Type: Adware

WORM_KELIHOS.NB has been used in connection to the Boston Marathon bombing that occurred recently. Less than a day after this terrible tragedy, criminals started to take advantage of the presence of this event on the news in order to distribute thousands of spam email messages containing links to various attack websites containing exploit kits such as the Black Hole Exploit Kit and the RedKit Exploit Kit. These malicious email messages contain subject lines relating to the Boston Marathon meant to tempt inexperienced computer users so that they will click on embedded links contained in the malicious email message. Usually, these email messages will claim to lead the victim to a YouTube video pertaining to the Boston Marathon bombing.

The Social Engineering Attack Used to Distribute WORM_KELIHOS.NB

Once the victim clicks on the embedded link, which will usually end with 'boston.html', 'news.html', or similar related terms, the email message leads to a website containing a supposed YouTube video. In most cases, simply clicking on the malicious link will result in a malware infection if the victim's computer contains vulnerabilities that can be abused by the exploit kits typically associated with this scam. Clicking on the link results in the download of a malicious executable file named boston.avi_____.exe, will lead to a malicious executable which is disguised – albeit, not very well – as a video file in AVI format.

Various Trojans and worms have been distributed using social engineering tactics relating to the Boston bombing. The IP addresses associated with these attacks are located in countries all around the world. However, the conclusion seems to be that these attacks originate in Eastern Europe, mainly in Ukraine and Latvia. WORM_KELIHOS.NB is designed to hide all files and folders on removable drives attached to the infected computer. WORM_KELIHOS.NB then replaces these directories with a malicious LNK file that uses an icon that makes it appear as another folder. Clicking on this supposed folder executes a malicious executable file, which can then infect the victim's computer with additional malware. WORM_KELIHOS.NB is used to steal passwords, specifically for FTP clients such as FileZilla and LeapFTP. WORM_KELIHOS.NB is also designed to steal email addresses from the infected computer that are then used to distribute further copies of WORM_KELIHOS.NB.

Technical Information

File System Details

WORM_KELIHOS.NB creates the following file(s):
# File Name Detection Count
1 boston.avi_____.exe N/A

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.