Kelvir (some variant that I don't know)

Hello guys,

Today I fixed a computer infected with Kelvir (some variant).
As my client said, she clicked on a link from Messenger that said something like: “picture of you”.

VirusScan was installed and updated on that machine… And to my nightmare it didn't stop the infection and didn't find anything in memory, folders… nothing! So I started to remove it by hand.

There was a viral process running called “microsoftsa32.exe”.
The fun part is that this process wasn't related to any file… There was no file called microsoftsa32.exe! This freaked me out. Very weird… Anyway, I entered safe mode, and the process was not running… (good thing), so I removed the auto-start entry from the registry… And when I entered normal mode… Bump! It was running again, with the auto-start set up again! Geez, I almost died… But then I finished the process and removed an auto-start entry in services and everything got fine.

So then, I removed McAfee and installed Avast! Ran Avast and nothing was found… (It was in the default mode + inside archives.) How does a virus just disappear only by finishing its process? Was it too easy? No file in any place… ???

After this little story, my question is:

Could Avast prevent this infection? It seems that McAfee doesn't have the necessary tools to prevent it or remove it… Does the IM provider of Avast have a way to block something like that?

And can Avast remove viral infections that don't have a file? Only a process? Would the scan that happens when you open the Avast scan find this infection?

That was the weirdest infection that I ever saw… I hope that Avast could prevent things like it (and make me love it more and more)… Because McAfee (to my surprise) didn't.

Oh, by the way, would the boot-time scan that Avast provides for XP be of any help in this case (without the need to enter safe mode)?
Thanks for your time,

Elminster
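The removal steps described in the post above (a running process with no file behind it, an auto-start entry that comes back, a second auto-start hiding in services) can be checked with a script rather than by hand. The following is an added example, not code from the thread or from any of the products mentioned: it enumerates the usual Run/RunOnce keys and the installed services, flags entries whose executable cannot be found on disk, and lists running processes whose image file is missing. It assumes a Windows host with PowerShell 5.1 or later and administrator rights (the machine in the thread was XP, which this script does not target); the function names are my own.

```powershell
# Added example (not from the thread): hunt for auto-start entries and running
# processes whose backing executable is missing, the pattern described above.
# Assumes Windows with PowerShell 5.1+ and an elevated session; function names
# (Get-AutostartEntries, Find-SuspiciousAutostarts, Find-FilelessProcesses)
# are this example's own, not part of any product.

function Get-AutostartEntries {
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Services are the second auto-start location the post had to clean.
    # PathName holds the image path plus any arguments.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = [string]$svc.PathName }
    }
}

# Extract the executable from a command line, quoted ("C:\a b\x.exe" /arg)
# or unquoted (C:\a\x.exe /arg). Returns the whole string if neither form matches.
function Get-ExecutablePath([string]$command) {
    $cmd = $command.Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(\S+\.exe)') { return $Matches[1] }
    return $cmd
}

function Find-SuspiciousAutostarts {
    Get-AutostartEntries | ForEach-Object {
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $_.Command))
        if ($exe -eq '') { return }              # entry with no command; nothing to check
        if (-not (Test-Path -LiteralPath $exe)) {
            $_ | Add-Member -NotePropertyName Reason -NotePropertyValue 'image not found on disk' -PassThru
        }
    }
}

# Running processes whose image path is known but no longer exists on disk:
# a process that outlived (or hid) its file, as with microsoftsa32.exe above.
# Processes whose Path is empty could not be opened and deserve a manual look too.
function Find-FilelessProcesses {
    Get-Process | Where-Object {
        $_.Path -and -not (Test-Path -LiteralPath $_.Path)
    } | Select-Object Id, ProcessName, Path
}

Find-SuspiciousAutostarts | Format-Table -AutoSize
Find-FilelessProcesses   | Format-Table -AutoSize
```

Run it before and after terminating the suspect process and again after a reboot; an entry that reappears is being re-created by something still running. A missing image can also be a harmless leftover of an uninstalled program, so confirm an entry is malicious before deleting it, and bear in mind that a rootkit that hides its file from the file system will hide it from `Test-Path` as well, which is why the boot-time and safe-mode checks asked about in the post still matter.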

This morning I had a similar experience opening a .jpg file using the internal Microsoft image viewer. The difference is that I was not surfing. Avast launched a 1 millisecond yellow alarm and it was impossible to read anything. After millions of scans, also with online Panda and Trend Micro scans, and after analysis by Spybot, Microsoft beta, Ad-Aware… nothing!!! Maybe a false alarm when certain images are opened. Have you an idea? Conflicts?

Hello,

Thanks for the reply.

In the case of the girl, it seems to be an .exe that infected her… And it came from MSN… In your case, did you see a process called microsoftsa32.exe too?

Thanks for your time,

Elminster

I forgot to tell you this: the .jpg is on my HD but it came from an MSN chat. It doesn't have a strange or suspect extension (no camouflage like “xy.jpg.exe” or other).
No traces of “microsoftsa32.exe”.

Hi,

It's the worm that was spreading through MSN Messenger; it infects the user's PC, then auto-sends itself to everyone on the infected user's MSN contact list, but you have to press accept to have this file download to you (be careful what you accept on MSN Messenger). Make sure she has the latest MSN Messenger and also look here for your Kelvir variant: http://www.sarc.com/avcenter/venc/data/pf/w32.kelvir.x.html

You may want to post a HijackThis log of the system here so we can check it out.

–lee

Thanks for the replies,

I already finished my work there; the virus was already removed… Thanks for the help… :slight_smile: I don't know what version of MSN she was using… But I believe that it was one of the latest…

I saw this page from Symantec at her home to get an idea of what I was dealing with… The weird part is that the only file present there was microsoftsa32.exe, which was a process…
The files dave.exe and kevin2.exe, not even the folder… were present on her computer… I don't know if McAfee got some of this stuff before, because it doesn't have a log… And Spybot wasn't there either… Nothing was found by Avast or McAfee… And the process was gone after some restarts to make sure… Also the auto-start was gone too…

I just hope that Avast could prevent it from happening again… (Because McAfee didn't, to my surprise… :slight_smile: )

Thanks for your time,

Elminster