W32/Kelvir.AE!worm.im

Alias/es: IM-Worm.win32.Kelvir.ae [KAV], W32/Kelvir.AE-net, W32/Kelvir.AV [FP], W32/Kelvir.worm.aj [Mcafee], W32/SDBot.6051-bdr
Release Date: Sep 22, 2005

Detection Availability
                 Active Database    Extended Database
  FortiGate      low                high
  FortiClient
  FortiMail      N/A
Current Antivirus Definition Database Version: 12.323
Description

Visible Symptoms

  • Infection can be spotted by the creation of new files and folders on the compromised system -

    new folder
    c:\Program Files\msn7

    new files
    c:\Program Files\msn7\msn.exe (11,776 bytes)
    c:\Program Files\msn7\system32.exe (33,280 bytes)
    c:\WINNT\system32\winshvc.exe (33,280 bytes)

  • Numerous registry modifications will occur on an infected system, including these -

    HKCU\Software\Microsoft\OLE
    "Windows Sz Host" = winshvc.exe

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    "Windows Sz Host" = winshvc.exe

    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    "Windows Sz Host" = winshvc.exe

    HKCU\Software\WinRAR SFX
    "C%%Program Files%msn7" = C:\Program Files\msn7

    HKCU\SYSTEM\CurrentControlSet\Control\Lsa
    "Windows Sz Host" = winshvc.exe

    HKLM\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters
    "TrapPollTimeMilliSecs" = 98, 3A, 00, 00

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Windows Sz Host" = winshvc.exe

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    "Windows Sz Host" = winshvc.exe



Detailed Analysis

This virus spreads to other users by sending itself as an instant message to the contacts listed in the Microsoft Messenger contact list. The virus may also connect to an IRC server and function as a backdoor Trojan, responding to commands sent by a malicious user.

The virus, if run, will copy itself to the local system and modify the registry so that it is loaded at startup from the common "Run" and "RunServices" keys.

Once started, the virus loads into memory and tries to send copies of itself to other systems by enumerating the MS Messenger contact list and sending a simple message with an attachment to each user on the list. Users who receive the file and run it begin the cycle again.
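The autostart entries and the "WinRAR SFX" drop-folder trace listed under Visible Symptoms can be checked offline against a registry export. The script below is an added example written for this page, not Fortinet's tooling: it parses a .reg export (a constructed sample is embedded, with one benign entry mixed in) and groups the entries that match the indicators above.

```python
import re

# Constructed sample of a "reg export" dump, built for this example (not taken
# from a real infection); it mixes the worm's entries with one benign entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Sz Host"="winshvc.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Sz Host"="winshvc.exe"

[HKEY_CURRENT_USER\Software\WinRAR SFX]
"C%%Program Files%msn7"="C:\\Program Files\\msn7"
"""

# Indicators taken from the description above (value name, binary, drop folder).
SUSPECT_VALUE_NAME = "windows sz host"
SUSPECT_BINARY = "winshvc.exe"
SUSPECT_DROP_DIR = r"c:\program files\msn7"
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg_export(text):
    """Yield (key, value_name, data); quoted string data is unquoted."""
    key = None
    for line in map(str.strip, text.splitlines()):
        km, vm = KEY_RE.match(line), VALUE_RE.match(line)
        if km:
            key = km.group(1)          # section header: [HKEY_...\Path]
        elif vm and key is not None:
            name, data = vm.group(1), vm.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")   # .reg doubles backslashes
            yield key, name, data

def find_kelvir_indicators(text):
    """Group entries matching this worm's autostart and dropper traces."""
    hits = {"autostart": [], "sfx_drop": []}
    for key, name, data in parse_reg_export(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if k.endswith(AUTOSTART_SUFFIXES) and (n == SUSPECT_VALUE_NAME or d.endswith(SUSPECT_BINARY)):
            hits["autostart"].append((key, name, data))   # persistence entry
        elif k.endswith("\\winrar sfx") and d == SUSPECT_DROP_DIR:
            hits["sfx_drop"].append((key, name, data))    # self-extractor trace
    return hits
```

On modern Windows, `reg export` writes the file as UTF-16, so open it with `encoding="utf-16"` before passing the text to find_kelvir_indicators.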

IRC Connection
The virus will try to connect to the IRC servers 'br.sendusyour.info' and 'kc.myleftnut.info'. The "bot" component advertises its installation to hard-coded channels on these servers. Additionally, the virus will respond to commands sent to it by a malicious user. The commands it accepts include these -

c_action
c_pm
c_privmsg
gfile
getfile
clone
execute
update
delay
c_part
c_join
c_nick
c_mode
c_raw
repeat
mode
cycle
action
privmsg
addalias
dns
server
open
prefix
c_rn
c_rndnick
c_quit
killthread
raw
part
join
nick
uninst
remove
sysinfo
netinfo
log
aliases
threads
status
mirc
mirccmd
quit
disconnect
reconnect
ver
version
logout
die
rndnick

Description Last Updated Date: Apr 17, 2006
Reference: ID - 167043