W32.Kelino.Worm


Aliases: Email-Worm.Win32.Kelino.a, I-Worm.Kelino.a, W32/Kelino.worm.gen, W32/Kelino-A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: N/A
Geographical info: North America
Removal: N/A
Platform: W32
Discovered: 10 Apr 2002
Damage: N/A

Characteristics: The worm W32.Kelino.Worm spreads copies of itself through email. It sends email messages to all recipients listed in the infected user's Address Book. The worm also sends a message to its author; that message contains information about the infected system.

More details about W32.Kelino.Worm

The worm W32.Kelino.Worm propagates via the Internet as an attachment to the infected email messages it sends. It is a Windows PE EXE file written in assembly language. The email messages differ from one version to another. The worm is activated when a user opens the file attached to the email. The attachment is named "netbiospatch10.exe" or "secpatch10.exe". Once the attachment has been opened, the worm installs itself on the system and executes. It copies itself into the Windows directory using either netbiospatch10.exe or secpatch10.exe as the filename. It registers itself in the system registry and then displays a fake error message. The message reads “KERNEL32 ERROR: Couldn't execute frame buffer!” The worm connects to the default SMTP server and sends infected messages to the email addresses it gathers from the WAB (Windows Address Book) database.

A notification message with an empty body is sent to the author of this worm when it infects a system. The message has the following characteristics: From: “Kelaino”, To: kelaino@freenet.de, and Subject: Slave Message. Once it is present on the computer, the W32.Kelino.Worm program may allow remote control. Remote users can access the system through services such as Internet Relay Chat (IRC). The W32.Kelino.Worm software can log in to an IRC channel and receive commands from its author. Unauthorized remote users can then perform a number of covert activities that can be damaging to the computer. They can perform Denial of Service (DoS) attacks or gain personal information about the user. Remote users may also use the user’s computer to gain access to other machines.
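The two mail-borne indicators described above (the attachment names and the empty-body "Slave Message" notification to the author) are what a mail gateway can match on. The following Python script is an added example written for this page, not code from the original description or from any vendor product; it parses RFC 822 messages with the standard library and flags those indicators. The sample messages, the `example.invalid` addresses and the function names `classify_message`, `build_sample` and `demo` are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the W32.Kelino.Worm description above.
KELINO_ATTACHMENTS = {"netbiospatch10.exe", "secpatch10.exe"}
KELINO_NOTIFY_TO = "kelaino@freenet.de"
KELINO_NOTIFY_SUBJECT = "slave message"
KELINO_NOTIFY_FROM = "kelaino"


def classify_message(raw: bytes) -> list[str]:
    """Return the Kelino indicators matched by a raw RFC 822 message (empty list if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # Indicator 1: an attachment carrying one of the worm's known filenames.
    # iter_attachments() yields nothing for single-part messages, so plain mail is skipped.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in KELINO_ATTACHMENTS:
            hits.append(f"attachment:{name}")
    # Indicator 2: the notification the worm sends to its author after infecting a host.
    to_addr = str(msg.get("To") or "").lower()
    subject = str(msg.get("Subject") or "").strip().lower()
    sender = str(msg.get("From") or "").lower()
    if KELINO_NOTIFY_TO in to_addr and subject == KELINO_NOTIFY_SUBJECT:
        hits.append("notification:slave-message")
        if KELINO_NOTIFY_FROM in sender:
            hits.append("notification:from-kelaino")
    return hits


def build_sample(sender, to, subject, body, attachment_name=None) -> bytes:
    """Construct a sample message (test data for this example, not a real capture)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, to, subject
    m.set_content(body)
    if attachment_name:  # a few placeholder bytes stand in for the executable
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


def demo() -> dict[str, list[str]]:
    """Run the classifier over three constructed messages: a lure, the notification, benign mail."""
    samples = {
        "lure": build_sample("alice@example.invalid", "bob@example.invalid",
                             "Security update", "Please apply.", "NetBiosPatch10.exe"),
        "notify": build_sample("Kelaino", KELINO_NOTIFY_TO, "Slave Message", ""),
        "benign": build_sample("alice@example.invalid", "bob@example.invalid",
                               "Q2 report", "See attached.", "report.pdf"),
    }
    return {name: classify_message(raw) for name, raw in samples.items()}
```

The attachment match is case-insensitive because the filename is the worm's, not the user's; the notification rule requires both the recipient and the subject so that ordinary mail to that domain is not flagged.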