WORM_KELVIR.A
Overview

Malware type: Worm

Aliases: IM-Worm.Win32.Kelvir.a (Kaspersky), W32/Kelvir.worm.b (McAfee), W32.Kelvir!gen (Symantec), Worm/MSN.Kelvir.A (Avira), W32/Kelvir-B (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This memory-resident worm spreads copies of itself via MSN Messenger, a popular instant messaging application. It attempts to send an instant message to all online MSN Messenger contacts of an affected user. The message contains a URL that downloads a copy of this worm onto the recipient's system. The following is a sample of the message that it sends out:

omg this is funny! http://jose.ri<BLOCKED>a4.home.att.net/cute.pif

The given link downloads a copy of this worm onto the system once the user clicks it. The downloaded copy then downloads and executes malicious files from the following Web sites:

  • http://www.you<BLOCKED>te.com/file.exe
  • http://home.co<BLOCKED>st.net/~mdeely/patch.exe
  • http://home.<BLOCKED>hlink.net/~cheatworld/coming-soon.jpg

The downloaded file, PATCH.EXE, is detected by Trend Micro as WORM_SDBOT.AUI.

The downloaded file COMING-SOON.JPG, on the other hand, is detected by Trend Micro as WORM_AGOBOT.AOY.


Description created: Mar. 6, 2005 7:14:16 PM GMT -0800
Description updated: Mar. 28, 2005 10:07:36 AM GMT -0800
