Jump to content
Washington DC Message Boards

W32.kelvir.c


Recommended Posts

When W32.Kelvir.C is executed it performs the following actions:

 

 

 

Sends the following message to all the Windows Messenger and MSN Messenger contacts on the compromised computer:

 

hot pic!!~[Link to a Web site on the mxt-networkz.com domain]/parishilton.pif~

 

Notes:

A recipient must click on the link, download the file, and then execute parishilton.pif.

The www.mxt-networkz.com domain was unavailable at the time of writing.

 

 

Drops the following files in the folder in which the worm was originally executed:

 

 

Link.exe

mafia.exe - a variant of W32.Spybot.Worm

 

 

Once executed, the W32.Spybot.Worm variant copies itself as %System%\lsassx.exe. It sets the file attributes to hidden, read only, and system.

 

 

The W32.Spybot.Worm variant adds the value:

 

"Windows Taskmanager" = "lsassx.exe"

 

to the following registry subkeys:

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

RunServices

HKEY_CURRENT_USER\Software\Microsoft\OLE

 

so that it will execute when Windows starts.

 

 

Connects to an IRC server on TCP port 8080 on one or both of the following domains:

 

 

bla.m0ker.com

bla.w00pie.nl

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...