Tuesday, 12 April 2005
W32.Kelvir.Q is a worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm.
Type: Worm
Infection Length: 12,288 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Kelvir.Q is executed, it performs the following actions:
Sends the link [domain removed].us:81/crazy.scr with any of the following messages to all the MSN Messenger contacts on the compromised computer:
Hey, i almost peed my pants when i saw this
hahaha crazy bust check it out
omg osoma, the feds finally got em
look who they just captured
wow the fbi is awesome
Note: A recipient must click on the link, and download and execute the file. The file is a copy of the worm. The downloaded file is crazy.scr, which is a variant of W32.Spybot.Worm.
Copies itself as %System%\msmmsgr.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Adds the value:
"MSN MESSENGER" = "msmmsgr.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
so that the W32.Spybot.Worm variant runs every time Windows starts.
Connects to mon.pj34r.us on TCP port 8126 in order to join an IRC channel and listen for commands that will allow the remote attacker to perform any of the following actions:
End a process or thread
Log keystrokes
Open an HTTP server
Redirect packets
Download a file
Execute a remote command
Blink lights on a keyboard
Open and close a CD-ROM drive
Open, rename, and delete a file
Restart the computer
Scan ports
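The two network indicators above (the IRC connection to mon.pj34r.us on TCP port 8126 and the download of crazy.scr from port 81) are the easiest place for a defender to spot an infection from outside the host. The following PowerShell script is an added example, not part of the original write-up: it scans firewall/proxy log lines for those indicators and reports the internal hosts involved. The log lines and the field layout (timestamp, source, destination:port, action, detail) are constructed for the example and are an assumption about the log format.

```powershell
# Added example (not from the advisory): find W32.Kelvir.Q network indicators in
# firewall/proxy logs. The sample lines below are constructed; the layout
# "<time> <src> -> <dst>:<port> <action> <detail>" is an assumed log format.
$SampleLog = @(
    '2005-04-12T09:01:13 10.0.0.15 -> 198.51.100.7:80  ALLOW http GET /index.html',
    '2005-04-12T09:02:40 10.0.0.15 -> 203.0.113.9:81   ALLOW http GET /crazy.scr',
    '2005-04-12T09:02:55 10.0.0.15 -> mon.pj34r.us:8126 ALLOW tcp',
    '2005-04-12T09:03:10 10.0.0.22 -> 198.51.100.7:443 ALLOW https',
    '2005-04-12T09:04:01 10.0.0.22 -> mon.pj34r.us:8126 DENY  tcp'
)

# Indicators taken from the advisory text.
$C2Host = 'mon.pj34r.us'
$C2Port = '8126'
$DropperPort = '81'
$DropperName = 'crazy\.scr'   # regex form

function Find-KelvirIndicators {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        # Parse one log line into named fields; skip lines that do not fit the layout.
        if ($line -notmatch '^(?<ts>\S+)\s+(?<src>\S+)\s+->\s+(?<dst>[^:\s]+):(?<port>\d+)\s+(?<action>\w+)\s+(?<detail>.*)$') {
            continue
        }
        $reason = $null
        if ($Matches.dst -ieq $C2Host -and $Matches.port -eq $C2Port) {
            $reason = 'IRC command channel (mon.pj34r.us:8126)'
        }
        elseif ($Matches.port -eq $DropperPort -and $Matches.detail -imatch "/$DropperName(\s|$)") {
            $reason = 'worm download (crazy.scr via port 81)'
        }
        if ($reason) {
            # A DENY still matters: the host tried to reach the C2, so it is already infected.
            [pscustomobject]@{
                Time        = $Matches.ts
                Source      = $Matches.src
                Destination = "$($Matches.dst):$($Matches.port)"
                Action      = $Matches.action
                Indicator   = $reason
            }
        }
    }
}

$hits = Find-KelvirIndicators -Lines $SampleLog
$hits | Format-Table -AutoSize

# Summarise which internal hosts need cleanup, regardless of whether the firewall blocked them.
'Hosts to isolate and clean:'
$hits | Group-Object Source | ForEach-Object { "  $($_.Name)  ($($_.Count) indicator(s))" }
```

On the constructed sample this flags 10.0.0.15 twice (the download and the C2 join) and 10.0.0.22 once (a blocked C2 attempt). Replace `$SampleLog` with `Get-Content` on a real log export once the regex is adjusted to that product's layout.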
To delete the value from the registry
Click Start > Run.
Type regedit, and then click OK.
Navigate to the following subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
In the right panel, delete the value:
"MSN MESSENGER" = "msmmsgr.exe"
Exit the Registry Editor.
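The manual procedure above, and the persistence mechanism it undoes, can be checked across a fleet with a script. The following PowerShell script is an added example, not part of the original write-up: it looks for the "MSN MESSENGER" = "msmmsgr.exe" value under the three subkeys the write-up names and for the dropped copy in the System folder, reports what it finds, and removes the entries only when run with -Remove. It assumes the value name and data are exactly as listed above and that the System folder is the one returned by [Environment]::GetFolderPath('System').

```powershell
# Added example (not from the advisory): audit, and optionally remove, the
# W32.Kelvir.Q / W32.Spybot.Worm persistence entries. Run from an elevated prompt.
# Assumptions: value name/data exactly as the advisory lists them; the dropped copy
# lives in the folder returned by [Environment]::GetFolderPath('System').
param(
    [switch]$Remove   # without -Remove the script only reports findings
)

$ValueName = 'MSN MESSENGER'
$ValuePattern = 'msmmsgr\.exe'   # regex: matches the bare name or a full path to it
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\OLE'   # a legitimate key; only this one value is malicious
)
$DroppedFile = Join-Path ([Environment]::GetFolderPath('System')) 'msmmsgr.exe'

$findings = @()

foreach ($key in $RunKeys) {
    # RunServices only exists on Windows 9x/Me; skip keys that are absent.
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    $entry = $props.PSObject.Properties[$ValueName]
    if ($null -ne $entry -and "$($entry.Value)" -imatch $ValuePattern) {
        $findings += "Registry: $key  ""$ValueName"" = ""$($entry.Value)"""
        if ($Remove) {
            Remove-ItemProperty -LiteralPath $key -Name $ValueName
            "Removed ""$ValueName"" from $key"
        }
    }
}

if (Test-Path -LiteralPath $DroppedFile) {
    $item = Get-Item -LiteralPath $DroppedFile
    $hash = (Get-FileHash -LiteralPath $DroppedFile -Algorithm SHA256).Hash
    # The advisory gives an infection length of 12,288 bytes; record size and hash before deleting.
    $findings += "File: $DroppedFile ($($item.Length) bytes, SHA256 $hash)"
    if ($Remove) {
        # Stop the running copy first, otherwise the file is locked and can re-add the value.
        Get-Process -Name 'msmmsgr' -ErrorAction SilentlyContinue | Stop-Process -Force
        Remove-Item -LiteralPath $DroppedFile -Force
        "Deleted $DroppedFile"
    }
}

if ($findings.Count -eq 0) {
    'No W32.Kelvir.Q persistence indicators found.'
} else {
    'Findings:'
    $findings | ForEach-Object { "  $_" }
    if (-not $Remove) { 'Re-run with -Remove to clean up.' }
}
```

Run it once without -Remove to collect evidence (the hash and size line is what you would keep for the incident record), then with -Remove; a reboot afterwards confirms the value does not reappear, which would indicate the Spybot variant is still running from another location.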