Eliles.A

Threat description

Details

Category: Malware
Type: Email-Worm
Platform: SymbOS, VBS

Summary

Eliles.A is a Visual Basic Script worm. It also tries to infect mobile phones by pointing victims at a SIS file hosted on a web page. Because that page is no longer available, this routine no longer works.



Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Upon execution, the script performs the following actions:

Changes the local Administrator and Administrative User accounts' password to "Leslie".

Runs WinRAR and WinZip in an attempt to create an archived copy of itself as C:\Windows\Fonts\C.Vitae.zip (the attachment used by the mass-mailing routine described below).

Tries to terminate the processes of several security applications:

  • apvxdwin.exe
  • AVENGINE.exe
  • bdnagent.exe
  • bdswitch.exe
  • mcagent.exe
  • mcdetect.exe
  • navapsvc.exe
  • navapw32.exe
  • navw32.exe
  • pavcl.com
  • PavFires.exe
  • savscan.exe

- and disables several administrative settings to make the malware harder to remove.

The worm copies itself into the Windows %system% folder (C:\WINDOWS\system32\) as:

  • IExplore.vbe
  • msn.vbe
  • msnmsgr.vbe

Eliles.A creates a folder named C:\MSOCache and copies itself there.

It also drops copies of itself at the following hard-coded locations:

  • C:\windows\System\msnmsgr.vbe
  • C:\Windows\System32\Setup\Messsenger.vbs

It creates the following registry entry so that it is executed again at every Windows start-up:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSN Messenger = "C:\Windows\System32\Setup\Messenger.vbs"

It also drops the following shortcuts on the desktop (English and Spanish Windows installations are supported):

  • Internet Explorer.lnk (icon set to mimic Internet Explorer)
  • MSN Messenger.lnk (icon set to mimic MSN Messenger)

- both of which point to the malware and run it when opened.

This worm propagates through network drives by copying itself as msn.vbe to each network drive it finds.
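The host-side artifacts listed above (dropped script copies, the Run value, the fake desktop shortcuts, msn.vbe on network drives and the reset Administrator password) can be checked in one pass. The following PowerShell sweep is an added example for responders and is not part of the F-Secure description or of the worm itself. The function name is invented; it uses %SystemRoot% where the page shows the literal C:\Windows, assumes the network-drive copy sits in the drive root, and reports the Administrator account's PasswordLastSet instead of trying the "Leslie" password.

```powershell
# Added example, not part of the F-Secure description: sweep a Windows host for the
# Eliles.A artifacts listed above. Run from an elevated PowerShell session.
# Assumptions: %SystemRoot% stands for the literal C:\Windows on the page, the
# network-drive copy sits in the drive root, and the function name is invented.
function Find-ElilesArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]
    $sysRoot  = $env:SystemRoot

    # 1. Dropped copies of the script. Both spellings of the Setup\Mess(s)enger.vbs
    #    path appear on the page, so both are checked. C:\MSOCache is a legitimate
    #    Office folder; only script files inside it are of interest.
    $paths = @(
        "$sysRoot\system32\IExplore.vbe",
        "$sysRoot\system32\msn.vbe",
        "$sysRoot\system32\msnmsgr.vbe",
        "$sysRoot\System\msnmsgr.vbe",
        "$sysRoot\System32\Setup\Messsenger.vbs",
        "$sysRoot\System32\Setup\Messenger.vbs",
        "$sysRoot\Fonts\C.Vitae.zip",
        'C:\MSOCache\*.vbe',
        'C:\MSOCache\*.vbs'
    )
    foreach ($p in $paths) {
        Get-Item -Path $p -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $findings.Add("file: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))")
        }
    }

    # 2. Persistence: the "MSN Messenger" value under the HKLM Run key.
    $runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'MSN Messenger'
    if ($runValue) { $findings.Add("run key: $runKey\MSN Messenger = $runValue") }

    # 3. Desktop shortcuts (current user and All Users) whose target is a .vbs/.vbe
    #    script. A genuine Internet Explorer or MSN Messenger shortcut never points
    #    at a script file.
    $shell    = New-Object -ComObject WScript.Shell
    $desktops = @([Environment]::GetFolderPath('Desktop'),
                  [Environment]::GetFolderPath('CommonDesktopDirectory'))
    foreach ($d in $desktops) {
        Get-ChildItem -Path $d -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            if ($target -match '\.vb[se]$') { $findings.Add("shortcut: $($_.FullName) -> $target") }
        }
    }

    # 4. Mapped network drives: the worm drops msn.vbe on each drive it finds
    #    (drive root assumed here).
    Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.DisplayRoot -like '\\*' } |
        ForEach-Object {
            $copy = Join-Path -Path $_.Root -ChildPath 'msn.vbe'
            if (Test-Path -LiteralPath $copy) { $findings.Add("network copy: $copy") }
        }

    # 5. Built-in Administrator (RID 500). The page says the worm resets its password
    #    to "Leslie"; rather than trying that password, report when it was last set
    #    and let the responder compare the timestamp with the infection window.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    if ($admin) {
        $findings.Add("Administrator ($($admin.Name)) password last set: $($admin.PasswordLastSet)")
    }

    return $findings
}

$result = @(Find-ElilesArtifacts)
if ($result.Count -eq 0) { 'No Eliles.A artifacts found.' } else { $result }
```

Findings are reported rather than deleted so that the evidence (timestamps, shortcut targets, the Run value) is preserved for the incident record before the security product's automatic removal is allowed to run. The Administrator password should be rotated regardless of what PasswordLastSet shows if the script copies are present.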

It also builds and sends e-mail messages using Outlook that appear as follows:

To: randomnumber1@vodafone.es
Cc: randomnumber2@movistar.es
Subject: Msj Operador: Proteja su movil
Body: Descarguese gratis el Antivirus para Nokias Series 60. (6630,6680,7610,7650,N70,N90), totalmente gratuito. http://f1.grp.y...Antivirus.SIS

(In English: Subject "Operator message: protect your mobile"; Body "Download the antivirus for Nokia Series 60 (6630, 6680, 7610, 7650, N70, N90) for free, completely free of charge.")

where randomnumber1 is a 9-digit number starting with 617, 627, 634, 664, 666, 697 or 671 and randomnumber2 is another 9-digit number starting with 609, 619, 629, 630, 639, 646 or 649.

Note: At the moment of writing this description, the link in the e-mail body is not available.

This Visual Basic Script worm further mass-mails itself as a zip archive attachment in a second e-mail, sent through the following SMTP server and port:

  • smtp.ono.com:25

It first combines names taken from the following list with randomly selected numbers:

  • acutel
  • alerjosemoreno
  • aleroic
  • anaballabriga
  • animaciencia
  • antonioboronat
  • asindown
  • ceutideportes
  • ChiLiTa
  • cnbenicarlo
  • davidconejero
  • dni
  • Fernando.Ramos
  • izmacian
  • jadela
  • jllrives
  • Jm_Torres
  • juher
  • konsulatRPmurcia
  • lone.star
  • marcial
  • marinadef
  • mlgarciaarranz
  • p_canter
  • pedrotoledo
  • peterhall
  • ramirezmerino
  • rapidisa
  • raulmed
  • ullances
  • vicenterevenga

- and uses the result as the local part of the "From" address (name@ono.com) of each e-mail.

E-mail addresses are harvested from files on the affected machine that have the following extensions:

  • asp, aspx, cfm, ctt, dbx, DOCHTML, eml, hta, htm, html, htt, htx, ini, map, MAPIMAIL, nfo, php, shtml, wab, xls

Below are the details of the e-mail that this worm sends:

From: name@ono.com
To: e-mail addresses found on the infected computer
Subject: Adjunto Curriculum Vitae para posible vacante.
Attachment: C:\Windows\Fonts\C.Vitae.zip
Body: Adjunto Currilum Vitae, por estar interesado en algún puesto vacante en su empresa, me encantaria que lo tuviera en cuenta, ya que estoy buscando trabajo por esa zona. Sin mús, reciba un cordial Saludo.

(In English, spelling as shown: Subject "Curriculum vitae attached for a possible vacancy."; Body "I attach my curriculum vitae, as I am interested in a vacant position at your company; I would be delighted if you would consider it, since I am looking for work in that area. Without further ado, kind regards.")
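The two mailings described above (the operator lure to Vodafone and Movistar mobile-number addresses, and the curriculum vitae lure from a listed name plus digits at ono.com) give a mail gateway enough to flag a message. The following PowerShell function is an added example for mail administrators, not code from the F-Secure description or from the worm. Header values, the sender-name list and the number prefixes are taken from the page; the sample message, the assumption that the random number is glued directly to the sender name, and the two-indicator threshold are constructed here.

```powershell
# Added example, not part of the F-Secure description: flag a raw message that matches
# either Eliles.A mailing. Header values, sender names and number prefixes come from the
# page; the sample message, the assumption that the random number is glued directly to
# the sender name, and the two-indicator threshold are constructed here.
$ElilesSenderNames = @(
    'acutel','alerjosemoreno','aleroic','anaballabriga','animaciencia','antonioboronat',
    'asindown','ceutideportes','ChiLiTa','cnbenicarlo','davidconejero','dni','Fernando.Ramos',
    'izmacian','jadela','jllrives','Jm_Torres','juher','konsulatRPmurcia','lone.star','marcial',
    'marinadef','mlgarciaarranz','p_canter','pedrotoledo','peterhall','ramirezmerino','rapidisa',
    'raulmed','ullances','vicenterevenga'
)

function Test-ElilesMail {
    param([Parameter(Mandatory)][string]$RawMessage)

    # Headers end at the first blank line; folded header lines are joined first.
    $parts   = $RawMessage -split "\r?\n\r?\n", 2
    $hdrText = $parts[0] -replace "\r?\n[ \t]+", ' '
    $body    = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    $headers = @{}
    foreach ($line in ($hdrText -split "\r?\n")) {
        if ($line -match '^([^:]+):\s*(.*)$') { $headers[$Matches[1].ToLower()] = $Matches[2].Trim() }
    }
    $from = [string]$headers['from']; $to      = [string]$headers['to']
    $cc   = [string]$headers['cc'];   $subject = [string]$headers['subject']

    $reasons = New-Object System.Collections.Generic.List[string]

    # Mailing 1: the operator lure sent to Spanish mobile-number addresses
    # (9 digits, the first three from the prefix sets given on the page).
    if ($to -match '^(?:617|627|634|664|666|697|671)\d{6}@vodafone\.es$') { $reasons.Add('To: Vodafone number') }
    if ($cc -match '^(?:609|619|629|630|639|646|649)\d{6}@movistar\.es$') { $reasons.Add('Cc: Movistar number') }
    if ($subject -eq 'Msj Operador: Proteja su movil')                     { $reasons.Add('Subject: operator lure') }
    if ($body -match 'Antivirus\.SIS')                                      { $reasons.Add('Body: Antivirus.SIS link') }

    # Mailing 2: the CV lure. The sender is one of the page's names plus a random
    # number (position of the digits assumed; both orders are accepted).
    if ($from -match '^([A-Za-z._]*)(\d+)([A-Za-z._]*)@ono\.com$') {
        $name = $Matches[1] + $Matches[3]
        if ($ElilesSenderNames -contains $name) { $reasons.Add("From: listed name '$name' + digits @ono.com") }
    }
    if ($subject -eq 'Adjunto Curriculum Vitae para posible vacante.')      { $reasons.Add('Subject: CV lure') }
    if ($RawMessage -match '(?i)filename="?C\.Vitae\.zip"?')                { $reasons.Add('Attachment: C.Vitae.zip') }

    [pscustomobject]@{
        Suspicious = ($reasons.Count -ge 2)   # one indicator alone is too weak; require two
        Reasons    = $reasons
    }
}

# Constructed sample modelled on the CV lure; the digits 4821 are arbitrary.
$sample = @"
From: peterhall4821@ono.com
To: hr@example.org
Subject: Adjunto Curriculum Vitae para posible vacante.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="iso-8859-1"

Adjunto Currilum Vitae, por estar interesado en algún puesto vacante en su empresa,
me encantaria que lo tuviera en cuenta, ya que estoy buscando trabajo por esa zona.
--b1
Content-Type: application/zip; name="C.Vitae.zip"
Content-Disposition: attachment; filename="C.Vitae.zip"

UEsDBBQAAAAIAA==
--b1--
"@

Test-ElilesMail -RawMessage $sample | Format-List
```

Requiring two indicators keeps a legitimate job application with a zip attachment, or an unrelated message from an ono.com subscriber, from being quarantined on a single coincidence; the subject lines and the C.Vitae.zip filename are the strongest individual signals because they are fixed strings in the worm.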
