Sunday, 08 May 2005
W32.Kelvir.BF is a worm that downloads a file and sends a message to all MSN messenger contacts on the compromised computer.
Type: Worm
Infection Length: 73,728 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Kelvir.BF is executed, it performs the following actions:
Copies itself as %Windir%\svchoste.exe.
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
Adds the value:
"Windows Host Service" = "%Windir%\svchoste.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that it is executed every time Windows starts.
Sends one of the following messages to all of the MSN messenger contacts on the compromised computer:
:D:D wow check it
:):) haha, this is cool
(L) you check what i made
:P Great stuff
OMG :D This IS GREAT
BLA :D BLABLA, im bored, look what i made.
The message also contains one of the following links:
checkthis.ubb.cc
checkthis.dd.vg
checkthis.100mbitde.info
check.100mbitde.info
OMG.100mbitde.info
When the link is clicked, it redirects the browser to the IP address 65.75.134.170 and downloads services.exe, which is a copy of W32.Spybot.Worm.
Accesses the page "n?id=ADWTRAXnG2VDHToDo8SE/+JBkjnw" on the m1.nedstatbasic.net domain, which may be used as an infection counter.
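The propagation chain above (lure link, redirect to 65.75.134.170, download of services.exe, then a hit on the nedstatbasic counter) leaves a recognisable trail in web proxy logs. The following script is an added example, not part of the original advisory: it matches the hostnames and IP address listed above against proxy log lines and singles out clients that actually fetched the payload. The log layout ("date time client method url status") and the sample lines are constructed assumptions; point it at a real log with Get-Content.

```powershell
# Added example (not from the original advisory): flag proxy log lines that
# contact the hosts the write-up associates with W32.Kelvir.BF.
$Indicators = @(
    'checkthis.ubb.cc',
    'checkthis.dd.vg',
    'checkthis.100mbitde.info',
    'check.100mbitde.info',
    'OMG.100mbitde.info',
    '65.75.134.170',          # redirect target that serves services.exe (W32.Spybot.Worm)
    'm1.nedstatbasic.net'     # suspected infection counter
)
# One alternation of escaped literals; Select-String matches case-insensitively by default,
# so the mixed-case OMG.100mbitde.info is caught however the client wrote it.
$Pattern = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Constructed sample lines in an assumed "date time client method url status" layout
# (not a real capture). Replace with: $SampleLog = Get-Content .\proxy.log
$SampleLog = @(
    '2005-05-08 10:01:02 10.0.0.5 GET http://www.example.com/ 200',
    '2005-05-08 10:01:09 10.0.0.5 GET http://checkthis.ubb.cc/ 302',
    '2005-05-08 10:01:10 10.0.0.5 GET http://65.75.134.170/services.exe 200',
    '2005-05-08 10:01:11 10.0.0.5 GET http://m1.nedstatbasic.net/n?id=ADWTRAXnG2VDHToDo8SE/+JBkjnw 200',
    '2005-05-08 10:02:30 10.0.0.7 GET http://omg.100mbitde.info/ 302'
)

$Hits = $SampleLog | Select-String -Pattern $Pattern | ForEach-Object {
    $fields = $_.Line -split ' '
    [pscustomobject]@{
        Time      = "$($fields[0]) $($fields[1])"
        Client    = $fields[2]
        Indicator = $_.Matches[0].Value
        Url       = $fields[4]
    }
}

# Every hit is a client that was lured; a client that fetched services.exe from
# 65.75.134.170 has most likely run the Spybot payload and should be treated as compromised.
$Hits | Sort-Object Client, Time | Format-Table -AutoSize
$Hits | Where-Object { $_.Indicator -eq '65.75.134.170' } |
    Select-Object -ExpandProperty Client -Unique |
    ForEach-Object { Write-Warning "Payload download observed from client $_" }
```

With the constructed sample, both 10.0.0.5 and 10.0.0.7 appear in the hit table, and only 10.0.0.5 produces the payload-download warning.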
Ends the following processes, some of which may be security-related:
ALOGSERV.EXE
ACKWIN32.EXE
ADVXDWIN.EXE
ALERTSVC.EXE
AMON9X.EXE
ANTI-TROJAN.EXE
ANTS.EXE
APVXDWIN.EXE
ATCON.EXE
ATUPDATER.EXE
ATWATCH.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCC32.EXE
AVGCTRL.EXE
AVGSERV.EXE
AVGSERV9.EXE
AVGW.EXE
AVKSERV.EXE
AVNT.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVSYNMGR.EXE
AVWIN95.EXE
AVWINNT.EXE
AVWUPD32.EXE
AVXMONITOR9X.EXE
AVXMONITORNT.EXE
AVXQUAR.EXE.EXE
AVXW.EXE
AgentSvr.exe
AutoTrace.exe
Avgctrl.exe
Avsched32.exe
BLACKD.EXE
BLACKICE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
EVPN.EXE
CLEANER.EXE
CLEANER3.EXE
CMGRDIAN.EXE
CONNECTIONMONITOR.EXE
CPD.EXE
CPDCLNT.EXE
DEFWATCH.EXE
DOORS.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
EFPEADM.EXE
ESAFE.EXE
ESPWATCH.EXE
ETRUSTCIPE.EXE
EXPERT.EXE
F-AGNT95.EXE
F-PROT.EXE
F-PROT95.EXE
F-STOPW.EXE
FINDVIRU.EXE
FP-WIN.EXE
FPROT.EXE
FRW.EXE
GENERICS.EXE
GUARD.EXE
GUARDDOG.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
VET95.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
IOMON98.EXE
ISRV95.EXE
InoRT.exe
InoRpc.exe
InoTask.exe
JEDI.EXE
LDNETMON.EXE
LDPROMENU.EXE
LDSCAN.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
LOOKOUT.EXE
LUALL.EXE
LUCOMSERVER.EXE
MCAGENT.EXE
MCMNHDLR.EXE
MCSHIELD.EXE
MCTOOL.EXE
MCUPDATE.EXE
MCVSRTE.EXE
MCVSSHLD.EXE
MGAVRTCL.EXE
MGAVRTE.EXE
MGHTML.EXE
MINILOG.EXE
MONITOR.EXE
MOOLIVE.EXE
MPFTRAY.EXE
MWATCH.EXE
N32SCANW.EXE
NAVAPSVC.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NDD32.EXE
VET32.EXE
NETUTILS.EXE
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
NORMIST.EXE
NPROTECT.EXE
NPSSVC.EXE
NSCHED32.EXE
NTVDM.EXE
NTXconfig.exe
NUPGRADE.EXE
NVC95.EXE
NWService.exe
NWTOOL16.EXE
Navapw32.exe
NeoWatchLog.exe
Nui.EXE
PADMIN.EOUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCIOMON.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
PERSFW.EXE
POP3TRAP.EXE
POPROXY.EXE
PORTMONITOR.EXE
PROCESSMONITOR.EXE
PVIEW95.EXE
RAV7.EXE
RAV7WIN.EXE
REALMON.EXE
RESCUE.EXE
RTVSCN95.EXE
Realmon.exe
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SERV95.EXE
SMC.EXE
SPHINX.EXE
SPYXX.EXE
SS3EDIT.EXE
SWEEP95.EXE
SWNETSUP.EXE
SYMPROXYSVC.EXE
SYMTRAY.EXE
SymProxySvc.exe
TBSCAN.EXE
TC.EXE
TCA.EXE
TCM.EXE
TDS-3.EXE
TDS2-98.EXE
TDS2-NT.EXE
TFAK.EXE
VETTRAY.EXE
VIR-HELP.EXE
VPC32.EXE
VPTRAY.EXE
VSCAN40.EXE
VSCHED.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSMAIN.EXE
VSMON.EXE
VSSTAT.EXE
VbCons.exe
WATCHDOG.EXE
WEBSCANX.EXE
WEBTRAP.EXE
WFINDV32.EXE
WGFE95.EXE
WIMMUN32.EXE
WRADMIN.EXE
WRCTRL.EXE
ZAPRO.EXE
ZONEALARM.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
apvxdwin.exe
avkpop.exe
avkservice.exe
avkwctl9.exe
defscangui.exe
fameh32.exe
fch32.exe
fih32.exe
fnrb32.exe
fsaa.exe
fsav32.exe
fsgk32.exe
fsm32.exe
fsma32.exe
fsmb32.exe
gbmenu.exe
gbpoll.exe
iamapp.exe
netstat.exe
nisum.exe
ntrtscan.EXE
nvsvc32.exe
pavproxy.exe
pccntmon.EXE
pccwin97.EXE
pcscan.EXE
regedit.exe
sbserv.exe
sscansvc.exe
taskmgr.exe
vbcmserv.exe
vsmon.exe
zapro.exe
zonealarm.exe
ping.exe
cmd.exe
tracert.exe
mirc.exe
services.msc
Stops the following services, some of which may be security-related:
MCAFEE
WEBSCANX
ANTIVIR
TrueVector Internet Monitor
Norton AntiVirus Client
CFINET
wscsvc
SharedAccess
Event Log
Zonealarm
SAFEWEB
Norton Antivirus Auto Protect Service
Norton Internet Security Accounts Manager
Norton Internet Security Proxy Service
Norton Internet Security Service
Norton AntiVirus Server
Norton AntiVirus Auto Protect Service
CFINET32
Symantec AntiVirus Client
McShield
IPSEC Policy Agent
DefWatch
WMDM PMSP Service
Symantec Proxy Service
Symantec Event Manager
Norton AntiVirus Corporate Edition
ViRobot Professional Monitoring
AVP.EXE
ViRobot Expert Monitoring
savroam
symantec antivirus
ViRobot Lite Monitoring
PC-cillin Personal Firewall
Trend Micro Proxy Service
Trend NT Realtime Service
McAfee.com McShield
eTrust Antivirus Realtime Server
McAfee.com VirusScan Online Realtime Engine
McAfee Agent
SyGateService
Sygate Personal Firewall Pro
Sophos Anti-Virus
Sophos Anti-Virus Network
Ahnlab Task Scheduler
eTrust Antivirus Job Server
LOCKDOWN2000
ICMON
eTrust Antivirus RPC Server
V3MonNT
V3MonSvc
Quick Heal Online Protection
Kaspersky
Kaspersky Anti-Virus
Kaspersky Antivirus
Kaspersky Client
kaspersky auto protect service
kav
AVG6 Service
AVP32
NORTON
NVC95
FP-WIN
IOMON98
PCCWIN98
F-PROT95
F-STOPW
PVIEW95
NAVWNT
NAVRUNR
NAVLU32
NAVAPSVC
NISUM
SYMPROXYSVC
RESCUE32
NISSERV
ATRACK
IAMAPP
LUCOMSERVER
LUALL
NMAIN
NAVW32
NAVAPW32
VSSTAT
VSHWIN32
AVSYNMGR
AVCONSOL
WEBTRAP
POP3TRAP
PCCMAIN
PCCIOMON
MonSvcNT
rising process communication center
rising realtime monitor service
Windows Firewall
OfficeScanNT Monitor
RemoteAgent
Panda Antivirus
ZoneAlarm
Detector de OfficeScanNT
Norton Internet Security Proxy Srvice
Norton Internet Security service
Sygate Personal Firewall
Security Center
nvscv
Windows Internet Connection Sharing(ICS)
NAV Alert
NAV Auto-Protect
ScriptBlocking Service
Background Intelligent Transfer Service
System Event Notification
BlackICE
AVSync Manager
officescannt realtime scan
officescannt listener
services32 service: msinit
msinit
AVP control center service
KAV Moniter Service
P2P Networking
gear security
MastDLL
MsInt
MsIntScan
FireBall
FireBaum
Eventask
fxsvc
InternetFirewallProc
Serv-U
mcafee framework service
task manager
mcshield
config loader
iroff
servu
secur2
avast! iavs4 control service
avast! antivirus
fix-it task manager
dllhost
dns
outpost firewall service
scvhost
syslock
snake sockproxy service
msclol2
msclol8
systemsecuritydll
vnc server
intel pds
intel file transfer
internet pr0tocol
smss
rundll
Serv-U FTP Server
Norton Unerase Protection
AVG7 Alert Manager Server
AVG7 Update Service
kerio personal firewall
Rising Process Communication Center
Rising Realtime Monitor Service
Kingsoft AntiVirus Service
VNC server
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
symantec central quarantine
symantec quarantine agent
symantec quarantine scanner
psexesvc
etrust antivirus rpc server
etrust antivirus realtime server
etrust antivirus job server
remotely possible/32
win32sl
altiris client service
pcanywhere host service
carbon copy access edition
directupdate engine
noipducservice
To delete the value from the registry
Click Start > Run.
Type regedit
Click OK.
Navigate to each of the following subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"Windows Host Service" = "%Windir%\svchoste.exe"
Exit the Registry Editor.
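Because the worm terminates regedit.exe and taskmgr.exe (both appear in its process list above), the manual steps can fail while svchoste.exe is still running. The script below is an added example, not part of the original advisory: it audits the two Run keys for the "Windows Host Service" value and checks for the dropped %Windir%\svchoste.exe, reporting by default and only cleaning up when run with -Remove. It assumes a host with PowerShell and an elevated session for the HKLM key; the value name, file name and key paths are the ones given in the write-up.

```powershell
# Added example (not from the original advisory): audit and optionally remove the
# W32.Kelvir.BF persistence artifacts named in the write-up.
param(
    [switch]$Remove   # without this switch the script only reports
)

$ValueName   = 'Windows Host Service'
$RunKeys     = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$DroppedFile = Join-Path $env:windir 'svchoste.exe'

$Findings = @()

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $ValueName)) {
        $Findings += [pscustomobject]@{
            Location = $key
            Item     = $ValueName
            Data     = $props.$ValueName
        }
        if ($Remove) {
            Remove-ItemProperty -Path $key -Name $ValueName -ErrorAction Stop
        }
    }
}

if (Test-Path $DroppedFile) {
    $Findings += [pscustomobject]@{
        Location = $DroppedFile
        Item     = 'dropped file'
        Data     = "$((Get-Item $DroppedFile).Length) bytes"   # advisory lists 73,728 bytes
    }
    if ($Remove) {
        # Stop the running copy first; otherwise the file is locked and the worm
        # may re-create the Run value before the deletion completes.
        Get-Process -Name 'svchoste' -ErrorAction SilentlyContinue | Stop-Process -Force
        Remove-Item -Path $DroppedFile -Force -ErrorAction Stop
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No W32.Kelvir.BF persistence artifacts found.'
} else {
    $Findings | Format-Table -AutoSize
    if ($Remove) { Write-Output 'Listed artifacts removed.' }
}
```

Run it once without -Remove to confirm the findings match the indicators above, then with -Remove. The write-up notes that the clicked link also installs a copy of W32.Spybot.Worm as services.exe, which this script does not address; a host that shows these artifacts needs a full scan for that second infection as well.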