W32/Kelvir.worm.b

Type: Virus
SubType: Internet Worm
Discovery Date: 03/06/2005
Length: 46,082 bytes
Minimum DAT: 4441 (03/07/2005)
Updated DAT: 5656 (06/24/2009)
Minimum Engine: 5.1.00
Description Added: 03/06/2005
Description Modified: 03/07/2005 9:49 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

This worm spreads via MSN Messenger. It sends the following message to Contact List recipients:

omg this is funny! http:// {blocked}.home.att.net/cute.pif
note: the actual address has been blocked here to prevent infection.

Following the hyperlink in the message may result in the worm file being downloaded and subsequently executed by the user. Once a system is infected, the worm may also attempt to download a new W32/Sdbot.worm variant from the following site:

http://home.comcast.net/ {blocked}/patch.exe
note: the actual address has been blocked here to prevent infection.

Symptoms

MSN Messenger contacts report that you are sending them a hyperlink that you did not intentionally or knowingly send.

The worm does not create any registry run keys, shortcuts, or otherwise "install" itself on the system.

Method of Infection

This worm spreads by sending MSN Messenger Contacts a hyperlink pointing to a web site hosting the worm.
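
One way to detect this spreading pattern in instant-messaging logs, added here as an example and not part of the original advisory or any vendor tooling: it flags a sender who pushes the same link to an executable file to several contacts within a short window. The log tuple format, the example.test addresses, the thresholds, and every extension other than .pif and .exe are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# .pif and .exe are the file types named in this advisory; the other
# extensions are an assumption added for the example.
EXEC_EXTS = (".pif", ".exe", ".scr", ".com", ".bat", ".cmd")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def executable_links(text):
    """Return URLs in a chat message whose path ends in an executable extension."""
    urls = (u.rstrip(".,)") for u in URL_RE.findall(text))
    return [u for u in urls if urlparse(u).path.lower().endswith(EXEC_EXTS)]

def flag_fanout(log, min_recipients=3, window=60):
    """Flag senders pushing one executable link to several contacts in `window` s.
    log: iterable of (epoch_seconds, sender, recipient, text) tuples
    (a hypothetical export format, not a real MSN Messenger log layout).
    """
    seen = defaultdict(list)  # (sender, url) -> [(timestamp, recipient)]
    for ts, sender, rcpt, text in log:
        for url in executable_links(text):
            seen[(sender, url)].append((ts, rcpt))
    alerts = []
    for (sender, url), events in seen.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            rcpts = {r for _, r in events[start:end + 1]}
            if len(rcpts) >= min_recipients:
                alerts.append((sender, url, sorted(rcpts)))
                break
    return alerts

# Constructed sample log; all addresses and hosts are placeholders.
LURE = "omg this is funny! http://files.example.test/cute.pif"
SAMPLE_LOG = [
    (1000, "alice@example.test", "bob@example.test", LURE),
    (1001, "alice@example.test", "carol@example.test", LURE),
    (1002, "alice@example.test", "dave@example.test", LURE),
    (1500, "bob@example.test", "alice@example.test",
     "release notes: http://news.example.test/story.html"),
    (1600, "carol@example.test", "dave@example.test",
     "installer you asked for: http://files.example.test/setup.exe"),
]
```

Because the worm creates no run keys or shortcuts, message-level signals like this fan-out are among the few indicators available besides the scanner detection itself.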

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • IM-Worm.Win32.Kelvir.a (AVP)
