Aliases: N/A
Variants: W32.Kelvir.Worm.a, W32.Kelvir.Worm.f, W32.Kelvir.Worm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 03 Jun 2005
Damage: Medium

Characteristics: W32.Kelvir!gen is a generic detection that covers variants of the W32.Kelvir family of worms. The W32.Kelvir worms are Visual Basic applications built on the Messenger Type Library, and they spread using Windows Messenger or MSN Messenger.

More details about W32.Kelvir!gen

W32.Kelvir!gen is a generic detection covering the W32.Kelvir.worm variants. Samples are packed with the UPX and Morphine packers and use Windows Messenger or MSN Messenger as their means of propagation. The worm installs a variant of W32.Sdbot.worm alongside itself. To spread, it loads every contact on the MSN Messenger contact list and sends each one an instant message. The message relies on social engineering: it tempts the recipient into clicking a hyperlink that points to a website hosting the worm. When the recipient downloads and runs the remotely hosted executable, a copy of the W32.Kelvir worm and a variant of W32.Spybot.Worm are copied to the computer. W32.Kelvir worms thus function as a "replication vehicle" for W32.Spybot.Worm.

Every second sample of the W32.Kelvir worm contains the string "The RPMiSO Group" in its body. The worm does not create any registry run keys or shortcuts, and it does not install itself on the system automatically. When executed, the W32.Kelvir worm copies itself to the hard disk and creates its own registry value so that it runs when the Windows operating system starts.

It can set up new malware on the victim computer without the user's knowledge, either executing it directly or registering it for autorun. The program can also secretly monitor the user's activities and collect sensitive information such as the websites visited and the user's Internet surfing habits. It can change the settings of the victim computer and redirect the Web browser's activity. It is believed that these actions may result in slower connection speeds, changed home pages, and loss of Internet or other programs' functionality.
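The two file-level indicators above (UPX packing, and the "The RPMiSO Group" string that some samples carry) can be turned into a simple triage check. The following is an added example written for this entry; it is not the vendor's detection logic and not code from the worm. It assumes only that UPX leaves its default UPX0/UPX1 section names in the PE section table (a heuristic, since section names can be edited after packing), parses the section table with a minimal stdlib-only parser, and runs against a constructed, non-executable PE-shaped blob rather than a real sample.

```python
"""Triage heuristic for W32.Kelvir-family samples (added example).

Checks two file-level indicators from the write-up: UPX packing, visible as
the packer's default UPX0/UPX1 section names in the PE section table, and
the marker string "The RPMiSO Group" in the file body. The section-table
parser is a minimal stdlib-only one written for this example, and
build_sample_pe() produces a constructed, non-executable blob for the demo.
"""
import struct
from typing import List, Optional

MARKER = b"The RPMiSO Group"                 # string quoted in the write-up
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}   # UPX's default section names


def pe_section_names(data: bytes) -> Optional[List[bytes]]:
    """Return the section names of a PE image, or None if data is not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER follows the signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table starts after the optional header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    names = []
    for i in range(num_sections):
        off = table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                             # truncated table: keep what parsed so far
        names.append(data[off:off + 8].rstrip(b"\0"))  # Name field: 8 bytes, NUL padded
    return names


def triage(data: bytes) -> dict:
    """Score one file against the Kelvir indicators and return the findings."""
    names = pe_section_names(data)
    upx = names is not None and any(n in UPX_SECTIONS for n in names)
    marker = MARKER in data
    if upx and marker:
        verdict = "likely W32.Kelvir-family sample"
    elif upx or marker:
        verdict = "one indicator only, review manually"
    else:
        verdict = "no Kelvir indicators"
    return {
        "is_pe": names is not None,
        "sections": names or [],
        "upx_packed": upx,        # heuristic: section names can be altered after packing
        "rpmiso_marker": marker,
        "verdict": verdict,
    }


def build_sample_pe(section_names: List[bytes], body: bytes = b"") -> bytes:
    """Construct a minimal PE-shaped blob (MZ stub, PE signature, file header,
    section table, trailing body) for the demo. It is not executable."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=0x14C (i386), NumberOfSections, three zeroed fields,
    # SizeOfOptionalHeader=0, Characteristics=0
    file_header = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + b"PE\0\0" + file_header + table + body


if __name__ == "__main__":
    # Constructed samples: one with both indicators, one with neither.
    packed = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], b"...The RPMiSO Group...")
    clean = build_sample_pe([b".text", b".data"], b"hello")
    for label, blob in (("packed", packed), ("clean", clean)):
        print(label, triage(blob))
```

The check is deliberately a triage aid rather than a signature: a hit on both indicators is worth pulling the file for analysis, a hit on one alone is only a prompt for manual review, and a repacked or renamed sample will pass it, which is why the write-up's behavioural indicators (Messenger-driven spreading, the dropped Spybot/Sdbot component) remain the stronger detection.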