Method of infection
The URL sent by Kelvir.A points to a malicious website containing 'me.jpg' (copied to the system as DUMPREP.EXE and 'file.exe'.
The URL sent by Kelvir.B points to a malicious website containing 'patch.exe' and 'file.exe'.
When the URL is clicked, an attempt is made to download the two files to the user's system, thus spreading the infection. The Kelvir worms include variants of the SDbot Trojan. These SDBot Trojans set up a backdoor through use of an Internet Relay Chat (IRC) bot that listens for remote commands from the attacker. Once communciation between the bot and the attacker has been established, the attacker is able to gain remote control of the affected system.
Removal
When any infection involves a backdoor or remote-access Trojan, manual removal is not recommended. The Kelvir worms include variants of the SDbot backdoor Trojans. Use up-to-date antivirus software to scan the entire system, removing any infections found. Always keep your antivirus software engine and definition files up-to-date. An older version with new definitions is much less effective than the newest version with the newest definitions. Scan your complete system at least weekly. Most antivirus software includes comprehensive scheduling options that allow you, for example, to schedule full system scans to run during periods when the computer is not in use. Obviously, the system must be turned on for the scheduled scan to take place.
Prevention
Do not click links received via Instant Messenger (including links contained in 'away' messages) without first checking with the sender to determine whether the link was sent/included deliberately.
