Saturday, 23 April 2005 |
W32.Kelvir.AI is a worm that spreads a variant of W32.Spybot.Worm through MSN Messenger and exploits remote vulnerabilities.
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Kelvir.AI is executed, it performs the following actions:
Adds the value:
"load" = "[file path to the worm]"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
so that W32.Kelvir.AI runs every time Windows starts.
Sends the following message to all the MSN Messenger contacts on the compromised computer:
Title: Paris Hilton agian !!!!
Body: http://[domain removed]s.net/pictures.php?email=[email address]
Notes:
A recipient must click on the link, download the file [email address], and then execute the file.
[email address] is an email address specified by the worm.
The file [email address] is a variant of W32.Spybot.Worm.
Copies the W32.Spybot.Worm variant as %System%\prq8.exe. It sets the file attributes to hidden, read only, and system.
Adds the value:
"Data Restore Service" = "prq8.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
so that the W32.Spybot.Worm variant runs every time Windows starts.
Attempts to spread itself by exploiting the following vulnerabilities:
The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026).
The Microsoft Windows ntdll.dll Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS03-007).
The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
The Microsoft Windows SSL Library Denial of Service Vulnerability (described in Microsoft Security Bulletin MS04-011).
The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (as described in Microsoft Security Bulletin MS02-061).
The UPnP NOTIFY Buffer Overflow vulnerability (as described in Microsoft Security Bulletin MS01-059).
The DameWare Mini Remote Control Server Pre-Authentication Buffer Overflow vulnerability (as described in Bugtraq ID 9213).
Network Shares with weak passwords.
Backdoors opened by variants of the W32.Beagle and W32.Mydoom worms, and by variants of Backdoor.Optix, Backdoor.NetDevil, Backdoor.Kuang, and Backdoor.Subseven.
The W32.Spybot.Worm variant can perform any of the following actions:
Open a back door on the compromised computer allowing a remote attacker to have unauthorized access.
Steal CD activation keys for many games.
Attempt to terminate processes and services.
Install a keylogger.
Use the compromised computer as a traffic relay or proxy.
To delete the values from the registry:
Click Start > Run.
Type regedit
Click OK.
Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
In the right pane, delete the value:
"load" = "[file path to the worm]"
Navigate to each of the subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
In the right pane, delete the value:
"Data Restore Service" = "prq8.exe"
Exit the Registry Editor.
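As an added example (not part of the original write-up), the persistence values described above and checked in the removal steps can be triaged offline from a regedit export: the script parses a .reg file and reports only the autostart values the write-up names, and only when they carry data, since an empty "load" value is normal on many systems. The sample export and the worm path in it are constructed.

```python
"""Triage a regedit (.reg) export for the W32.Kelvir.AI / Spybot persistence values."""
import re

# Autostart locations named in the write-up: lower-cased subkey -> value name.
# "load" exists legitimately on many systems; only a non-empty value is suspicious.
KELVIR_INDICATORS = {
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows": "load",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": "data restore service",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices": "data restore service",
    r"hkey_current_user\software\microsoft\ole": "data restore service",
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Yield (subkey, value name, data) for each named value in a .reg export.
    regedit writes UTF-16LE files; open them with encoding="utf-16" before calling."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if key := KEY_RE.match(line):
            current = key.group(1)
        elif (val := VALUE_RE.match(line)) and current is not None:
            data = val.group("data")
            if len(data) >= 2 and data[0] == data[-1] == '"':  # REG_SZ: undo .reg escaping
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            yield current, val.group("name").replace('\\"', '"'), data


def find_kelvir_persistence(text):
    """Return [(subkey, name, data)] for indicator values that carry non-empty data."""
    hits = []
    for subkey, name, data in parse_reg_export(text):
        wanted = KELVIR_INDICATORS.get(subkey.lower())
        if wanted and name.lower() == wanted and data:
            hits.append((subkey, name, data))
    return hits


# Constructed sample export: three infected locations plus a benign value that must not fire.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\CONSTRUCTED\\worm.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Data Restore Service"="prq8.exe"
"Benign"="C:\\Program Files\\Example\\app.exe"
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Data Restore Service"="prq8.exe"
'''
```

Running find_kelvir_persistence over SAMPLE_EXPORT returns the three infected locations and ignores the benign Run entry; a machine whose "load" value is present but empty produces no hit.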