W32.Kelvir.DD is a worm that spreads through MSN Messenger and drops a variant of W32.Randex.
When W32.Kelvir.DD is executed, it performs the following actions:
1. Creates a copy of itself as %Windir%\abcdefg.exe.
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
2. Adds the value:
"FILE" = "%Windir%\abcdefg.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
3. Adds the following entry to the hosts file:
127.0.0.1 messenger.hotmail.com
4. Sends the following message to all users in the MSN Messenger contact list:
guess what i found (h) [http://]www.cartoonics.nl/[REMOVED]/pic_44155.PIF
i guess i won the bet...
oops, sorry im talking to wrong person :$
5. Drops a copy of a variant of W32.Randex.
6. Attempts to open a back door, connecting to the procent.corsforcors.info domain on TCP port 8080.
REMOVAL INSTRUCTIONSSee:
http://securityresponse.symantec.com/avcenter/venc/data/w32.kelvir.dd.htmlTo delete the value from the registry 1. Click Start > Run.
2. Type regedit
3. Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"FILE" = "%Windir%\abcdefg.exe"
6. Exit the Registry Editor.
AlphaOne Technology Support Forums
Author
Logged
