Monday, 18 July 2005
W32.Kelvir.FK is a worm that spreads through MSN Messenger and drops a copy of W32.Spybot.Worm.
Type: Worm
Infection Length: 110,053 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Kelvir.FK is executed, it performs the following actions:
Copies itself as %System%\msmnwin.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Adds the value:
"MSN Registry loader" = "msmnwin.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
Drops the file C:\mswindrvr.exe, which copies itself as %System%\msnmesgr.exe (W32.Spybot.Worm) and executes it.
Sends the following message to all the MSN Messenger contacts on the compromised computer:
[http://]www.a11serv.com/[REMOVED]/pics.php?data=[EMAIL ADDRESS]
Is this your picture?
Note: [EMAIL ADDRESS] is the email address of the recipient taken from their MSN profile. If a recipient clicks on the URL above, a copy of W32.Kelvir.FK will be downloaded and executed on the compromised computer.
========================================================
To delete the value from the registry
Click Start > Run.
Type regedit
Click OK.
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"MSN Registry loader" = "msmnwin.exe"
Exit the Registry Editor.
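The same check and registry cleanup as a PowerShell script. This is an added example, not part of the original writeup: it looks for the Run value and the three files named above, and the -RemoveRunValue switch name is an assumption made for this example.

```powershell
# Added example (not from the original writeup): report the W32.Kelvir.FK
# artifacts listed above. Run from an elevated prompt.
param([switch]$RemoveRunValue)   # hypothetical switch name chosen for this example

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'MSN Registry loader'
$sysDir    = [Environment]::SystemDirectory   # what the writeup calls %System%
$wormSize  = 110053                           # "Infection Length" from the writeup

$findings = @()

# Autostart value that launches the worm every time Windows starts.
$run = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{
        Kind = 'RunValue'; Item = "$runKey\$valueName"; Detail = $run.$valueName
    }
}

# Worm copy, dropper, and the dropped W32.Spybot.Worm copy.
$paths = @(
    (Join-Path $sysDir 'msmnwin.exe'),
    'C:\mswindrvr.exe',
    (Join-Path $sysDir 'msnmesgr.exe')
)
foreach ($p in $paths) {
    # -Force so hidden or system-flagged files are still found.
    $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($f) {
        $detail = "size=$($f.Length) modified=$($f.LastWriteTime.ToString('s'))"
        if ($f.Length -eq $wormSize) { $detail += ' [matches infection length]' }
        $findings += [pscustomobject]@{ Kind = 'File'; Item = $f.FullName; Detail = $detail }
    }
}

if ($findings.Count -eq 0) { 'No W32.Kelvir.FK artifacts from this writeup were found.' }
else { $findings | Format-Table -AutoSize -Wrap }

# Delete the value only when its data still points at the worm's file name.
if ($RemoveRunValue -and $run -and $run.$valueName -match '(^|\\)msmnwin\.exe"?$') {
    Remove-ItemProperty -Path $runKey -Name $valueName
    "Removed '$valueName' from $runKey"
}
```

The script only reports the files; it leaves them in place for an antivirus scan or for collection as evidence.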