Luke_Wilbur
Posted March 7, 2005

When W32.Kelvir.C is executed it performs the following actions:

1. Sends the following message to all the Windows Messenger and MSN Messenger contacts on the compromised computer:

   hot pic!!~[Link to a Web site on the mxt-networkz.com domain]/parishilton.pif~

   Notes:
   - A recipient must click on the link, download the file, and then execute parishilton.pif.
   - The www.mxt-networkz.com domain was unavailable at the time of writing.

2. Drops the following files in the folder in which the worm was originally executed:
   - Link.exe
   - mafia.exe - a variant of W32.Spybot.Worm

3. Once executed, the W32.Spybot.Worm variant copies itself as %System%\lsassx.exe. It sets the file attributes to hidden, read only, and system.

4. The W32.Spybot.Worm variant adds the value:

   "Windows Taskmanager" = "lsassx.exe"

   to the following registry subkeys:
   - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
   - HKEY_CURRENT_USER\Software\Microsoft\OLE

   so that it will execute when Windows starts.

5. Connects to an IRC server on TCP port 8080 on one or both of the following domains:
   - bla.m0ker.com
   - bla.w00pie.nl
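As an added example (not part of the original post or of the write-up it quotes), the persistence entry described above can be checked for in a registry export taken from a suspect machine. The function name and the sample export are constructed for illustration; the full-path form of the value data is an assumption, since the write-up lists only the bare file name.

```python
import re

# Indicators taken from the write-up above (compared case-insensitively).
VALUE_NAME = "windows taskmanager"
VALUE_DATA = "lsassx.exe"
WATCHED_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\ole",
}
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# String values in .reg syntax: "name"="data", with \\ and \" escapes.
VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
UNESCAPE = re.compile(r"\\(.)")

def find_spybot_persistence(reg_text):
    """Return (key, value name, data) tuples matching the write-up's indicators.

    reg_text is the already-decoded text of a registry export (.reg file).
    """
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VAL_RE.match(line)
        if not m or key is None or key.lower() not in WATCHED_KEYS:
            continue
        name = UNESCAPE.sub(r"\1", m.group("name"))
        data = UNESCAPE.sub(r"\1", m.group("data"))
        # Compare on the file name so a full path to lsassx.exe also matches.
        basename = data.rsplit("\\", 1)[-1].lower()
        if name.lower() == VALUE_NAME or basename == VALUE_DATA:
            hits.append((key, name, data))
    return hits

# Constructed sample export: one benign entry plus the entries described above.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Windows Taskmanager"="lsassx.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Taskmanager"="lsassx.exe"
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Windows Taskmanager"="C:\\WINDOWS\\system32\\lsassx.exe"
'''

if __name__ == "__main__":
    for hit in find_spybot_persistence(SAMPLE):
        print(hit)
```

Registry exports written by regedit are commonly UTF-16, so decode the file before passing its text to the function.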