Worm.Kelvir.m，是一个蠕虫病毒，通过MSN通讯工具进行传播。并且会从网上下载一个后门病毒（Win32.Hack.RBot.78848），从而病毒散播者达到控制感染机器的目的。

病毒别名：

处理时间：2005-04-15

威胁级别：★★

中文名称：

病毒类型：蠕虫

影响系统：Win9x / WinNT

病毒行为:

1、将自身复制系统目录：

%SystemRoot%\\hosts.exe

2、在注册表中

HKEY_CURRENT_USER\\Software\\Microsoft\\CurrentVersion\\Run

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CurrentVersion\\Run

添加如下键值：

"Windows Host" = "%SystemRoot%\\hosts.exe"

保证每次开机时，病毒自动运行。

3、尝试从以下网站，下载一个后门（Win32.Hack.RBot.78848）

http://65.75.134.170/~wxwarez/

保存到本地

c:\\Service.exe

并且运行该文件，通过该文件，病毒撒播者可以控制感染机器

4、搜索所有MSN的好友，并向他们发送以下信息之一：

What a loser, who does something like this

Getting fucked is never the same, see this!

This face, it looks like a alien

People say this is real, u might wanna check this out

Who does something like this..

Bleh :| What a filthy sh*t is this, dude check it out.

5、消息中会包含以下网页链接之一：

http://checkthis.ubb.cc/

http://c*******s.dd.vg/

http://c*******s.100mbitde.info/

http://c****k.100mbitde.info/

http://***.100mbitde.info/

点击该网页链接后会下载该蠕虫

6、病毒会尝试中止以下服务：

Ahnlab Task Scheduler

altiris client service

ANTIVIR

ATRACK

avast! antivirus

avast! iavs4 control service

AVCONSOL

AVG6 Service

AVG7 Alert Manager Server

AVG7 Update Service

AVP control center service

AVP.EXE

AVP32

AVSync Manager

AVSYNMGR

Background Intelligent Transfer Service

BlackICE

carbon copy access edition

CFINET

CFINET32

config loader

Detector de OfficeScanNT

directupdate engine

dllhost

dns

eTrust Antivirus Job Server

etrust antivirus job server

eTrust Antivirus Realtime Server

etrust antivirus realtime server

eTrust Antivirus RPC Server

etrust antivirus rpc server

Eventask

FireBall

FireBaum

fix-it task manager

F-PROT95

FP-WIN

fxsvc

gear security

IAMAPP

ICMON

intel file transfer

intel pds

Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)

internet pr0tocol

InternetFirewallProc

IOMON98

iroff

Kaspersky

Kaspersky Antivirus

Kaspersky Anti-Virus

kaspersky auto protect service

Kaspersky Client

kav

KAV Moniter Service

kerio personal firewall

Kingsoft AntiVirus Service

LOCKDOWN2000

LUALL

LUCOMSERVER

MastDLL

MCAFEE

McAfee Agent

mcafee framework service

McAfee.com McShield

McAfee.com VirusScan Online Realtime Engine

mcshield

MonSvcNT

msclol2

msclol8

msinit

MsInt

MsIntScan

NAV Alert

NAV Auto-Protect

NAVAPW32

NAVW32

NISSERV

NISUM

NMAIN

noipducservice

NORTON

Norton Internet Security Proxy Srvice

Norton Internet Security service

Norton Unerase Protection

ntiVirus Corporate Edition

NVC95

nvscv

officescannt listener

OfficeScanNT Monitor

officescannt realtime scan

outpost firewall service

P2P Networking

Panda Antivirus

pcanywhere host service

PC-cillin Personal Firewall

PCCIOMON

PCCMAIN

PCCWIN98

POP3TRAP

psexesvc

Quick Heal Online Protection

RemoteAgent

remotely possible/32

rising process communication center

Rising Process Communication Center

rising realtime monitor service

Rising Realtime Monitor Service

rundll

SAFEWEB

savroam

ScriptBlocking Service

scvhost

secur2

Security Center

services32 service: msinit

servu

Serv-U

serv-u-ftp

smss

snake sockproxy service

Sophos Anti-Virus

Sophos Anti-Virus Network

Sygate Personal Firewall

Sygate Personal Firewall Pro

SyGateService

symantec antivirus

symantec central quarantine

symantec quarantine agent

symantec quarantine scanner

syslock

System Event Notification

systemsecuritydll

task manager

Trend Micro Proxy Service

Trend NT Realtime Service

V3MonNT

V3MonSvc

ViRobot Expert Monitoring

ViRobot Lite Monitoring

ViRobot Professional Monitoring

vnc server

VNC server

VSHWIN32

VSSTAT

WEBSCANX

WEBTRAP

win32sl

Windows Firewall

Windows Internet Connection Sharing(ICS)

ZoneAlarm