WORM_KELIHOS.NB
Threat Scorecard
Ranking: | 8,846 |
Threat Level: | 20 % (Normal) |
Infected Computers: | 598 |
First Seen: | April 18, 2013 |
Last Seen: | September 9, 2023 |
OS(es) Affected: | Windows |
WORM_KELIHOS.NB has been used in connection with the Boston Marathon bombing that occurred recently. Less than a day after this terrible tragedy, criminals started to take advantage of the news coverage of the event to distribute thousands of spam email messages containing links to various attack websites hosting exploit kits such as the Black Hole Exploit Kit and the RedKit Exploit Kit. These malicious email messages carry subject lines relating to the Boston Marathon, meant to tempt inexperienced computer users into clicking on the links embedded in the message. Usually, these email messages will claim to lead the victim to a YouTube video pertaining to the Boston Marathon bombing.
The Social Engineering Attack Used to Distribute WORM_KELIHOS.NB
Once the victim clicks on the embedded link, which will usually end with 'boston.html', 'news.html', or similar related terms, the email message leads to a website containing a supposed YouTube video. In most cases, simply clicking on the malicious link will result in a malware infection if the victim's computer contains vulnerabilities that can be abused by the exploit kits typically associated with this scam. Clicking on the link results in the download of a malicious executable file named boston.avi_____.exe, which is disguised (albeit not very well) as a video file in AVI format.

Various Trojans and worms have been distributed using social engineering tactics relating to the Boston bombing. The IP addresses associated with these attacks are located in countries all around the world. However, the conclusion seems to be that these attacks originate in Eastern Europe, mainly in Ukraine and Latvia.

WORM_KELIHOS.NB is designed to hide all files and folders on removable drives attached to the infected computer. WORM_KELIHOS.NB then replaces these directories with a malicious LNK file that uses an icon that makes it appear as another folder. Clicking on this supposed folder executes a malicious executable file, which can then infect the victim's computer with additional malware. WORM_KELIHOS.NB is used to steal passwords, specifically for FTP clients such as FileZilla and LeapFTP. WORM_KELIHOS.NB is also designed to steal email addresses from the infected computer, which are then used to distribute further copies of WORM_KELIHOS.NB.
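The two on-disk traits described above, a media-style name padded out to an executable extension and a shortcut standing in for a folder on a removable drive, can be checked for when triaging a drive. The following is an added example, not EnigmaSoft's or SpyHunter's detection logic; the extension lists, function names and sample layout are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Media/document extension, optional padding, then an executable extension,
# as in the page's "boston.avi_____.exe". Extension lists are assumptions.
MEDIA = r"(?:avi|mp4|mpg|wmv|mov|flv|jpg|png|gif|pdf|doc|docx)"
EXEC = r"(?:exe|scr|com|pif|bat|cmd)"
DISGUISED = re.compile(rf"\.{MEDIA}[\s_.\-]*\.{EXEC}$", re.IGNORECASE)


def is_disguised_executable(name):
    return bool(DISGUISED.search(name))


def is_hidden(path):
    # Windows hidden attribute; st_file_attributes does not exist elsewhere.
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_drive_root(root):
    """Flag disguised executables and .lnk files named after a sibling folder."""
    findings = []
    entries = {e.name.lower(): e for e in os.scandir(root)}
    for name, entry in sorted(entries.items()):
        if not entry.is_file():
            continue
        if is_disguised_executable(entry.name):
            findings.append(("disguised-executable", entry.name))
        folder = entries.get(name[:-4]) if name.endswith(".lnk") else None
        if folder is not None and folder.is_dir():
            kind = "lnk-masks-hidden-folder" if is_hidden(folder.path) else "lnk-shadows-folder"
            findings.append((kind, entry.name))
    return findings


def demo():
    # Constructed sample layout standing in for a removable drive root.
    with tempfile.TemporaryDirectory() as root:
        for d in ("Photos", "Work"):
            os.mkdir(os.path.join(root, d))
        for f in ("Photos.lnk", "boston.avi_____.exe", "notes.txt", "trip.avi"):
            open(os.path.join(root, f), "wb").close()
        return scan_drive_root(root)


if __name__ == "__main__":
    for kind, name in demo():
        print(f"{kind}: {name}")
```

On Windows, a folder that carries the hidden attribute and has a same-named shortcut beside it is reported as `lnk-masks-hidden-folder`; on other platforms the attribute is unavailable and the pair is reported as `lnk-shadows-folder`.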
File System Details
# | File Name | Detections |
---|---|---|
1. | boston.avi_____.exe | |
Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
URLs
WORM_KELIHOS.NB may call the following URLs:
media-cloud.ru |