Computer Protection Program at Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory

Kelvir.E Worm

W32.Kelvir.E is a worm that drops a variant of W32.Spybot.Worm and spreads through MSN Messenger and by exploiting vulnerabilities.

Note: Virus definitions 70307y (extended version 3/7/2005 rev. 25) or greater are required to detect this threat.

When W32.Kelvir.E is executed, it performs the following actions:

1. Sends the following message to all the MSN Messenger contacts on the compromised computer:

Body: http: //[domain removed]/hottt.pif

Note: Infection requires user action: the link must be clicked, the file downloaded, and then executed. The file hottt.pif is a copy of the worm packaged as a self-extracting RAR archive.

2. Drops the following files in the folder in which the worm was originally executed:

  • Link.exe
  • buddie.exe - a variant of W32.Spybot.Worm

3. Copies W32.Spybot.Worm as %System%\lsassx.exe and sets the file attributes to hidden, read only, and system.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

4. Adds the value:

"Windows Taskmanager" = "lsassx.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE

so that W32.Spybot.Worm runs every time Windows starts.

5. W32.Spybot.Worm attempts to spread by exploiting the following vulnerabilities:

  • The DCOM RPC vulnerability (as described in Microsoft Security Bulletin MS03-026) using TCP port 135.
  • The Microsoft Windows Local Security Authority Service (LSASS) Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011) using TCP port 445.

How to Recover if Your System Becomes Infected

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Disable System Restore (Windows Me/XP), so that infected files are not preserved in restore points.
  2. Update the virus definitions (70307y or later, see above).
  3. Run a full system scan and delete all the files detected as W32.Kelvir.E or W32.Spybot.Worm (including %System%\lsassx.exe and the dropped Link.exe and buddie.exe).
  4. Delete the "Windows Taskmanager" value from each of the three registry subkeys listed above.

For specific details on each of these steps, read the instructions posted on the Symantec Web site.
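The following script is an added example, not part of the original alert or of Symantec's tooling. It sweeps a host for the indicators listed above (the dropped files, the %System%\lsassx.exe copy, and the "Windows Taskmanager" autorun value in the three registry subkeys) and, with the -Remove switch, carries out steps 3 and 4 of the recovery procedure. Steps 1 and 2 (disabling System Restore and updating definitions) are still done by hand. The -DropFolder parameter and its default are assumptions: the alert only says the files are dropped in the folder the worm was executed from, so point it at wherever hottt.pif was run.

```powershell
# Added example: host-side IOC sweep for the W32.Kelvir.E / W32.Spybot.Worm
# indicators in this alert. Run from an elevated PowerShell prompt.
#   .\Check-Kelvir.ps1            -> report only
#   .\Check-Kelvir.ps1 -Remove    -> also delete dropped files and autorun values
[CmdletBinding()]
param(
    [switch]$Remove,
    # Folder the worm was executed from (Link.exe / buddie.exe land here).
    # ASSUMED default; the alert does not fix a location.
    [string]$DropFolder = (Join-Path $env:USERPROFILE 'Downloads')
)

# Resolves %System% (C:\Windows\System32 on XP, C:\Winnt\System32 on 2000)
$system32 = [Environment]::GetFolderPath('System')

# File indicators from the alert
$fileIocs = @(
    (Join-Path $system32   'lsassx.exe'),
    (Join-Path $DropFolder 'Link.exe'),
    (Join-Path $DropFolder 'buddie.exe'),
    (Join-Path $DropFolder 'hottt.pif')
)

# Registry indicators: "Windows Taskmanager" = "lsassx.exe" under these subkeys
$valueName = 'Windows Taskmanager'
$regIocs = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\OLE'
)

$findings = @()

# A running lsassx.exe holds its file open; stop it before any deletion.
# Note the name: the real lsass.exe (no "x") must never be stopped.
if ($Remove) {
    Get-Process -Name 'lsassx' -ErrorAction SilentlyContinue | Stop-Process -Force
}

foreach ($path in $fileIocs) {
    if (Test-Path -LiteralPath $path) {
        # -Force is needed: the alert says the copy is hidden + read-only + system
        $item = Get-Item -LiteralPath $path -Force
        $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "attrs=$($item.Attributes)" }
        if ($Remove) {
            $item.Attributes = 'Normal'          # clear hidden/read-only/system
            Remove-Item -LiteralPath $path -Force
        }
    }
}

foreach ($key in $regIocs) {
    if (Test-Path -LiteralPath $key) {
        $val = Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue
        if ($val -and $val.$valueName -match 'lsassx\.exe') {
            $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\$valueName"; Detail = $val.$valueName }
            if ($Remove) { Remove-ItemProperty -LiteralPath $key -Name $valueName -Force }
        }
    }
}

# The genuine LSASS runs from %System%\lsass.exe. Any process named lsassx, or an
# lsass not started from that path, is reported (Path is $null for protected
# processes, so it is only compared when available).
$realLsass = Join-Path $system32 'lsass.exe'
Get-Process | Where-Object {
    $_.Name -ieq 'lsassx' -or ($_.Name -ieq 'lsass' -and $_.Path -and $_.Path -ine $realLsass)
} | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Process'; Location = $_.Path; Detail = "PID $($_.Id)" }
}

if ($findings.Count -eq 0) {
    Write-Host 'No W32.Kelvir.E / W32.Spybot.Worm indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in report mode first and confirm the registry hits are the "Windows Taskmanager" value and not an unrelated entry before re-running with -Remove; the script only removes a value whose data references lsassx.exe. Because the Spybot component scans TCP 135 and 445, blocking those ports at the host firewall while cleaning prevents the machine from reinfecting neighbours in the meantime.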
