W32/Kelvir!worm

Analysis

  • Copies itself to the Windows folder as termsvrs.exe.

  Autostart Mechanism
  • Registers itself as a service named P-SYS to ensure it is loaded during the Windows start-up process.

  Network Propagation
  • The worm enumerates network shares and copies itself to the following folders:
    • d$\windows\system32
    • d$\winnt\system32
    • c$\windows\system32
    • c$\winnt\system32
    • Admin$\system32
    • Admin$

    If the shares are password-protected, it attempts to gain access by using the following user names and passwords:
    • admin
    • server
    • asdfgh
    • !@#$undefined
    • !@#$undefined
    • !@#$undefined
    • 654321
    • 123456
    • 12345
    • administrator

  • This worm also takes advantage of the following Windows vulnerabilities to propagate across networks:

  Backdoor and/or Trojan Behavior
  • Connects to the Internet Relay Chat (IRC) server 70.84.27.34 on TCP port 6522 to await instructions and commands from a remote user.
  • Modifies the following registry entries:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
      DoNotAllowXPSP2 = dword:00000001
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
      Start = dword:00000004
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
      Start = dword:00000004
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
      Start = dword:00000004
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
      UpdatesDisableNotify = dword:00000001
      AntiVirusDisableNotify = dword:00000001
      FirewallDisableNotify = dword:00000001
      AntiVirusOverride = dword:00000001
      FirewallOverride = dword:00000001
  • Drops the file rofl.sys to the System folder. This component is used to hide the worm process. It is detected as W32/Aimbot.AF!tr.bdr.
  • Attempts to contact scripts at the following addresses:
    • http://hpc{REMOVED}y.com/mute/c/prxjdg.cgi
    • http://www.a{REMOVED}e.jp/x/maxwell/cgi-bin/prxjdg.cgi
    • http://www2.do{REMOVED}e.jp/tomocrus/cgi-bin/check/prxjdg.cgi
    • http://cgi1{REMOVED}r.jp/little_w/prxjdg.cgi
    • http://yi{REMOVED}a.com/prxjdg.cgi
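As an added example (not part of Fortinet's analysis), the following Python script checks a `reg export` dump for the registry modifications listed above and for the P-SYS service entry. The `Services\P-SYS` key location and the `ImagePath` value name follow the standard Windows service layout and are assumptions, not details from this entry; the two sample exports are constructed. Because `Start = 4` only means "disabled" and a clean host may have these services disabled for other reasons, those three values are treated as weak corroboration, and the host is flagged only when a Security Center or WindowsUpdate tampering value or the P-SYS service key is present.

```python
import re
from typing import Dict, List, Tuple

# Registry modifications from the analysis above: (key, value name) -> REG_DWORD data.
KELVIR_REG_INDICATORS: Dict[Tuple[str, str], int] = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotAllowXPSP2"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger", "Start"): 4,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry", "Start"): 4,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc", "Start"): 4,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "UpdatesDisableNotify"): 1,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify"): 1,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify"): 1,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride"): 1,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "FirewallOverride"): 1,
}
# Start = 4 just disables a service; clean hosts may have that too, so it is weak evidence.
WEAK_INDICATORS = {k for k in KELVIR_REG_INDICATORS if k[1] == "Start"}
# Assumption: the P-SYS service sits under Services\P-SYS with its binary in ImagePath
# (standard Windows layout; the analysis names only the service and termsvrs.exe).
KELVIR_SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\P-SYS"

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the .reg subset written by 'reg export': [key] headers followed by
    "name"=dword:XXXXXXXX or "name"="string" lines. Keys and value names are
    lower-cased (the registry is case-insensitive); other data types are kept verbatim."""
    tree: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group("key").lower()
            tree.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = value_match.group("name").lower(), value_match.group("data")
            if data.startswith("dword:"):
                tree[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg strings escape backslashes and quotes; undo that.
                tree[current][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            else:
                tree[current][name] = data
    return tree


def find_kelvir_indicators(reg_text: str) -> List[Tuple[str, bool]]:
    """Return (finding, is_strong) pairs for every Kelvir-associated setting present."""
    tree = parse_reg_export(reg_text)
    findings: List[Tuple[str, bool]] = []
    for (key, name), expected in KELVIR_REG_INDICATORS.items():
        if tree.get(key.lower(), {}).get(name.lower()) == expected:
            findings.append((f"{key}\\{name} = {expected}", (key, name) not in WEAK_INDICATORS))
    service = tree.get(KELVIR_SERVICE_KEY.lower())
    if service is not None:
        image = str(service.get("imagepath", "")).lower()
        hint = " (ImagePath references termsvrs.exe)" if "termsvrs.exe" in image else ""
        findings.append((f"service key present: {KELVIR_SERVICE_KEY}{hint}", True))
    return findings


def is_likely_infected(reg_text: str) -> bool:
    """True only when at least one strong indicator is present."""
    return any(strong for _, strong in find_kelvir_indicators(reg_text))


# Constructed sample exports (not real captures). ImagePath is written as a plain
# string for readability; a real export may emit it as hex(2) (REG_EXPAND_SZ).
SAMPLE_INFECTED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\P-SYS]
"ImagePath"="C:\\WINDOWS\\termsvrs.exe"
"Start"=dword:00000002
"""

SAMPLE_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"""

if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(f"{label}: likely infected = {is_likely_infected(sample)}")
        for finding, strong in find_kelvir_indicators(sample):
            print("  ", "strong" if strong else "weak  ", finding)
```

On a live host the same functions can be fed the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services out.reg` and the matching Security Center and WindowsUpdate exports; the parser ignores value types it does not understand, so a full export is safe to pass in.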

Recommended Action

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2024-03-27 92.02821
2024-02-13 92.01532
2023-12-25 92.00041
2023-11-06 91.08547
2022-05-25 90.02622
2020-10-20 81.23000 Sig Updated
2020-09-15 80.39200 Sig Updated
2020-08-25 79.87700 Sig Updated
2020-07-13 78.86400 Sig Updated
2020-03-04 75.72300 Sig Updated