
W32.Kelvir.K
Friday, 01 April 2005
W32.Kelvir.K is a worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm.

Type: Worm

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Kelvir.K is executed, it performs the following actions:


Sends the following link to all the MSN Messenger contacts on the compromised computer:

[domain removed]/bigjump.com

Notes:

A recipient must click on the link, download the file, and then execute it. The file bigjump.com is a copy of the worm. It's a self-extracting RAR file.
At the time of this writing, the file is not available.


Drops the following files:


%ProgramFiles%\MSS\sex.exe
%ProgramFiles%\MSS\own.exe

Notes:
%ProgramFiles% is a variable that refers to the Program Files folder. By default, this is C:\Program Files.
sex.exe - the worm component that sends the above-mentioned link to all the MSN Messenger contacts on the compromised computer.
own.exe - a variant of W32.Spybot.Worm.


Copies itself as %System%\msnmgsr.exe and sets the file attributes to hidden, read-only, and system.


Adds the value:

"Microsoft System Services" = "msnmgsr.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that W32.Kelvir.K runs every time Windows starts.


Attempts to spread itself by exploiting the following vulnerabilities:


The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP ports 135, 445, and 1025.
The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011) using ports 139 and 445.
The Workstation Service Buffer Overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.


Attempts to enumerate users in order to copy itself to network shares.


Can perform any of the following actions:


Open a back door on the compromised computer, giving a remote attacker unauthorized access
Steal CD activation keys for many games
Attempt to end processes and services
Install a keylogger
Use the compromised computer as a traffic relay or proxy
Perform flooding


To delete the value from the registry:

Click Start > Run.
Type regedit and then click OK.


Navigate to the following subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"Microsoft System Services" = "msnmgsr.exe"

Exit the Registry Editor.
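As an added example that is not part of the original write-up, the following PowerShell script audits a host for the persistence value and the dropped files listed above and, when run with -Remove, performs the same cleanup as the manual registry procedure (plus stopping the worm's processes and deleting its files). It assumes a PowerShell-capable Windows host (later than most of the systems listed as affected), that %System% means %SystemRoot%\System32 (the write-up does not define %System%), and that the dropped files sit under the MSS folder named in the file list. The script name kelvir-audit.ps1 is a hypothetical one.

```powershell
# Added example, not part of the original W32.Kelvir.K write-up.
# Audits a host for the persistence value and dropped files listed above.
# Without -Remove it only reports; with -Remove it stops the worm's
# processes, deletes the files and removes the registry value, matching the
# manual cleanup steps. Run from an elevated PowerShell prompt.
# Assumptions: a PowerShell-capable Windows host, and that %System% means
# %SystemRoot%\System32 (the write-up does not define %System%).
[CmdletBinding()]
param([switch]$Remove)

# Indicators taken from the write-up.
$valueName    = 'Microsoft System Services'
$valueData    = 'msnmgsr.exe'
$runKeys      = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$droppedFiles = @(
    (Join-Path $env:SystemRoot 'System32\msnmgsr.exe'),
    (Join-Path $env:ProgramFiles 'MSS\sex.exe'),
    (Join-Path $env:ProgramFiles 'MSS\own.exe')
)
$processNames = @('msnmgsr', 'sex', 'own')   # image names without .exe

$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: the Run / RunServices value pointing at msnmgsr.exe.
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $entry = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $entry) { continue }
    $data = [string]$entry.$valueName
    $findings.Add("Registry: $key\$valueName = '$data'")
    # Only delete when the data really points at the worm's file, so a
    # legitimate value that happens to share the name is left alone.
    if ($Remove -and $data -like "*$valueData*") {
        Remove-ItemProperty -Path $key -Name $valueName -ErrorAction Stop
        Write-Output "Removed '$valueName' from $key"
    }
}

# 2. Running worm processes (a running copy would keep its file locked).
foreach ($name in $processNames) {
    $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        $findings.Add("Process: $($p.ProcessName) (PID $($p.Id))")
        if ($Remove) { Stop-Process -Id $p.Id -Force -ErrorAction Stop }
    }
}

# 3. Dropped files. msnmgsr.exe is set hidden, read-only and system, so
#    Get-Item needs -Force and the attributes are cleared before deletion.
foreach ($path in $droppedFiles) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item = Get-Item -LiteralPath $path -Force
    $findings.Add("File: $path (attributes: $($item.Attributes))")
    if ($Remove) {
        $item.Attributes = [System.IO.FileAttributes]::Normal
        Remove-Item -LiteralPath $path -Force -ErrorAction Stop
        Write-Output "Deleted $path"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Kelvir.K indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    if (-not $Remove) { Write-Output 'Re-run with -Remove to clean up.' }
}
```

Run `.\kelvir-audit.ps1` first to see what is present, then `.\kelvir-audit.ps1 -Remove` to clean up. The registry value is removed only when its data contains msnmgsr.exe, and processes are stopped before the files are deleted, since a running copy of the worm would otherwise hold its executable open.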