3/7: Kelvir-B an Instant Messaging Worm
 

March 7, 2005

Several vendors have issued alerts for W32/Kelvir-B, an instant messaging worm. It spreads by sending a message through Windows Messenger to all of an infected user's contacts. The message encourages the recipient to visit a web page to download an update and reads:

omg this is funny!

W32/Kelvir-B will attempt to download a file named PATCH.EXE from a remote website and save it as C:\patch.exe.

More information can be found at the Sophos page.

W32.Kelvir.B is a worm that spreads through Windows Messenger and MSN Messenger and attempts to download and execute a variant of W32.Spybot.Worm, according to Symantec.

Technical details can be found at this Symantec page.

According to McAfee, which also issued an alert, W32/Kelvir.worm.b spreads via MSN Messenger by sending the following message to Contact List recipients:

omg this is funny! http:// {blocked}.home.att.net/cute.pif
note: the actual address has been blocked here to prevent infection.

Following the hyperlink in the email messages may result in the worm file being downloaded and subsequently executed by the user. Once infected, the worm may also attempt to download a new W32/Sdbot.worm variant from the following site:

http://home.comcast.net/ {blocked}/patch.exe

note: the actual address has been blocked here to prevent infection.

More information can be found at this McAfee page.

Trend Micro has declared a medium risk alert to control the spread of Worm_Kelvr.B, a new Kelvir variant that is currently spreading in Korea and the United States.

This memory-resident worm spreads copies of itself via MSN Messenger, a popular instant messaging application. It attempts to send an instant message to all of an affected user's MSN Messenger contacts that are online. This message contains a URL that downloads a copy of the worm onto the system.

This file then downloads and executes malicious files from the following Web sites:

http://home.earthnk.net/~gallery10/me.jpg
http://www.yourte.com/file.exe

The downloaded file, ME.JPG, is detected by Trend Micro as Worm_Sdbot.Auk.

Technical details can be found at this Trend Micro page.
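
The two delivery traits the vendor write-ups describe (an instant message linking to a .pif file, and an executable served under a .jpg name) can both be checked at a gateway or in log review. The sketch below is an added example, not code from any of the vendors cited; the function names, the extension list and the example.invalid hosts are assumptions, and the sample data is constructed.

```python
import re
from urllib.parse import urlparse

# Extensions Windows runs directly; .pif is the one used in the lure above.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def _ext(path):
    """Lower-cased extension of the last path segment, or '' if none."""
    name = path.rsplit("/", 1)[-1].lower()
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""

def risky_links(message):
    """Return URLs in an instant message whose path ends in an executable extension."""
    hits = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,)!?\"'")  # drop trailing sentence punctuation
        if _ext(urlparse(url).path) in EXECUTABLE_EXTS:
            hits.append(url)
    return hits

def disguised_executable(url, first_bytes):
    """True when a download starts with the DOS/PE 'MZ' magic but its URL
    does not carry an executable extension (the ME.JPG case above)."""
    return first_bytes[:2] == b"MZ" and _ext(urlparse(url).path) not in EXECUTABLE_EXTS

# Constructed sample data; example.invalid hosts are placeholders.
SAMPLE_MESSAGES = [
    "omg this is funny! http://host.example.invalid/cute.pif",
    "lunch at noon? http://host.example.invalid/menu.html",
]
SAMPLE_DOWNLOADS = [
    ("http://host.example.invalid/me.jpg", b"MZ\x90\x00\x03\x00"),           # PE served as .jpg
    ("http://host.example.invalid/photo.jpg", b"\xff\xd8\xff\xe0\x00\x10"),  # real JPEG header
    ("http://host.example.invalid/patch.exe", b"MZ\x90\x00\x03\x00"),        # honest .exe
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(risky_links(msg) or "clean", "<-", msg)
    for url, head in SAMPLE_DOWNLOADS:
        print(disguised_executable(url, head), url)
```

The honest .exe download is not reported by `disguised_executable`; it is caught by the extension check instead, so the two functions are meant to be used together.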


 