Sophos

W32/Kelvir-BI

Aliases
  • Backdoor.Win32.VB.amp
  • W32.Kelvir
  • WORM_KELVIR.DD

Summary

How it spreads
  • Chat programs
  • Peer-to-peer
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from February 2006 (4.02)
Protection available since 8 December 2005 21:54:13 (GMT)
Detected by All Sophos products

More Information

W32/Kelvir-BI is a worm and backdoor Trojan for the Windows platform.

W32/Kelvir-BI includes functionality to access the internet and communicate with
a remote server via HTTP.

W32/Kelvir-BI sends itself to MSN contacts with any of the following messages:

This is what i made for u (K)
What, damn i never seen this before if u do, let me know.
I think i love this person, it's so beautifull :$

W32/Kelvir-BI can also spread by copying itself to the download folders of the peer-to-peer networking applications Shareaza, eMule and LimeWire.

When first run, W32/Kelvir-BI copies itself to <Windows>\service.exe (where <Windows> is the Windows folder).

The following registry entries are created to run service.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Service = <Windows>\service.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Service = <Windows>\service.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
  Service = <Windows>\service.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  Service = <Windows>\service.exe

The following registry entries are also set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  DisableRegistryTools = 1

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
  Start = 4
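The registry indicators above (the four Run/RunServices entries and the two policy values) can be checked offline against a regedit export of an infected machine. The following Python script is an added example written for this page; it is not Sophos's code or detection logic. It assumes the input is a Version 5.00 `.reg` export (the format `regedit` and `reg export` produce) and matches the Run entries on the trailing `\service.exe` because `<Windows>` stands for whatever the Windows folder is on that host. The interpretation in the comments is general Windows knowledge: `DisableRegistryTools = 1` under the policies key blocks the Registry Editor, `Start = 4` (SERVICE_DISABLED) on `SharedAccess` disables the Windows Firewall / Internet Connection Sharing service, and the `RunServices` keys are only consulted by Windows 9x/Me, so on NT-based systems they are a leftover artefact rather than a working persistence point. The sample exports embedded in the script are constructed, not captured from a real infection.

```python
"""Check a regedit .reg export for the W32/Kelvir-BI registry indicators."""
import re
from typing import Dict, List

# key path (lower-cased) -> {value name (lower-cased): data}
RegistrySnapshot = Dict[str, Dict[str, object]]

# Startup entries listed on the page. <Windows> is the Windows folder, so the
# data is matched on its "\service.exe" suffix rather than on a fixed path.
RUN_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
]
RUN_VALUE_NAME = "Service"
RUN_DATA_SUFFIX = "\\service.exe"

# (key, value name) -> data the worm sets. DisableRegistryTools=1 blocks regedit;
# Start=4 (SERVICE_DISABLED) on SharedAccess turns off the Windows Firewall/ICS service.
POLICY_INDICATORS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system",
     "DisableRegistryTools"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start"): 4,
}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg_export(text: str) -> RegistrySnapshot:
    """Parse the subset of the .reg format needed here: [key] headers,
    "name"="string" values (with \\ and \" escapes) and "name"=dword:hex values.
    Keys and value names are lower-cased because the registry is case-insensitive."""
    snapshot: RegistrySnapshot = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group("key").lower()
            snapshot.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if not value_match or current is None:
            continue  # header line, blank lines, default (@=) and unsupported types
        name = value_match.group("name").lower()
        data = value_match.group("data")
        if data.startswith("dword:"):
            snapshot[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            snapshot[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        # hex: / expand-string values are not needed for these indicators
    return snapshot


def find_kelvir_indicators(snapshot: RegistrySnapshot) -> List[str]:
    """Return one finding string for every Kelvir-BI registry indicator present."""
    findings: List[str] = []
    for key in RUN_KEYS:
        data = snapshot.get(key.lower(), {}).get(RUN_VALUE_NAME.lower())
        if isinstance(data, str) and data.lower().endswith(RUN_DATA_SUFFIX):
            findings.append(f"{key}\\{RUN_VALUE_NAME} = {data} (startup entry)")
    for (key, name), expected in POLICY_INDICATORS.items():
        if snapshot.get(key.lower(), {}).get(name.lower()) == expected:
            findings.append(f"{key}\\{name} = {expected} (registry tools / firewall tampering)")
    return findings


# Constructed sample exports (not captured from a real infection).
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Service"="C:\\WINDOWS\\service.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service"="C:\\WINDOWS\\service.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"Type"=dword:00000020
'''

CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
'''

if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(f"[{label}]")
        for finding in find_kelvir_indicators(parse_reg_export(export)) or ["no indicators"]:
            print("  " + finding)
```

To use it on a real host, export the keys of interest (for example `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`) and read the file with `encoding="utf-16"`, since Version 5.00 exports are UTF-16 with a byte-order mark. A hit on the Run entries is a persistence indicator; the two policy values are worth checking on their own because they survive deletion of service.exe and leave the machine with regedit blocked and the firewall service disabled until they are reset.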
