Symantec Issues Warning Of W32.Kelvir.D Worm
W32.Kelvir.D is a worm that spreads through MSN Messenger. Once a machine is infected, the worm will send the following message to all the MSN Messenger contacts on the compromised computer - "haha look at us http://designoflife.net/youandme.pif".
This threat is unique in that the original worm, W32.Kelvir.D, will load a variant of W32.Spybot.worm on the user's machine. W32.Spybot then attempts to spread itself by exploiting the Microsoft Windows DCOM/RPC Buffer Overrun vulnerability and the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (LSASS) vulnerability. Both of these vulnerabilities are over one year old. User interaction is needed for this worm to spread.
"Although we are not seeing large spread of this new worm in-the-wild, this new threat is the latest example of why it is critical that both consumers and enterprises apply patches to vulnerabilities," said Alfred Huger, senior director, Symantec Security Response. "Once a machine is infected, W32.Kelvir will then install a separate worm, W32.Spybot. W32.Spybot leverages two Microsoft vulnerabilities that are well over one year old."
Symantec Security Response has received a total of 12 submissions - 4 from corporate customers. Symantec has seen four variants of this particular IM threat, Kelvir, in less than one week. This type of activity, together with the large population of people using instant messaging, reinforces Symantec's view that IM-based threats will continue to rise in the future. Forty-two percent of online Americans use instant messaging, and 24 percent of instant messengers say they use IM more frequently than e-mail. (Pew Internet & American Life Project, Sept. 1, 2004)
More information can be found at http://securityresponse.symantec.com/avcenter/venc/data/w32.kelvir.d.html.