The first reports of Kelvir.A were on March 6th, 2005. Since then, as of September 14, 2005, 246 variants have been reported. The most recent, as of this article, was Kelvir.ii, reported by antivirus vendor Symantec on September 14, 2005.
Some Kelvir variants have been classified as Bropia worm variants. However, while both worms target MSN Messenger, the Bropia variants generally send infected files to MSN contacts, whereas the Kelvir variants send URLs that point to infected/malicious files.
To entice the recipient into clicking the link, the Kelvir worms use a wide range of seemingly innocuous messages. Some of these include:
- omg this is funny!
- What a loser, who does something like this
- This face, it looks like a alien
- People say this is real, u might wanna check this out
- Who does something like this..
- Bleh :| What a filthy sh*t is this, dude check it out.
- :D:D wow check it
- :):) haha, this is cool
- (L) you check what i made
- :P Great stuff
- OMG :D This IS GREAT
- BLA :D BLABLA, im bored, look what i made.
- loool sure fat ppl is the best target for jokes hehe
- hahaaaa you are in the weebs picture!!
- Check me, i made this, very easy haha!
- Check this naked screensaver, wow, it's so cool!!
- Look what my dad gave me!!
- Wow, what a chick, she is so beautiful
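As an added example (not part of the original article), the lure-plus-link pattern described above can be checked against an IM message log with a short Python routine that also flags one sender pushing the same URL to several contacts. The log tuple format, the sample messages, the placeholder hosts, the fan-out threshold, and the function names are assumptions; the lure phrases are taken from the list above.

```python
import re
from collections import defaultdict

# Lure phrases from the list above, normalized (lowercase, no punctuation).
LURES = [
    "omg this is funny",
    "people say this is real",
    "look what i made",
    "check this naked screensaver",
    "look what my dad gave me",
]
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

# Constructed sample log: (sender, recipient, text). Hosts are placeholders.
SAMPLE = [
    ("alice", "bob", "omg this is funny! http://host.example/pic.php"),
    ("alice", "carol", "omg this is funny! http://host.example/pic.php"),
    ("alice", "dave", ":D:D wow check it http://host.example/pic.php"),
    ("bob", "alice", "meeting notes are at http://intranet.example/notes"),
    ("carol", "bob", "omg this is funny!"),  # lure text but no link
]

def normalize(text):
    """Drop URLs, lowercase, and reduce the rest to single-spaced words."""
    text = URL_RE.sub(" ", text).lower()
    return " ".join(re.findall(r"[a-z0-9']+", text))

def scan(messages, fanout=3):
    """Return sorted (sender, url, reasons) for link messages that carry a
    known lure phrase and/or reach at least `fanout` distinct recipients."""
    recipients = defaultdict(set)  # (sender, url) -> set of recipients
    lure_keys = set()              # (sender, url) pairs seen with a lure
    for sender, recipient, text in messages:
        padded = f" {normalize(text)} "  # pad so phrases match on word bounds
        has_lure = any(f" {lure} " in padded for lure in LURES)
        for url in URL_RE.findall(text):
            key = (sender, url.lower())
            recipients[key].add(recipient)
            if has_lure:
                lure_keys.add(key)
    findings = []
    for key, rcpts in recipients.items():
        reasons = [name for name, hit in (("lure", key in lure_keys),
                                          ("fanout", len(rcpts) >= fanout)) if hit]
        if reasons:
            findings.append((*key, reasons))
    return sorted(findings)
```

Messages with a lure phrase but no link are ignored, since the Kelvir pattern depends on the recipient clicking a URL.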
The malicious links point to infected files on remote servers, most of which are variants of the SDbot family. The SDbot family of worms and Trojans exploits various security vulnerabilities in order to spread and open a backdoor on infected users' systems. Some of these exploits include:
- Buffer Overflow in SQL Server 2000 (MS02-061)
- IIS5/WebDAV vulnerability (MS03-007)
- RPC / DCOM vulnerability (MS03-026)
- LSASS vulnerability (MS04-011)
The IRC backdoor installed by the SDbot Trojans leaves the user's system vulnerable to remote manipulation and further compromise. In addition, the infected system may have HTTP and FTP servers surreptitiously set up on it, and these illicit servers could be used to host pornography, viruses, or other illegal material. Thus, not only is the infected user subject to compromise, they may find themselves subject to legal action.
To avoid infection by IM worms such as Kelvir, follow these Tips for IM Safety.

