Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 25 November 2005 09:56:19 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Kelvir-BC is a worm for the Windows platform.
W32/Kelvir-BC can spread via MSN Messenger. W32/Kelvir-BC will send one of the following messages to the contacts of an infected computer, accompanied by a link to the worm:
"naaao sam tvoju sliku"
"naael jsem tvoji fotku!"
"jeg fandt dit billede"
"ik vond uw foto"
"I found your photo"
"Leysin kuvasi"
"J'ai trouve votre photo"
"Ich hab dein Foto gefunden"
"brhka th foto sou"
"ho trovato la tua fotografia"
"Jeg fant bildet ditt"
"znalazlem twoje zdjecie"
"encontrei sua foto"
"ti-am gasit poza"
"encontre su fotograf"
"Jag hittade ett foto po dig"
"Resmini buldum"
W32/Kelvir-BC includes functionality to access the internet and communicate with a remote server via HTTP.
W32/Kelvir-BC may also attempt to disable the Windows Task Manager, Registry Editor, and System Restore.
When first run, W32/Kelvir-BC copies itself to <System>\nkn.exe and creates the file \NotKelvir.exe.
The following registry entry is created to run nkn.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN Service Utilities
nkn.exe
The following registry entry is set:
HKLM\SOFTWARE\NotKelvir
OriginalPath
<pathname of the Trojan executable>
Registry entries are created under:
HKLM\SOFTWARE\NotKelvir\
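
The file and registry artefacts listed above can be checked on a host with a read-only script. This is an added example, not Sophos code: the function name and its parameters are hypothetical, and the extra look at WOW6432Node and SysWOW64 is an assumption about 64-bit Windows that the description does not cover.

```powershell
# Added example: read-only check for the W32/Kelvir-BC artefacts described above.
# Assumption (not from the page): on 64-bit Windows a 32-bit process is redirected
# to SOFTWARE\WOW6432Node and SysWOW64, so both views are checked.
function Test-KelvirBCIndicators {
    [CmdletBinding()]
    param(
        # Hypothetical parameters; override them to test against a scratch key or folder.
        [string[]]$SoftwareRoots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'),
        [string[]]$SystemDirs    = @("$env:windir\System32", "$env:windir\SysWOW64")
    )

    # 1. Dropped copy of the worm: <System>\nkn.exe
    foreach ($dir in $SystemDirs) {
        $file = Join-Path $dir 'nkn.exe'
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            $item = Get-Item -LiteralPath $file -Force   # -Force: also return hidden files
            [pscustomobject]@{ Indicator = 'File'; Location = $file; Value = $item.LastWriteTimeUtc }
        }
    }

    foreach ($root in $SoftwareRoots) {
        # 2. Autostart value "MSN Service Utilities" under the Run key
        $runKey = "$root\Microsoft\Windows\CurrentVersion\Run"
        $run = Get-ItemProperty -LiteralPath $runKey -Name 'MSN Service Utilities' `
                                -ErrorAction SilentlyContinue
        if ($run) {
            [pscustomobject]@{ Indicator = 'RunValue'; Location = $runKey
                               Value = $run.'MSN Service Utilities' }
        }

        # 3. Marker key SOFTWARE\NotKelvir and its OriginalPath value
        $marker = "$root\NotKelvir"
        if (Test-Path -LiteralPath $marker) {
            $props = Get-ItemProperty -LiteralPath $marker -ErrorAction SilentlyContinue
            [pscustomobject]@{ Indicator = 'MarkerKey'; Location = $marker
                               Value = $props.OriginalPath }
        }
    }
}

# Report findings; nothing is modified or deleted.
$hits = @(Test-KelvirBCIndicators)
if ($hits.Count) { $hits | Format-Table -AutoSize -Wrap }
else { 'No W32/Kelvir-BC indicators found.' }
```

A RunValue hit whose data is not nkn.exe, or a MarkerKey hit with an empty OriginalPath, still merits a manual look at the key before cleanup.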
