
WORM_KELIHOS.NB

Posted: April 18, 2013

Threat Metric

Ranking: 9,982
Threat Level: 2/10
Infected PCs: 1,403
First Seen: April 18, 2013
Last Seen: October 11, 2023
OS(es) Affected: Windows

WORM_KELIHOS.NB is a variant of the Kelihos worm that is distributed through spam e-mail messages appearing to link to videos of the Boston bombing of April 15th, in a campaign very similar to recent RedKit Exploit Kit-based attacks that installed spyware. Visiting the site these links promote exposes your PC to a Blackhole Exploit Kit drive-by-download attack, which may install WORM_KELIHOS.NB without your consent. WORM_KELIHOS.NB includes the self-distributing functions that SpywareRemove.com malware experts have come to expect of most worms, and also appears to target FTP account passwords for theft. In the event of any possible WORM_KELIHOS.NB attack, anti-malware software should scan both your default hard drive and any removable devices to remove WORM_KELIHOS.NB in its entirety.

WORM_KELIHOS.NB: When Spam Leaves a Bad Taste Behind

WORM_KELIHOS.NB, as a member of the Kelihos or Hlux botnet family, is well-known for features that let it send spam e-mail at high volume by exploiting the resources of already-infected computers. Attacks by this recent variant of Kelihos have taken a turn for the morbid, however, with WORM_KELIHOS.NB's e-mails being themed after the Boston Marathon bombing. WORM_KELIHOS.NB spam uses several different subject lines to convince potential victims that the e-mail messages actually offer videos related to that tragedy, a strategy all but identical to the similar RedKit Exploit Kit-based attacks.

Unlike the RedKit attacks, SpywareRemove.com malware experts found that the sites promoted in WORM_KELIHOS.NB's spam e-mail links lead to a semi-functional video site that hosts a variant of the Blackhole Exploit Kit, one of the top malware delivery vehicles of 2012 (and, most likely, 2013). The Blackhole Exploit Kit analyzes the software on your PC to find a suitable vulnerability that can be used to download and install WORM_KELIHOS.NB automatically. Running outdated software drastically increases this risk.

Getting the Taste of a Worm Out of Your Mouth

WORM_KELIHOS.NB launches without your permission and will attack your PC without displaying any symptoms directly. SpywareRemove.com malware researchers caution that WORM_KELIHOS.NB may be used for other attacks but is particularly noteworthy for the following functions:

  • WORM_KELIHOS.NB, like many worms, tries to distribute itself through removable devices (such as your USB flash drive). By concealing the original files on these devices and replacing them with a link that launches WORM_KELIHOS.NB before allowing the files to be accessed, WORM_KELIHOS.NB enables its easy installation on any other PC that tries to access the compromised device.
  • WORM_KELIHOS.NB also steals account passwords, especially those associated with popular FTP management programs like FileZilla or LeapFTP.
  • Besides passwords, WORM_KELIHOS.NB also harvests any e-mail addresses on your hard drive – most likely to acquire new spam targets.
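The two on-disk artefacts this entry describes lend themselves to a simple triage check of a removable drive: a shortcut (.lnk) placed next to a hidden file or folder of the same name (the worm's way of hiding the originals behind a launcher), and an executable whose name imitates a media file through extension padding, as in the boston.avi_____.exe file listed under Technical Details. The following script is an added example written for this page; it is not SpywareRemove.com's tooling or part of the original entry. The list of media extensions, the set of executable extensions, and the sample directory listing are assumptions constructed for illustration.

```python
"""Triage a removable drive's top-level listing for two Kelihos-style artefacts.

1. "shortcut-decoy": a .lnk whose name matches a hidden sibling file or folder,
   i.e. the original item was hidden and replaced with a launcher shortcut.
2. "deceptive-executable": an executable named like a media or document file,
   with optional underscore/space padding before the real extension
   (e.g. boston.avi_____.exe).

Added example code, not part of the original entry.
"""
import re
import stat
from pathlib import Path
from typing import Iterable, List, NamedTuple, Tuple

# Same value as stat.FILE_ATTRIBUTE_HIDDEN; defined locally so the check is explicit.
HIDDEN_ATTR = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
SHORTCUT_EXT = ".lnk"

# Assumed lists of extensions a decoy typically imitates / resolves to.
DECOY_EXTENSIONS = ("avi", "mp4", "wmv", "mov", "jpg", "png", "doc", "pdf", "txt")
EXEC_EXTENSIONS = ("exe", "scr", "com", "pif", "bat")

# <anything>.<media ext><zero or more underscores/spaces>.<executable ext>
DECOY_RE = re.compile(
    r".+\.(%s)[_ ]*\.(%s)" % ("|".join(DECOY_EXTENSIONS), "|".join(EXEC_EXTENSIONS)),
    re.IGNORECASE,
)


class Finding(NamedTuple):
    kind: str
    name: str


def is_deceptive_executable(name: str) -> bool:
    """True for names such as 'boston.avi_____.exe' or 'holiday.jpg.exe'."""
    return DECOY_RE.fullmatch(name) is not None


def scan_entries(entries: Iterable[Tuple[str, bool]]) -> List[Finding]:
    """Pure check over (name, is_hidden) pairs from one directory listing."""
    entries = list(entries)
    # Keys a shortcut stem may match: the hidden item's full name or its stem.
    hidden_keys = set()
    for name, hidden in entries:
        if hidden:
            hidden_keys.add(name.lower())
            hidden_keys.add(Path(name).stem.lower())

    findings: List[Finding] = []
    for name, _hidden in entries:
        lower = name.lower()
        if lower.endswith(SHORTCUT_EXT):
            stem = lower[: -len(SHORTCUT_EXT)]
            if stem in hidden_keys:
                findings.append(Finding("shortcut-decoy", name))
        if is_deceptive_executable(name):
            findings.append(Finding("deceptive-executable", name))
    return findings


def scan_directory(root) -> List[Finding]:
    """Read one directory (e.g. the root of a mounted USB stick) and scan it.

    The hidden flag comes from st_file_attributes, which exists only on Windows;
    elsewhere it reads as 0, so only the file-name check applies there.
    """
    entries = []
    for p in Path(root).iterdir():
        attrs = getattr(p.lstat(), "st_file_attributes", 0)
        entries.append((p.name, bool(attrs & HIDDEN_ATTR)))
    return scan_entries(entries)


# Constructed listing of what an infected drive's root might look like.
SAMPLE_LISTING = [
    ("Vacation", True),              # original folder, now hidden
    ("Vacation.lnk", False),         # decoy shortcut bearing the folder's name
    ("report.docx", True),           # original file, now hidden
    ("report.lnk", False),           # decoy shortcut bearing the file's stem
    ("boston.avi_____.exe", False),  # the dropper name listed in this entry
    ("desktop.ini", True),           # hidden but legitimate: no matching shortcut
    ("notes.txt", False),            # ordinary visible file
]

if __name__ == "__main__":
    for finding in scan_entries(SAMPLE_LISTING):
        print("%-22s %s" % (finding.kind, finding.name))
```

On a real drive, call scan_directory() with the mount point; the name-based check also works on non-Windows hosts, while the hidden-attribute check needs the Windows st_file_attributes field. A legitimate hidden item without a same-named shortcut (desktop.ini in the sample) produces no finding, so the check keys on the pairing rather than on hidden attributes alone.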

Containing WORM_KELIHOS.NB by avoiding the needless sharing of potentially compromised removable devices should always be a top priority. Competent anti-malware programs should be able to delete WORM_KELIHOS.NB, both on the local drive and on removable devices, as long as they are not impeded by related PC threats.

Technical Details

File System Modifications


The following files were created in the system:

File name: boston.avi_____.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

Additional Information

The following URLs were detected:
media-cloud.ru