Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 24 October 2005 08:17:51 (GMT) |
| Detected by | All Sophos products |

- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action
Please follow the instructions for removing worms.
More Information
W32/Kelvir-AX is an instant messaging worm and backdoor Trojan for the Windows platform.
W32/Kelvir-AX runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. The worm contains functionality to download, install and run new software.
W32/Kelvir-AX includes functionality to:
- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software
- disable other software, including anti-virus, firewall and security related applications
- modify the HOSTS file
When run, W32/Kelvir-AX attempts to copy itself to <System>\<random>\svshost.exe.
The following registry entries may be created to run svshost.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random>
<System>\<random>\svshost.exe
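The persistence pattern above (a file named svshost.exe, a look-alike of the legitimate svchost.exe, started from a randomly named folder below the System directory via the Run key) is easy to triage from the Run-key values alone. The following script is an added example, not Sophos code or part of this analysis; the Run-key values it scans are constructed, the System directory path is an assumption for a default install, and on a real host the values would be read from the `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` key listed above. It also flags the broader case of any svchost.exe that runs from outside the System directory.

```python
"""Triage check for Run-key persistence of the kind described above.

Added example (not Sophos code). SAMPLE_RUN_VALUES is constructed; a real
check would read HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.
"""
import ntpath
from typing import Dict, Optional

# Assumption: System directory of a default install.
SYSTEM_DIR = r"C:\WINDOWS\system32"

# Constructed sample: Run value name -> command line stored in the value.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "Reader_sl": r'"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"',
    "kjhg3": r"C:\WINDOWS\system32\kjhg3\svshost.exe",            # Kelvir-AX pattern
    "Updater": r"C:\WINDOWS\system32\svchost.exe -k netsvcs",      # legitimate location
    "Helper": r'"C:\Documents and Settings\user\svchost.exe" /s',  # look-alike location
}


def command_executable(command: str) -> str:
    """Extract the executable path from a Run-key command line.

    A leading double quote delimits the path; otherwise the path runs up to
    and including the first ".exe". Unquoted paths containing spaces are
    ambiguous without probing the filesystem, so this is best effort.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    idx = command.lower().find(".exe")
    if idx != -1:
        return command[: idx + 4]
    return command.split()[0] if command else ""


def same_dir(a: str, b: str) -> bool:
    """Case-insensitive directory comparison using Windows path rules."""
    return ntpath.normcase(a.rstrip("\\")) == ntpath.normcase(b.rstrip("\\"))


def classify_run_value(command: str) -> Optional[str]:
    """Return a reason string when the command matches a suspicious pattern, else None."""
    exe = command_executable(command)
    base = ntpath.basename(exe).lower()
    directory = ntpath.dirname(exe)
    if base == "svshost.exe":
        return "svshost.exe: look-alike of svchost.exe (W32/Kelvir-AX indicator)"
    if base == "svchost.exe" and not same_dir(directory, SYSTEM_DIR):
        return "svchost.exe launched from outside the System directory"
    if same_dir(ntpath.dirname(directory), SYSTEM_DIR):
        return "executable launched from a subfolder of the System directory (review)"
    return None


def scan_run_values(values: Dict[str, str]) -> Dict[str, str]:
    """Map each flagged Run value name to the reason it was flagged."""
    flagged = {}
    for name, command in values.items():
        reason = classify_run_value(command)
        if reason is not None:
            flagged[name] = reason
    return flagged


if __name__ == "__main__":
    for name, reason in scan_run_values(SAMPLE_RUN_VALUES).items():
        print(f"{name}: {reason}")
```

Running the script against the constructed values flags `kjhg3` (the svshost.exe pattern from this analysis) and `Helper` (a svchost.exe outside the System directory), while the Adobe entry and the genuine svchost.exe pass.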
W32/Kelvir-AX may attempt to spread by sending itself from addresses harvested from AOL Instant Messenger and MSN Messenger.
The message text typically contains:
Hej, download free Emotions and more Extras for your messenger here:
Are you bored of your emotions and winks? download this :
Hey, I found new Winks, Emoticons and alot more for your messenger. Check them out here :
Messeger PLUS just have been released. Check it out, it got alot of extra features that makes your Messenger alot better!
Hej, you got the new Messenger ? :D
Messenger Plus 6.0 Beta has been released....get it here :)
Hej, wanna upgrade your Messenger :D ?
lmao, this is awesome!
lol I just updated my Messenger and I can tell you its awsome!
Check this out bro, its awsome :D !!
LMAO, you should get the new Messenger Plus Add-In...its awsome! :D
ROFL!! this is the funniest things i've ever seen!
LoL dude, you gotta see this!
lmao this is cracking me up...
Mate, you have got to see this!
W32/Kelvir-AX attempts to disable security and anti-virus processes matching the following names:
MCAgentExe
MCUpdateExe
VirusScan Online
VSOCheckTask
Symantec NetDriver Monitor
Outpost Firewall
KAVPersonal50
Zone Labs Client
mcupdmgr.exe
McShield
MCVSRte
MpfService
Symantec Core LC
ccEvtMgr
SNDSrvc
ccProxy
ccPwdSvc
ccSetMgr
SPBBCSvc
SAVScan
SBService
SmcService
OutpostFirewall
CAISafe
PcCtlCom
W32/Kelvir-AX may attempt to modify the HOSTS file, mapping the hostnames of selected websites to 127.0.0.1 and thereby preventing normal access to these sites:
127.0.0.1 avp.com
127.0.0.1 www.avp.com
127.0.0.1 ca.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 fastclick.net
127.0.0.1 ftp.f-secure.com
127.0.0.1 ftp.sophos.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.microsoft.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 vil.nai.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.awaps.net
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.fastclick.net
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www3.ca.com
127.0.0.1 www.grisoft.com
127.0.0.1 grisoft.com
127.0.0.1 housecall.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 pandasoftware.com
127.0.0.1 kaspersky.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.zonelabs.com
127.0.0.1 zonelabs.com
127.0.0.1 antivir.com
127.0.0.1 antivir.de
127.0.0.1 www.spywareinfo.com
127.0.0.1 spywareinfo.com
127.0.0.1 www.merijn.org
127.0.0.1 merijn.org
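The HOSTS-file tampering listed above has a simple signature: hostnames that are not localhost resolving to a loopback address. The following script is an added example, not Sophos code or part of this analysis; it parses a constructed HOSTS file (on a real host the input would be `%SystemRoot%\system32\drivers\etc\hosts`), rates entries for the vendor domains named on this page as high and any other loopback mapping as worth a review, and shows the remediation step of dropping the high-severity lines. The vendor suffix list is derived from the entries above; the sample file contents are constructed.

```python
"""Detect HOSTS-file hijacking of the kind described above: security vendor
hostnames pointed at loopback so updates and vendor sites fail.

Added example (not Sophos code). SAMPLE_HOSTS is constructed; a real check
reads %SystemRoot%\\system32\\drivers\\etc\\hosts.
"""
import ipaddress
from typing import List, Tuple

# Vendor domains from the list on this page; suffix matching also covers
# hosts such as liveupdate.symantec.com or ftp.f-secure.com.
WATCHED_SUFFIXES = (
    "sophos.com", "symantec.com", "mcafee.com", "nai.com", "networkassociates.com",
    "f-secure.com", "kaspersky.com", "avp.com", "viruslist.com", "trendmicro.com",
    "microsoft.com", "ca.com", "my-etrust.com", "grisoft.com", "pandasoftware.com",
    "zonelabs.com", "antivir.com", "antivir.de", "spywareinfo.com", "merijn.org",
)

# Names that legitimately resolve to a loopback address.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

Finding = Tuple[int, str, str, str]  # (line number, hostname, ip, severity)

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp. (constructed sample)
127.0.0.1       localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.sophos.com   # appended by the worm
127.0.0.1 intranet.example
::1 localhost
192.168.1.10 printer.example
"""


def parse_hosts(text: str):
    """Return (ip, hostname, line_no) for every mapping; comments and blanks skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address, not a mapping
        for host in parts[1:]:
            entries.append((ip, host.lower(), line_no))
    return entries


def is_watched(host: str) -> bool:
    """True when the hostname is, or is below, one of the vendor domains."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacked_entries(text: str) -> List[Finding]:
    """Flag non-localhost names mapped to a loopback address.

    Watched vendor domains are 'high'; any other loopback mapping is 'review'
    (it may be a deliberate ad-blocking entry, but it deserves a look).
    """
    findings: List[Finding] = []
    for ip, host, line_no in parse_hosts(text):
        if not ip.is_loopback or host in LEGIT_LOOPBACK_NAMES:
            continue
        severity = "high" if is_watched(host) else "review"
        findings.append((line_no, host, str(ip), severity))
    return findings


def strip_high_severity(text: str) -> str:
    """Return the HOSTS text with every 'high' finding's line removed."""
    bad_lines = {f[0] for f in find_hijacked_entries(text) if f[3] == "high"}
    kept = [raw for n, raw in enumerate(text.splitlines(), start=1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line_no, host, ip, severity in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} [{severity}]")
```

On the constructed file this reports the two vendor entries as high and the intranet entry for review; the IPv6 `::1 localhost` line and the printer mapping are left alone, and the cleaned output keeps every line except the two hijacked vendor entries.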
W32/Kelvir-AX also attempts to terminate the following processes:
msconfig.exe
kav.exe
kavsvc.exe
mcvsshld.exe
mcagent.exe
mcvsrte.exe
mcshield.exe
mcvsftsn.exe
mcdash.exe
mcinfo.exe
mpfagent.exe
mpftray.exe
mpfservice.exe
mskagent.exe
mcmnhdlr.exe
sndsrvc.exe
usrprmpt.exe
ccapp.exe
ccevtmgr.exe
spbbcsvc.exe
ccsetmgr.exe
symlcsvc.exe
npfmntor.exe
navapsvc.exe
issvc.exe
ccproxy.exe
navapw32.exe
navw32.exe
smc.exe
outpost.exe
zlclient.exe
vsmon.exe
isafe.exe
pandaavengine.exe
msblast.exe
penis32.exe
teekids.exe
bbeagle.exe
navapsvc
d3dupdate.exe
sysmonxp.exe
irun4.exe
mscvb32.exe
sysinfo.exe
mwincfg32.exe
wincfg32.exe
winsys.exe
zapro.exe
winupd.exe
enterprise.exe
regedit.exe
hijackthis.exe
gcasdtserv.exe
gcasserv.exe
pcctlcom.exe
tmntsrv.exe
tmproxy.exe
pccguide.exe
tmpfw.exe
pcclient.exe
AVGNT.EXE
AVWIN.EXE
taskmgr.exe
AVWUPSRV.EXE
ethereal.exe
W32/Kelvir-AX may also modify the Internet Explorer settings by changing the following registry entry:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
