. Connects to an IRC server on TCP port 8080 on one or
both of the following domains:
- bla.m0ker.com
- bla.w00pie.nl
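The steps above give a defender three observable artifacts: the dropped file names, the "Windows Taskmanager" = "lsassx.exe" value under the three autorun subkeys, and outbound connections to the lure and IRC domains. The following script is an added example, not part of this writeup and not a vendor tool; it checks an exported .reg file, a directory listing and connection-log lines for exactly those indicators. The registry export, the file paths and the `src=... dst=... dport=...` log format are constructed for the example and are assumptions, not data from the page.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the W32.Kelvir.C / W32.Spybot.Worm description above.
PERSISTENCE_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
}
PERSISTENCE_VALUE_NAME = "Windows Taskmanager"
PERSISTENCE_VALUE_DATA = "lsassx.exe"
DROPPED_FILES = {"link.exe", "mafia.exe", "lsassx.exe", "parishilton.pif"}
C2_DOMAINS = {"bla.m0ker.com", "bla.w00pie.nl"}
C2_PORT = 8080
LURE_DOMAIN = "mxt-networkz.com"

# Constructed sample registry export (assumed to have been taken with "reg export").
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Example\\health.exe"
"Windows Taskmanager"="lsassx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Taskmanager"="lsassx.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Windows Taskmanager"="lsassx.exe"
'''

# Constructed connection-log lines; the field layout is an assumption for this example.
LOG_SAMPLE = [
    "2005-03-10T12:00:01 src=10.0.0.5 dst=www.example.com dport=80 proto=tcp",
    "2005-03-10T12:00:07 src=10.0.0.5 dst=bla.m0ker.com dport=8080 proto=tcp",
    "2005-03-10T12:00:09 src=10.0.0.9 dst=www.mxt-networkz.com dport=80 proto=tcp",
    "2005-03-10T12:01:15 src=10.0.0.5 dst=bla.w00pie.nl dport=8080 proto=tcp",
]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the .reg subset used here: [Key] headers followed by "name"="data" lines."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2)
    return entries


def find_registry_persistence(entries: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the documented subkeys that carry "Windows Taskmanager" = "lsassx.exe"."""
    wanted = {k.lower() for k in PERSISTENCE_KEYS}  # registry keys are case-insensitive
    hits = []
    for key, values in entries.items():
        if key.lower() not in wanted:
            continue
        data = values.get(PERSISTENCE_VALUE_NAME, "")
        if data.lower() == PERSISTENCE_VALUE_DATA:
            hits.append(key)
    return hits


def find_dropped_files(paths: List[str]) -> List[str]:
    """Return paths whose file name matches one of the dropped or copied files."""
    def basename(p: str) -> str:
        return p.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return [p for p in paths if basename(p) in DROPPED_FILES]


def find_network_indicators(lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """Flag connections to the IRC C2 domains (TCP 8080) and to the lure domain."""
    pat = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")
    findings = []
    for line in lines:
        m = pat.search(line)
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2).lower(), int(m.group(3))
        if dst in C2_DOMAINS:
            label = "irc-c2" if port == C2_PORT else "irc-c2-domain"
            findings.append((src, dst, port, label))
        elif dst == LURE_DOMAIN or dst.endswith("." + LURE_DOMAIN):
            findings.append((src, dst, port, "lure-download"))
    return findings


if __name__ == "__main__":
    print("registry:", find_registry_persistence(parse_reg_export(REG_SAMPLE)))
    print("files:", find_dropped_files([r"C:\WINDOWS\system32\lsassx.exe", r"C:\Temp\Link.exe"]))
    print("network:", find_network_indicators(LOG_SAMPLE))
```

Because the page reports the three subkeys and the value name as a set, the registry check keys on the documented value data rather than on any single subkey, so a host where only one of the three entries survived clean-up still shows up; the benign "SecurityHealth" entry in the sample export is there to show the matcher does not fire on ordinary Run values.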
Because of all the changes Kelvir.C makes in systems it infects,
cleaning such systems is not trivial. Follow the clean-up
procedures described here.