ENSRT Incident Note ETS-i-2005-12563
The Enterasys Networks Security Response Team (ENSRT) publishes incident notes to provide information for our constituents to raise awareness of issues deemed threatening to the security and integrity of our customers.
Worm - WORM_KELVIR.AH
Release Date: 04/29/2005
Last Updated:
Overview
WORM_KELVIR.AH spreads through the MSN Messenger application via an embedded url within the instant message. The embedded url is a link to a downloadable copy of the worm. If the worm is downloaded and launched, the Windows PC becomes infected with the Kelvir worm, which then drops a backdoor trojan onto the infected system.
Details below describe the characteristics of the WORM_KELVIR.AH worm, as well as provide detection, containment, and prevention techniques available through Enterasys Secure Networks solutions.
Systems affected
Windows operating systems
Systems not affected
Linux and MAC/OSX
Description
The WORM_KELVIR.AH worm arrives on the user's PC via an MSN Messenger instant message from a known contact. The instant message displayed is any one of the following:
- Damn this is cool
- HAHA CHECK THIS!!
- Nice site, i love it
- I love u, look what i made
- Great stuff, check this out
- Je moeder joh, haha. This is so cool.
- Never seen this before :
- Great preview for the newest movie
- This is sick shit, did u ever see this ?
- This is u i made it, hehe check it out
- Got this from a friend, it's him.
- Owwkkeee..., is goed. Check this out!! :D
Each of the above instant messages is accompanied by an embedded url pointing to a downloadable copy of the Kelvir worm. If the url is selected and the file is downloaded and executed, the PC will become infected.
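The lure texts above, combined with a url in the same message, are the observable that a network sensor on the IM path can key on. The following Python script is an added example (not Enterasys or Dragon code) that runs that logic over a constructed, hypothetical IM-proxy log format of one message per line (`timestamp sender -> recipient: body`); the log lines, addresses and urls are all constructed for the example. It normalises punctuation and case so that small variations of the lure text still match, and it separately reports senders that pushed the lure to several contacts, which is the behaviour of an already infected host rather than of a recipient.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Lure texts exactly as listed in the incident note.
LURE_MESSAGES = [
    "Damn this is cool",
    "HAHA CHECK THIS!!",
    "Nice site, i love it",
    "I love u, look what i made",
    "Great stuff, check this out",
    "Je moeder joh, haha. This is so cool.",
    "Never seen this before :",
    "Great preview for the newest movie",
    "This is sick shit, did u ever see this ?",
    "This is u i made it, hehe check it out",
    "Got this from a friend, it's him.",
    "Owwkkeee..., is goed. Check this out!! :D",
]

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
NON_ALNUM_RE = re.compile(r"[^a-z0-9 ]+")
# Hypothetical IM-proxy log line: "<iso timestamp> <sender> -> <recipient>: <body>"
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+T\S+) (?P<sender>\S+) -> (?P<recipient>\S+): (?P<body>.*)$"
)


def normalise(text: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so lure variants compare equal."""
    text = NON_ALNUM_RE.sub(" ", text.lower())
    return " ".join(text.split())


NORMALISED_LURES = {normalise(m) for m in LURE_MESSAGES}


@dataclass(frozen=True)
class Alert:
    line_no: int
    sender: str
    recipient: str
    url: str
    lure: str


def classify(body: str) -> Optional[Tuple[str, str]]:
    """Return (normalised lure, url) when the body is a known lure carrying a url, else None.

    A lure text without a url is not a propagation attempt, and a url with
    unrelated text is ordinary link sharing; both are ignored.
    """
    urls = URL_RE.findall(body)
    if not urls:
        return None
    remainder = normalise(URL_RE.sub(" ", body))
    if remainder in NORMALISED_LURES:
        return remainder, urls[0]
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run the lure check over log lines and return one Alert per matching message."""
    alerts: List[Alert] = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a message record; skip rather than fail
        hit = classify(m["body"])
        if hit:
            alerts.append(Alert(line_no, m["sender"], m["recipient"], hit[1], hit[0]))
    return alerts


def spreading_senders(alerts: Iterable[Alert], min_recipients: int = 3) -> List[str]:
    """Senders that delivered a lure to at least min_recipients distinct contacts.

    Fan-out like this is the worm mailing the victim's contact list, so these
    senders are the hosts to isolate first.
    """
    per_sender = {}
    for a in alerts:
        per_sender.setdefault(a.sender, set()).add(a.recipient)
    return sorted(s for s, r in per_sender.items() if len(r) >= min_recipients)


# Constructed sample log; addresses and urls are documentation/example values.
SAMPLE_LOG = [
    "2005-04-29T10:01:05 alice@example.invalid -> bob@example.invalid: lunch at 12?",
    "2005-04-29T10:02:11 carol@example.invalid -> bob@example.invalid: HAHA CHECK THIS!! http://198.51.100.7/pic.pif",
    "2005-04-29T10:02:12 carol@example.invalid -> dave@example.invalid: haha check this!! http://198.51.100.7/pic.pif",
    "2005-04-29T10:02:13 carol@example.invalid -> erin@example.invalid: Never seen this before : http://198.51.100.7/pic.pif",
    "2005-04-29T10:03:40 bob@example.invalid -> alice@example.invalid: check this out http://www.example.invalid/report.html",
    "2005-04-29T10:04:02 dave@example.invalid -> carol@example.invalid: HAHA CHECK THIS!!",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"line {a.line_no}: {a.sender} -> {a.recipient} lure={a.lure!r} url={a.url}")
    print("likely infected senders:", spreading_senders(found))
```

In the sample, the benign link on line 5 and the lure text without a url on line 6 are left alone; the three messages from the same sender to three different contacts are what mark that host as the infected one.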
Once executed, the Kelvir worm places a copy of itself into the Windows installation directory, adds registry entries to ensure startup at Windows boot time, and terminates services and processes which are often related to security software.
Next, the Kelvir worm attempts further proliferation by sending all MSN Messenger contacts from the infected machine the previously described instant message with embedded url.
Lastly, the Kelvir worm attempts to download a trojan named WORM_RBOT.BIX from the Internet. The WORM_RBOT.BIX trojan can open a backdoor by creating an IRC session to an Internet-based IRC server, joining a specific channel, and waiting for commands from a remote attacker.
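The backdoor behaviour just described (an end-user host registering on an external IRC server and joining a channel) is visible on the wire as the IRC client commands NICK, USER and JOIN, whatever TCP port the bot uses. The Python below is an added example, not Enterasys or Dragon code, that tracks those commands per flow and flags internal-to-external sessions that completed registration and joined a channel. The record format (`src dst:dport first-payload-line`), the RFC 1918 internal ranges, the nick and the channel name are all constructed or placeholder values; the note does not give the real server or channel.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# IRC client commands per RFC 1459 / RFC 2812; only the first line of a payload is inspected.
NICK_RE = re.compile(r"^NICK\s+(\S+)", re.IGNORECASE)
USER_RE = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)
JOIN_RE = re.compile(r"^JOIN\s+([#&+!][^\s,]+)", re.IGNORECASE)

# Hypothetical payload-log record: "<src ip> <dst ip>:<dst port> <payload line>"
RECORD_RE = re.compile(r"^(?P<src>\S+) (?P<dst>\S+):(?P<dport>\d+) (?P<payload>.*)$")

# Internal address space as configured for this sensor (RFC 1918; constructed for the example).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

FlowKey = Tuple[str, str, int]


@dataclass
class IrcSession:
    src: str
    dst: str
    dport: int
    nick: str = ""
    user: str = ""
    channels: List[str] = field(default_factory=list)

    @property
    def registered(self) -> bool:
        # An IRC client is registered once it has sent both NICK and USER.
        return bool(self.nick and self.user)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def track(records: Iterable[str]) -> Dict[FlowKey, IrcSession]:
    """Build per-flow IRC state from payload records; non-IRC records are ignored."""
    sessions: Dict[FlowKey, IrcSession] = {}
    for rec in records:
        m = RECORD_RE.match(rec.strip())
        if not m:
            continue
        key: FlowKey = (m["src"], m["dst"], int(m["dport"]))
        payload = m["payload"]
        for regex, attr in ((NICK_RE, "nick"), (USER_RE, "user")):
            hit = regex.match(payload)
            if hit:
                sessions.setdefault(key, IrcSession(*key))
                setattr(sessions[key], attr, hit.group(1))
        hit = JOIN_RE.match(payload)
        if hit and key in sessions:
            sessions[key].channels.append(hit.group(1))
    return sessions


def backdoor_candidates(records: Iterable[str], require_join: bool = True) -> List[IrcSession]:
    """Registered IRC sessions from internal hosts to external servers.

    With require_join=True only sessions that also joined a channel are
    returned, which is the full pattern in the note; False is looser and
    catches a bot that registered but was cut off before JOIN.
    """
    out = []
    for s in track(records).values():
        if not (is_internal(s.src) and not is_internal(s.dst)):
            continue
        if not s.registered:
            continue
        if require_join and not s.channels:
            continue
        out.append(s)
    return sorted(out, key=lambda s: (s.src, s.dst, s.dport))


# Constructed sample records; addresses are documentation ranges, nick and channel are placeholders.
SAMPLE_RECORDS = [
    "10.20.30.40 203.0.113.9:6667 NICK bot|4471",
    "10.20.30.40 203.0.113.9:6667 USER xx 0 * :xx",
    "10.20.30.40 203.0.113.9:6667 JOIN #placeholder-channel",
    "10.20.30.41 198.51.100.20:80 GET / HTTP/1.1",
    "10.20.30.42 203.0.113.10:1863 NICK aa",
    "10.20.30.43 203.0.113.11:8080 NICK bot|1",
    "10.20.30.43 203.0.113.11:8080 USER a 0 * :a",
    "192.0.2.5 203.0.113.9:6667 NICK admin",
]

if __name__ == "__main__":
    for s in backdoor_candidates(SAMPLE_RECORDS):
        print(f"{s.src} -> {s.dst}:{s.dport} nick={s.nick} channels={s.channels}")
```

Keying on the protocol rather than on port 6667 matters here because the non-standard port (8080 in the sample) is still recognised; the HTTP flow and the lone NICK without USER are not reported, and the session from a non-internal source is outside the scope of the end-user check.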
Threat Assessment
MSN Messenger worms, if not addressed through prudent remediation steps, may impact individual system performance and compromise security settings by allowing unauthorized remote access to the compromised host.
Trojans or backdoor listeners, if not addressed through prudent remediation steps, can compromise network and host security. Additionally, trojans and backdoor listeners potentially allow theft of information, unauthorized remote access, and damage to critical files.
Remediation
| Matrix N7 | X |
| Matrix E7 | X |
| Matrix E6 | X |
| Matrix E5 | X |
| Matrix E1 | X |
| VH | X |
| C-Series | X |
Detection
A specific set of Dragon signatures with the prefix "ENSRT:WORM-KELVIR-AH" have been created to detect the WORM_KELVIR.AH worm. These signatures can be retrieved via Dragon Live Update and are located in the Master Library within the ENSRT category. By copying the WORM_KELVIR.AH signatures into a custom library and deploying on a Dragon network sensor that protects traffic flows to the Internet, successful detection of infected end-user class machines can occur.
NOTE: All signatures in the ENSRT library are disabled by default. These signatures must be enabled after they are imported into a custom library if they are to be successfully deployed.
Prevention
Trusted End System solutions are capable of monitoring various end system activity. TES is able to take immediate action such as firewalling specific IPs, TCP/UDP ports, or applications, or placing the user into a Quarantine policy or VLAN until the end system threat is mitigated. Learn more at: http://www.enterasys.com/solutions/secure-networks/trusted_end_system/
Containment
The Enterasys Dynamic Intrusion Response (DIR) solution can be utilized to remove infected end-users from the enterprise network by detecting the infection with a Dragon NIDS signature (see "Detection" section of this report), locating the user's connection point using Automated Security Manager's location services module, and either placing the user in a quarantine VLAN or disabling the associated switch port for the user.
Repair
Monitor Dragon Realtime Console for alerts that end-user PCs have become infected with the virus. If utilizing the DIR solution, users can either be expunged from the network or placed in a quarantine VLAN. Once isolated, see your anti-virus vendor for Windows repair procedures for infected users.
References
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FKELVIR%2EAH&VSect=T
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.BIX
This document and the information contained herein are intended solely for informational use. Enterasys Networks, Inc. makes no representations or warranties of any kind, whether expressed or implied, with respect to this information and assumes no responsibility for its accuracy or completeness. Enterasys Networks, Inc. hereby disclaims all liability and warranty for any information contained herein and all the material and information herein exists to be used only on an "as is" basis. More specific information may be available on request. By your review and/or use of the information contained herein, you expressly release Enterasys from any and all liability related in any way to this information.
A copy of the text of this section is an uncontrolled copy, and may lack important information or contain factual errors. All information herein is Copyright ©Enterasys Networks, Inc. All rights reserved. All information above is subject to change without notice.
Revision History:
| Version | Date | Author | Change |
| 1.0 | 04/29/2005 | ENSRT STAFF | |