March 7, 2005 - Trend Micro issued a "medium risk" alert to raise awareness of two new worms that spread through MSN Messenger, a popular instant messaging platform. WORM_KELVIR.B and WORM_FATSO.A have been sighted in Asia Pacific countries, the U.S. and Europe. Although presumed unconnected, both worms send users an instant message with links to web sites from which users unknowingly download the main worm itself. In the case of WORM_KELVIR.B, once executed the worm may then download a BOT program, which could in turn open backdoors into the network.
Both WORM_KELVIR.B and WORM_FATSO.A are memory-resident worms that send copies of themselves to all online MSN Messenger contacts on the infected system. The outgoing instant message contains a link to one or more web sites; when the recipient clicks on the link, a copy of the worm is downloaded to the recipient's system. WORM_FATSO.A also propagates via eMule, a peer-to-peer file sharing application.
The similarities between these worms may be attributed to MSN propagation code that has been posted to forums used by virus writers.
WORM_FATSO.A drops several files onto affected systems - filenames range from celebrities ("Fat Elvis! Lol.pif", "Jennifer Lopez.scr") to the bawdy ("How a Blonde Eats a Banana.pif", "Topless in Miniskirt!lol.pif").
One of the files is a text file containing a personal message to "Larissa", the creator of WORM_ASSIRAL.A (discovered mid-February), which was designed to terminate variants of the BROPIA worm, an MSN Messenger-based worm that began appearing earlier in the year. WORM_ASSIRAL.A arrived as an email attachment and caused the following text to appear on an infected machine: "Larissa - Anti-Bropia - Freeing the world of Bropia".
The FATSO worm's message to Larissa is as follows:
Hey LARISSA f**k off, you f**king n00b!.. Bla bla to your f**king Saving the world from Bropia, the world n33ds saving from you!
'-S-K-Y-'-D-E-V-I-L-'
"It sounds comical, but these are like gang members that are tagging neighbourhoods - using malware creations as a vehicle to communicate insults at one another," commented Jamz Yaneza, senior virus researcher at TrendLabs. "The real losers in this game are the end users who are unaware their systems are being infected, or that back doors are being opened to their networks."
WORM_KELVIR.B arrives in a file about 46 KB in size. WORM_FATSO.A arrives in a file about 17 KB in size, and can be compressed in MEW format. Both worms affect Windows 95, 98, ME, NT, 2000 and XP platforms.
Trend Micro customers are protected through the latest pattern file, number 2.476.00. Customers of Outbreak Prevention Services should download OPP 154 (or later) to help protect against the spread of this threat. For customers of Damage Cleanup Services, Damage Cleanup template # 551 should be downloaded to help with automated restoration of affected systems.
Additionally, customers using Network VirusWall are protected through version 10189, available through Active Update Servers.
Other users should use Trend Micro's free online virus scanner, Housecall, which can be found at http://housecall.trendmicro.com/
For more information on WORM_KELVIR.B, please visit http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KELVIR.B
For more information on WORM_FATSO.A, please visit http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FATSO.A
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit: www.trendmicro.com.
# # #
Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners. Information is accurate at the time it was written and is subject to change without notice.
For more information please contact:
Trend Micro
Mireille Boetje
Tel: +31 (0)30 210 6333
E-mail: Mireille_Boetje@trendmicro.co.uk
Lammers van Toorenburg Benelux PR
Annegees van Linge
Tel: +31 (0)30 6565 070
E-mail: annegees@lvtpr.nl