When W32.Kelvir.C is executed, it performs the following actions:
Sends the following message to all the Windows Messenger and MSN Messenger contacts on the compromised computer:
hot pic!!~[Link to a Web site on the mxt-networkz.com domain]/parishilton.pif~
A recipient must click on the link, download the file, and then execute parishilton.pif.
The www.mxt-networkz.com domain was unavailable at the time of writing.
Drops the following files in the folder in which the worm was originally executed:
mafia.exe - a variant of W32.Spybot.Worm
Once executed, the W32.Spybot.Worm variant copies itself as %System%\lsassx.exe. It sets the file attributes to hidden, read-only, and system.
The W32.Spybot.Worm variant adds the value:
"Windows Taskmanager" = "lsassx.exe"
to the following registry subkeys:
so that it will execute when Windows starts.
Connects to an IRC server on TCP port 8080 on one or both of the following domains:
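The indicators described above, matched against host telemetry. This is an added example, not part of the original write-up; the event schema (type, host, path, attrs, value_name, data, image, dst_port) and the sample events are constructed assumptions. The registry subkey is not matched because the page does not list it.

```python
import ntpath

# Indicators stated in the write-up above.
DROPPED = "lsassx.exe"             # copy placed in %System%
RUN_VALUE = "windows taskmanager"  # autostart value name, lower-cased
IRC_PORT = 8080
LURE = "parishilton.pif"
STEALTH = {"hidden", "readonly", "system"}

def base(path):  # lower-cased file name of a Windows path
    return ntpath.basename(path or "").lower()

def match_event(ev):
    """Return the indicator names that one event record matches."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set":
        # Match on value name and data only; the subkey list is absent from the page.
        if ev.get("value_name", "").lower() == RUN_VALUE and base(ev.get("data")) == DROPPED:
            hits.append("autostart-value")
    elif kind == "file_create":
        if base(ev.get("path")) == DROPPED:
            hits.append("dropped-copy")
            if STEALTH <= set(ev.get("attrs", [])):
                hits.append("stealth-attributes")
        elif base(ev.get("path")) == LURE:
            hits.append("lure-file")
    elif kind == "net_connect":
        # Exact name match: the legitimate lsass.exe must not trigger.
        if base(ev.get("image")) == DROPPED and ev.get("dst_port") == IRC_PORT:
            hits.append("irc-port-8080")
    return hits

def triage(events):
    """Group matched indicators per host."""
    report = {}
    for ev in events:
        for hit in match_event(ev):
            report.setdefault(ev["host"], set()).add(hit)
    return report

# Constructed sample events; host names and paths are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "file_create", "path": r"C:\Users\a\Downloads\parishilton.pif"},
    {"host": "ws-01", "type": "file_create", "path": r"C:\WINDOWS\system32\lsassx.exe",
     "attrs": ["hidden", "readonly", "system"]},
    {"host": "ws-01", "type": "registry_set", "value_name": "Windows Taskmanager", "data": "lsassx.exe"},
    {"host": "ws-01", "type": "net_connect", "image": r"C:\WINDOWS\system32\lsassx.exe", "dst_port": 8080},
    {"host": "ws-02", "type": "net_connect", "image": r"C:\WINDOWS\system32\lsass.exe", "dst_port": 8080},
]
```

`triage(SAMPLE_EVENTS)` reports all five indicators for ws-01 and nothing for ws-02, whose port 8080 connection comes from the genuine lsass.exe.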