Luke_Wilbur
Posted March 7, 2005

When W32.Kelvir.C is executed it performs the following actions:

Sends the following message to all the Windows Messenger and MSN Messenger contacts on the compromised computer:

    hot pic!!~[Link to a Web site on the mxt-networkz.com domain]/parishilton.pif~

Notes:
    A recipient must click on the link, download the file, and then execute parishilton.pif.
    The www.mxt-networkz.com domain was unavailable at the time of writing.

Drops the following files in the folder in which the worm was originally executed:

    Link.exe
    mafia.exe - a variant of W32.Spybot.Worm

Once executed, the W32.Spybot.Worm variant copies itself as %System%\lsassx.exe. It sets the file attributes to hidden, read only, and system.

The W32.Spybot.Worm variant adds the value:

    "Windows Taskmanager" = "lsassx.exe"

to the following registry subkeys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\OLE

so that it will execute when Windows starts.

Connects to an IRC server on TCP port 8080 on one or both of the following domains:

    bla.m0ker.com
    bla.w00pie.nl
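A check for the registry persistence described in the post, as an added example that is not part of the original post: it scans the text of a registry export for the listed value under the three listed subkeys. The function names and the sample export are constructed for illustration, and the input is assumed to be a `.reg` export already decoded to a string.

```python
import re

# Keys, value name and file name come from the write-up above; matching is
# case-insensitive because the registry is.
WATCHED_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\ole",
}
VALUE_NAME = "windows taskmanager"
VALUE_FILE = "lsassx.exe"
_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def find_persistence(reg_text):
    """Return (key, name, data, reasons) for each matching string value."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _STR_RE.match(line)
        if not m or key is None or key.lower() not in WATCHED_KEYS:
            continue
        name, data = _unescape(m.group(1)), _unescape(m.group(2))
        # Compare the file name only, so a full path to the file also matches.
        exe = data.strip('"').split("\\")[-1].lower()
        reasons = tuple(r for r, ok in (("value name", name.lower() == VALUE_NAME),
                                        ("file name", exe == VALUE_FILE)) if ok)
        if reasons:
            hits.append((key, name, data, reasons))
    return hits

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Taskmanager"="lsassx.exe"
"Updater"="C:\\Program Files\\Updater\\upd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Helper"="C:\\WINDOWS\\system32\\LSASSX.EXE"
'''
```

A value that matches on file name alone, like the constructed "Helper" entry, is still reported, since the value name is trivial to change between variants.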