Eliles.A is a Visual Basic Script worm. It also tries to affect mobile phones using a SIS file located on a web page. Because this page is no longer available, this routine does not work.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Upon execution, the script performs the following actions:
Changes the local Administrator and Administrative User accounts' password to "Leslie".
Runs WinRAR and WinZip and tries to create an archive copy of itself as C:\Windows\Fonts\C.Vitae.zip.
Tries to kill and terminate several security applications:
- and disables some administrative settings to make it harder to remove the malware.
The worm copies itself in the Windows %system% (C:\WINDOWS\system32\) folder as:
Eliles.A creates a folder named C:\MSOCache and copies itself there.
It also drops copies of itself to the following hard coded locations as:
It creates the following registry entry to execute itself during Windows restart:
It also drops the following links on the desktop (supporting English and Spanish Windows installations):
- which point to and run the malware when opened.
This worm propagates through network drives by creating a copy of itself as msn.vbe in each discovered network drive.
It also builds and sends email messages using Outlook that appear as follows:
To: <randomnumber1>@vodafone.es
cc: <randomnumber2>@movistar.es
Subject: Msj Operador: Proteja su movil
Body: Descarguese gratis el Antivirus para Nokias Series 60. (6630,6680,7610,7650,N70,N90), totalmente gratuito. http://f1.grp.y...Antivirus.SIS

where randomnumber1 is a 9-digit number starting with 617, 627, 634, 664, 666, 697 or 671, and randomnumber2 is another 9-digit number starting with 609, 619, 629, 630, 639, 646 or 649.
Note: At the moment of writing this description, the link in the email body is not available.
The worm also mass-mails itself as a zip archive attachment in a second email, using the following SMTP server and port:
It first assigns randomly selected numbers to different names from this list:
- and uses it to complete the "From" field of each email.
Email addresses are then gathered from files on the affected machine that have the following extensions:
Below are the details of the email that this worm sends:
From: firstname.lastname@example.org
To: email addresses found on the infected computer
Subject: Adjunto Curriculum Vitae para posible vacante.
Attachment: C:\Windows\Fonts\C.Vitae.zip
Body: Adjunto Currilum Vitae, por estar interesado en algún puesto vacante en su empresa, me encantaria que lo tuviera en cuenta, ya que estoy buscando trabajo por esa zona. Sin mús, reciba un cordial Saludo.
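As an added example (not F-Secure's code), the following Python check flags the traits of the two messages described above in raw mail, the way a gateway or mailbox sweep might. It assumes the random numbers form the local part of the @vodafone.es and @movistar.es addresses; the trait names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Values from the description; the number-as-local-part layout is an ASSUMPTION.
TO_RE = re.compile(r"^(?:617|627|634|664|666|697|671)\d{6}@vodafone\.es$", re.I)
CC_RE = re.compile(r"^(?:609|619|629|630|639|646|649)\d{6}@movistar\.es$", re.I)
SMS_SUBJECT = "Msj Operador: Proteja su movil"
CV_SUBJECT = "Adjunto Curriculum Vitae para posible vacante."
CV_ATTACHMENT = "c.vitae.zip"  # base name of C:\Windows\Fonts\C.Vitae.zip

def _addresses(msg, header):
    return [addr for _, addr in getaddresses(msg.get_all(header, []))]

def classify(raw_message):
    """Return the Eliles.A email traits found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    hits = []
    if subject == SMS_SUBJECT:
        hits.append("sms-lure-subject")
    if any(TO_RE.match(a) for a in _addresses(msg, "To")):
        hits.append("vodafone-gateway-recipient")
    if any(CC_RE.match(a) for a in _addresses(msg, "Cc")):
        hits.append("movistar-gateway-recipient")
    if subject == CV_SUBJECT:
        hits.append("cv-lure-subject")
    for part in msg.walk():  # walk() also yields the top-level message
        name = (part.get_filename() or "").replace("\\", "/")
        if name.rsplit("/", 1)[-1].lower() == CV_ATTACHMENT:
            hits.append("cv-zip-attachment")
    return hits

# Constructed sample messages (not captured traffic).
SAMPLE_SMS = (
    "From: user@example.org\nTo: 617123456@vodafone.es\n"
    "Cc: 609654321@movistar.es\nSubject: Msj Operador: Proteja su movil\n\nbody\n"
)
SAMPLE_CV = (
    "From: firstname.lastname@example.org\nTo: hr@example.com\n"
    "Subject: Adjunto Curriculum Vitae para posible vacante.\n"
    "Content-Type: application/zip\n"
    'Content-Disposition: attachment; filename="C.Vitae.zip"\n\nUEsDBA==\n'
)
SAMPLE_CLEAN = "From: a@example.org\nTo: 600123456@vodafone.es\nSubject: Hola\n\nbody\n"

if __name__ == "__main__":
    print([classify(s) for s in (SAMPLE_SMS, SAMPLE_CV, SAMPLE_CLEAN)])
```

A single trait such as a gateway-style recipient can occur in legitimate mail, so treat the combination of subject plus recipient pattern or attachment name as the stronger signal.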