http://www.symantec.com/avcenter/venc/data....kelvir.aj.html
When W32.Kelvir.AJ is executed, it performs the following actions:
Sends the following message to all the MSN Messenger contacts on the compromised computer:
Title: lol look at this
Body: http://[domain removed]us/gallery.php?email=[email address]
Notes:
A recipient must click on the link, download the file [email address], and then execute the file.
[email address] is an email address specified by the worm.
The file [email address] is a variant of W32.Spybot.Worm.
Copies the W32.Spybot.Worm variant as %System%\mssmmspgr.exe. It sets the file attributes to hidden, read only, and system.
Adds the value:
"MSN MMISSENGER" = "mssmmspgr.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
so that the W32.Spybot.Worm variant runs every time Windows starts.
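The persistence described above (the named Run-key value pointing at the dropped file) is easy to check for from a registry export. The script below is an added example, not from the Symantec write-up or the poster; it parses a `.reg` export (the text format `regedit` exports and `reg export` writes) and reports entries under the three listed keys whose value name is "MSN MMISSENGER" or whose data resolves to mssmmspgr.exe, matching case-insensitively because the registry is. The sample export embedded in it is constructed for the example.

```python
"""Detection check for the W32.Kelvir.AJ / W32.Spybot.Worm persistence
indicators: value "MSN MMISSENGER" = "mssmmspgr.exe" under the Run,
RunServices and HKCU\Software\Microsoft\OLE keys.

Added example; runs offline over a .reg export. The export below is
constructed sample input, not a capture from a real host.
"""
import re

# Indicators as given in the write-up.
PERSISTENCE_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
}
INDICATOR_VALUE_NAME = "MSN MMISSENGER"
INDICATOR_FILENAME = "mssmmspgr.exe"

# Constructed sample export: benign entries plus two Kelvir-style entries,
# one bare filename and one full path. .reg files escape backslashes as "\\".
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"MSN MMISSENGER"="mssmmspgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"EnableDCOM"="Y"
"msn mmissenger"="C:\\WINDOWS\\system32\\MSSMMSPGR.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\OneDrive.exe"
"""

# Matches a REG_SZ line:  "name"="data"  (with backslash escapes allowed).
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for every string value in a .reg export.

    Only "name"="data" lines are parsed; dword:/hex: values are not relevant
    to this indicator and are skipped.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            yield key, _unescape(m.group("name")), _unescape(m.group("data"))


def references_dropped_file(data):
    """True if the value data is the dropped filename or a path ending in it."""
    basename = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return basename.lower() == INDICATOR_FILENAME


def find_kelvir_persistence(reg_text):
    """Return (key, value_name, data) hits under the three persistence keys.

    An entry is a hit if its value name is the indicator name or its data
    points at the dropped executable; both comparisons are case-insensitive.
    """
    wanted = {k.lower() for k in PERSISTENCE_KEYS}
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() not in wanted:
            continue
        if name.lower() == INDICATOR_VALUE_NAME.lower() or references_dropped_file(data):
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_kelvir_persistence(SAMPLE_REG_EXPORT):
        print(f"[!] {key}\\{name} = {data}")
```

Against the sample export this reports the two Kelvir-style entries and ignores the benign ones, including the OneDrive entry under a Run key the write-up does not list. To run it on a real host, export the three keys with `reg export` and pass the file contents to `find_kelvir_persistence`; a hit is a cue to also inspect %System%\mssmmspgr.exe, which the write-up says is set hidden, read-only and system.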
Attempts to spread itself by exploiting the following vulnerabilities:
The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026).
The Microsoft Windows ntdll.dll Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS03-007).
The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
The Microsoft Windows SSL Library Denial of Service Vulnerability (described in Microsoft Security Bulletin MS04-011).
The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (as described in Microsoft Security Bulletin MS02-061).
The UPnP NOTIFY Buffer Overflow vulnerability (as described in Microsoft Security Bulletin MS01-059).
The Workstation Service Buffer Overrun vulnerability (as described in Microsoft Security Bulletin MS03-049). Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
The DameWare Mini Remote Control Server Pre-Authentication Buffer Overflow vulnerability (as described in Bugtraq ID 9213).
The VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability (as described here).
Network Shares with weak passwords.
Backdoors opened by variants of the W32.Beagle and W32.Mydoom worms, and by variants of Backdoor.Optix, Backdoor.NetDevil, Backdoor.Kuang, and Backdoor.Subseven.
The W32.Spybot.Worm variant can perform any of the following actions:
Open a back door on the compromised computer allowing a remote attacker to have unauthorized access.
Steal CD activation keys for many games.
Attempt to terminate processes and services.
Install a keylogger.
Use the compromised computer as a traffic relay or proxy.
I've gotten a few MSNs from people on these boards, so if you get anything from me like this, don't open the link.
My current nick is "Anon" and email is zzzzzax@hotmail.com.