Computer Protection Program Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory

Kelvir.D Worm

W32.Kelvir.D (also known as IM-Worm.Win32.Bropia.n, W32/Kelvir.worm.f, and W32/Bropia-G) is a worm that drops a variant of W32.Spybot.Worm. It spreads through MSN Messenger and by exploiting the Windows vulnerabilities listed in step 6 below.

Note: Virus definitions 70307y (extended version 3/7/2005 rev. 25) or greater are required to detect this threat.

When W32.Kelvir.D is executed, it performs the following actions:

1. Sends the following message to all the MSN Messenger contacts on the compromised computer:

Body: haha look at us http://[domain removed]/youandme.pif

Note: Infection through this path requires user action: the recipient must click the link, download youandme.pif, and run it. The file is a copy of the worm packaged as a self-extracting RAR archive.

2. Drops the following files:

  • %Program Files%\Adware\Link.exe
  • %Program Files%\Adware\f.exe - a variant of W32.Spybot.Worm

    Note: %Program Files% is a variable that refers to the folder Windows installs applications into, usually on the same drive as the operating system. It defaults to C:\Program Files.

3. Copies W32.Spybot.Worm as %System%\nvsc32.exe and sets the file attributes to hidden, read only, and system.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

4. Adds the value:

"NvCplScan" = "nvsc32.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce

so that W32.Spybot.Worm runs every time Windows starts.

5. Creates a service with the following properties:

Service name: NvCplScan
Display name: NvCplScan
Path to executable: %System%\nvsc32.exe -netsvcs (the copy of W32.Spybot.Worm placed in step 3)

6. Attempts to spread by exploiting the following vulnerabilities:

  • The DCOM RPC vulnerability (Microsoft Security Bulletin MS03-026), over TCP port 135.
  • The Microsoft Windows Local Security Authority Subsystem Service (LSASS) remote buffer overflow (Microsoft Security Bulletin MS04-011), over SMB on TCP port 445.

Hosts patched against both bulletins are not exposed to this spread path, but they can still be infected through the MSN Messenger link in step 1.
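Hosts compromised through step 6 are found fastest from the network side, because the exploit attempts show up as one internal address opening connections to TCP 135 and 445 on many distinct machines within seconds, while an ordinary client talks to a handful of servers repeatedly. The script below is an added example, not part of this alert or of any Berkeley Lab tool: it looks for that fan-out pattern in flow records. The record layout, the 60-second window and the 20-target threshold are assumptions, and the traffic it runs on is constructed, not a capture.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Ports on which the dropped Spybot component reaches the exploited services:
# TCP 135 for DCOM RPC (MS03-026) and TCP 445 for SMB/LSASS (MS04-011).
EXPLOIT_PORTS = {135, 445}


def parse_flows(text):
    """Parse 'timestamp src dst dport' records (one per line) into tuples.

    The single-space, ISO-8601 layout is an assumption; adapt it to your collector.
    """
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_scanners(flows, window=timedelta(seconds=60), min_targets=20):
    """Return {src: peak} for sources that touched >= min_targets distinct hosts
    on an exploit port within any sliding window of the given length.

    A scanning worm fans out to many addresses; a legitimate client reaches a
    few servers repeatedly, so distinct targets per window separates the two.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in EXPLOIT_PORTS:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # distinct destinations currently inside the window
        start, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[start][0] > window:   # evict events older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            hits[src] = peak
    return hits


def build_sample_flows():
    """Constructed traffic (not a real capture): a benign client, a slow
    low-volume host, and one host fanning out the way an infected machine does."""
    base = datetime(2005, 3, 8, 10, 0, 0)
    flows = []
    for i in range(40):  # workstation repeatedly reaching one file server on 445
        flows.append((base + timedelta(seconds=i), "10.1.1.20", "10.1.1.5", 445))
    for i in range(5):   # five hosts on 135 spread over an hour: below threshold
        flows.append((base + timedelta(minutes=12 * i), "10.1.1.30", f"10.1.3.{i + 1}", 135))
    for i in range(30):  # infected host: 30 distinct targets on 135/445 within 30 s
        port = 135 if i % 2 == 0 else 445
        flows.append((base + timedelta(seconds=i), "10.1.1.50", f"10.1.2.{i + 1}", port))
    return flows


if __name__ == "__main__":
    for src, peak in find_scanners(build_sample_flows()).items():
        print(f"{src}: {peak} distinct hosts on TCP 135/445 within 60 s -> isolate and scan")
```

Vulnerability scanners and administration hosts produce the same fan-out on these ports, so allowlist them by address rather than raising the threshold; a worm on a single /24 reaches twenty targets in well under a minute.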


How to Recover if Your System Becomes Infected

Removal using the W32.Kelvir.D Removal Tool
Symantec Security Response has developed a removal tool that cleans W32.Kelvir.D infections. Use it first, as it is the easiest way to remove this threat. Because of the number of system changes this worm makes, some manual cleanup of Kelvir.D is still necessary after the tool is run.

Manual Removal:
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan and delete all the files detected as W32.Kelvir.D.
  4. Delete the NvCplScan values that were added to the registry subkeys listed in step 4 above, and remove the NvCplScan service created in step 5.

For specific details on each of these steps, read the instructions posted on the Symantec Web site.
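Whether the removal tool or the manual steps were used, a responder wants to confirm that the step-4 autorun values and the step-5 service are actually gone, and on a machine that has been imaged or taken offline the convenient input is a reg export of the relevant hives (for example `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`). The script below is an added example, not part of this alert or of the Symantec tool: it parses the .reg export format, including the line-wrapped hex(2) encoding reg export uses for REG_EXPAND_SZ data, and reports any entry matching the NvCplScan value name, the NvCplScan service, or a reference to nvsc32.exe. The export it runs on is constructed; the expanded ImagePath in it, and the legitimate NVIDIA NvCplDaemon entry placed beside the worm's lookalike name, are there only to exercise the matching.

```python
import re

# Persistence subkeys listed in step 4, lower-cased for case-insensitive comparison.
AUTORUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)}
# Windows registers services under this key; the step-5 service lands at ...\Services\NvCplScan.
SERVICES_PREFIX = r"hkey_local_machine\system\currentcontrolset\services" + "\\"
IOC_NAME = "nvcplscan"    # autorun value name (step 4) and service name (step 5)
IOC_IMAGE = "nvsc32.exe"  # the Spybot copy dropped in step 3

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _logical_lines(text):
    """Join the backslash-continued lines that reg export uses to wrap long hex data."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        yield pending + line
        pending = ""


def _decode(data):
    """Decode one value's data: "string", dword:, hex(2)/hex(7) UTF-16LE text, or raw hex."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", data)
    if m:
        raw = bytes(int(h, 16) for h in m.group(2).split(",") if h)
        if m.group(1) in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ are stored as UTF-16LE
            return raw.decode("utf-16-le").rstrip("\0")
        return raw
    return data


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: data}}."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = _decode(m.group(3))
    return keys


def find_persistence(reg):
    """Return (key, value_name, data) for every Kelvir.D/Spybot persistence entry."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if k in AUTORUN_KEYS:
            for name, data in values.items():
                if name.lower() == IOC_NAME or IOC_IMAGE in str(data).lower():
                    findings.append((key, name, data))
        elif k.startswith(SERVICES_PREFIX):
            service = k[len(SERVICES_PREFIX):]
            if "\\" in service:  # skip sub-keys such as ...\NvCplScan\Security
                continue
            image = values.get("ImagePath", "")
            if service == IOC_NAME or IOC_IMAGE in str(image).lower():
                findings.append((key, "ImagePath", image))
    return findings


def _reg_hex2(s):
    """Encode text the way reg export writes REG_EXPAND_SZ: hex(2):..., wrapped with '\\'."""
    parts = [f"{b:02x}" for b in (s + "\0").encode("utf-16-le")]
    lines = [",".join(parts[i:i + 25]) for i in range(0, len(parts), 25)]
    return "hex(2):" + ",\\\n  ".join(lines)


def sample_export():
    """Constructed excerpt of a reg export from an infected Windows XP host (not a real capture).
    NvCplDaemon is NVIDIA's legitimate autorun entry, included to show that the check must
    match the exact value name and image rather than the 'NvCpl' prefix."""
    image = _reg_hex2(r"C:\WINDOWS\System32\nvsc32.exe -netsvcs")
    return f'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\\\WINDOWS\\\\system32\\\\NvCpl.dll,NvStartup"
"NvCplScan"="nvsc32.exe"

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NvCplScan]
"Type"=dword:00000010
"DisplayName"="NvCplScan"
"ImagePath"={image}

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NvCplScan\\Security]
"Security"=hex:01,00,14,80
'''


if __name__ == "__main__":
    for key, name, data in find_persistence(parse_reg_export(sample_export())):
        print(f"{key}\n    {name} = {data!r}")
```

Run it against exports of HKLM\SOFTWARE, HKCU\Software, HKU\.Default and HKLM\SYSTEM taken before and after cleanup; an empty result after cleanup is the check that step 4 of the manual removal is complete, and the same parser works for any other autorun indicator by changing the two IOC constants.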
