stevem2k

10+ variants of Kelvir trojan/worm reported today <grrr>

One we got
(14:11:44) <name>: lol you'll like this
(14:11:44) <name>: http://pictures.templates4fr1ends.com/gallery.php?email=<address>

(I have munged the link deliberately)


I have uploaded the sample to webimmune ~ Analysis ID: 1746512


Steve

Redkop

Any idea how to get rid of it as fulham71 keeps sending it to me?

Markus

Lynne,
If you've got Norton, get the latest update and it should fix it. Have a peek here

I'd certainly get Paul to give it a go as well, as it sounds as though he might have been infected.

ChrisB

Tell him to switch off his PC until he disinfects it.

Redkop

I don't have Norton Mark. I have had to block him on MSN to stop it being sent through and I have posted in NSR to him too.

Markus

Lynne,
Bugger, I've had a look and can't find a stand-alone cleaner app for it.

Redkop

WTF do I do then? I didn't do 'save' on it but did do 'open'

Markus

I'm wondering if something like Spybot Search and Destroy or AdWare might kill it, it's worth a shot.

From the look of the defintion on Symantec's site it was only added yesterday, which would explain why there aren't any standalone chappies out there yet.

Redkop

I have run AVG and Spybot and it showed up nothing.

stevem2k

No , it's not picked up by spybot / adware or the M$ spyware software.

I have an extra.dat for ut back from webimmune if you are running McAFee a/v software.


Steve


Lynne, can you ring Paul ? - I don't have his number and he's on my msn contacts list too....

Redkop

Steve I don't have his number, I'm sorry. He was just a contact on my MSN list and haven't spoken to him in ages. I don't have McAfee either...

stevem2k

Ok , I'll txt tango see if he has it....

Redkop

Actually I do know someone who has it....

BRB

Redkop

Nope can't get it. Is there a demo MacAFee or anything I can download?

stevem2k

http://uk.mcafee.com/root/runapplication.asp?appid=73

Redkop

Am I missing summat Steve, there's no icon to do a scan?

stevem2k

I have phoned Paul.

It's missed even on the online scanner Lynne - I have just tried it...

Redkop

Búgger, what now then? Is there anyway to check PC to see if I have got it by using Search?

Markus

Steven,
Do you know what variants of Kelvir MacAfee currently detects?

stevem2k

up to AX I think Markus

This one isn't even 'named' to my knowledge.

stevem2k

OK ,

**caveat ** this may toast your system *** caveat ***


deleting windows\system32\run.exe



and the reg keys:

HKEY_CURRENT_USER\Software\Microsoft\OLE\windows run.exe
Windows\CurrentVersion\Run\windows run.exe
Windows\CurrentVersion\RunServices\windows run.exe

and a couple of other keys .. ( do a search on run.exe in regedit ) - the only 'good' ones were AUTORUN.EXE and CTRUN.EXE on mine.

exit and reboot.

The process hasn't restarted and the registry is still clean at the moment.


steve

Redkop

Can you explain that in simple terms please...

stevem2k

erm .. that was ...


Paul didn't have run.exe so your system might be slightly different too...


Steve

Redkop

I ran the MacAfee scan (it took ages) but it scanned over 50k files and found nothing.

stevem2k

if you bring up task manager and click on the processes tab is there a run.exe running ?

Steve

Redkop

Yes