W32.kelvir.c



#1 Luke_Wilbur
Posted 07 March 2005 - 12:01 PM

When W32.Kelvir.C is executed it performs the following actions:

1. Sends the following message to all the Windows Messenger and MSN Messenger contacts on the compromised computer:

hot pic!!~[Link to a Web site on the mxt-networkz.com domain]/parishilton.pif~

Notes:
A recipient must click on the link, download the file, and then execute parishilton.pif.
The www.mxt-networkz.com domain was unavailable at the time of writing.

2. Drops the following files in the folder in which the worm was originally executed:

Link.exe
mafia.exe - a variant of W32.Spybot.Worm

3. Once executed, the W32.Spybot.Worm variant copies itself as %System%\lsassx.exe. It sets the file attributes to hidden, read only, and system.

4. The W32.Spybot.Worm variant adds the value:

"Windows Taskmanager" = "lsassx.exe"

to the following registry subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE

so that it will execute when Windows starts.

5. Connects to an IRC server on TCP port 8080 on one or both of the following domains:

bla.m0ker.com
bla.w00pie.nl

One of many...

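The post above lists three kinds of host and network indicators for this worm: the dropped file names, the autorun value written to three registry subkeys, and the IRC domains contacted on TCP port 8080. The following Python is an added example written for this page, not code from the post or from any vendor; it turns those indicators into three small detection checks that a responder could run over exported data. The registry snapshot, the connection log lines and the file paths it checks are constructed sample inputs (on a live Windows host the snapshot would come from winreg and the log from a firewall or EDR export), and the function names are my own.

```python
"""Detection checks for the W32.Kelvir.C / W32.Spybot.Worm indicators above.

Added example, not the post's or a vendor's code. All inputs below are
constructed sample data so the checks run offline.
"""
import ntpath
import re

# Persistence indicator quoted in the writeup: value name, value data and the
# three subkeys the Spybot variant writes it to.
PERSISTENCE_VALUE = "Windows Taskmanager"
PERSISTENCE_DATA = "lsassx.exe"
PERSISTENCE_SUBKEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
)

# Command-and-control indicators quoted in the writeup.
IRC_DOMAINS = frozenset({"bla.m0ker.com", "bla.w00pie.nl"})
IRC_PORT = 8080

# File names quoted in the writeup (dropped files plus the %System% copy).
DROPPED_FILES = frozenset({"link.exe", "mafia.exe", "lsassx.exe"})

# Matches the "-> host:port" destination field of the constructed log format.
_DEST_RE = re.compile(r"->\s*(?P<host>[A-Za-z0-9.-]+):(?P<port>\d+)")


def find_persistence(registry_snapshot):
    """Return the listed subkeys that carry the worm's autorun value.

    registry_snapshot maps a subkey path to {value name: value data}. Names
    and data are compared case-insensitively, as the registry itself is, and
    the data may be a bare file name or a full path ending in lsassx.exe.
    """
    hits = []
    for subkey in PERSISTENCE_SUBKEYS:
        for name, data in registry_snapshot.get(subkey, {}).items():
            if (name.lower() == PERSISTENCE_VALUE.lower()
                    and ntpath.basename(data).lower() == PERSISTENCE_DATA):
                hits.append(subkey)
                break
    return hits


def find_irc_connections(log_text):
    """Scan connection log lines for the worm's IRC domains.

    Returns (host, port, strong) per matching line; strong is True when the
    port is also the 8080 named in the writeup. A domain match on another
    port is still reported, since the domain alone is a usable indicator.
    """
    findings = []
    for line in log_text.splitlines():
        match = _DEST_RE.search(line)
        if not match:
            continue
        host = match.group("host").lower()
        if host in IRC_DOMAINS:
            port = int(match.group("port"))
            findings.append((host, port, port == IRC_PORT))
    return findings


def find_dropped_files(paths):
    """Return paths whose base name is one of the worm's file names.

    Uses ntpath so Windows paths are split correctly on any platform; note
    that the legitimate lsass.exe is not matched, only the look-alike lsassx.exe.
    """
    return [p for p in paths if ntpath.basename(p).lower() in DROPPED_FILES]


# Constructed sample inputs, modelled on the indicators in the writeup.
SAMPLE_REGISTRY = {
    PERSISTENCE_SUBKEYS[0]: {"Windows Taskmanager": "lsassx.exe",
                             "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    PERSISTENCE_SUBKEYS[2]: {"WINDOWS TASKMANAGER": r"C:\WINDOWS\system32\lsassx.exe"},
}
SAMPLE_LOG = """\
2005-03-07 12:01:05 ws17 TCP 192.0.2.10:1037 -> bla.m0ker.com:8080 SYN
2005-03-07 12:01:06 ws17 TCP 192.0.2.10:1038 -> www.example.com:80 SYN
2005-03-07 12:01:09 ws17 TCP 192.0.2.10:1039 -> bla.w00pie.nl:6667 SYN
2005-03-07 12:01:12 ws17 TCP 192.0.2.10:1040 -> BLA.W00PIE.NL:8080 SYN
"""
SAMPLE_PATHS = [
    r"C:\Documents and Settings\user\Desktop\Link.exe",
    r"C:\Documents and Settings\user\Desktop\mafia.exe",
    r"C:\WINDOWS\system32\lsassx.exe",
    r"C:\WINDOWS\system32\lsass.exe",
]

if __name__ == "__main__":
    print("persistence:", find_persistence(SAMPLE_REGISTRY))
    print("irc:", find_irc_connections(SAMPLE_LOG))
    print("files:", find_dropped_files(SAMPLE_PATHS))
```

The file check deliberately compares base names exactly rather than by prefix, so the real lsass.exe in %System% is never flagged; the registry check accepts either the bare name from the writeup or a full path to it, since either form would start the binary at logon.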
