From: Sophos Alert System

Name:    W32/Elitper-C
Aliases: WORM_ELITPER.C
Type:    Win32 worm
Date:    11 March 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2005 (3.93) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Information about W32/Elitper-C can be found at:
http://www.sophos.com/virusinfo/analyses/w32elitperc.html

W32/Elitper-C is a worm for the Windows platform that targets common Peer to Peer (P2P) filesharing applications.

Once executed, W32/Elitper-C copies itself to the Windows folder with the filename TASKMANAGER.exe, to the Internet Explorer folder with the filenames Firewall.exe and WWE DIVAS.exe, and to the Windows Media Player folder with the filename wmlaunch .exe. W32/Elitper-C also copies itself as XPStartUp to the /Documents and Settings/All Users/Start Menu/Programs/Startup folder.

In order to run automatically when Windows starts up, W32/Elitper-C sets the registry entries:

  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Firewall     wmlaunch .exe
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Protection   Firewall.exe
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysRes       TASKMANAGER.exe

W32/Elitper-C spreads by copying itself with the filename "WWE Torrie And Sable Screan Saver.exe" to the shared folders of the following P2P utilities:

  Edonkey2000
  BearShare
  Grokster
  Morpheus
  KaZaA Lite
  Kazaa
  KMD

W32/Elitper-C modifies an mIRC script.ini file so that the worm will be sent out on joining the service. W32/Elitper-C also attempts to copy itself to the root folder of the C, D and E drives on the available network shares.

W32/Elitper-C modifies the HOSTS file, mapping the following websites to the loopback address 127.0.0.1 in an attempt to prevent access to them:

  www.google.com
  www.download.com
  www.hdpvidz.com
  www.urbanchaosvideos.com
  www.alltheweb.com
  www.yahoo.com
  www.hotmail.com
  www.wwe.com
  www.altavista.com
  www.themetsource.com
  www.mysongbook.com
  www.guitar-pro.com
  www.about.com
  www.symantec.com
  www.mcafee.com
  www.trendmicro.com
  www.rohitab.com
  www.microsoft.com
  messenger.hotmail.com
  http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail
  www.msn.com
  http://services.msn.com/svcs/hotmail/httpmail.asp
  www.kazaa.com
  http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata
  www.vbcode.com
  www.roxio.com
  www.nero.com
  smackdown.wwe.com
  raw.wwe.com
  www.net2phone.com
  www.geocities.com
  www.emp3finder.com
  www.regedit.com

W32/Elitper-C attempts to end a number of processes by issuing the following commands:

  TASKKILL /F /IM DAP.exe /IM VB6.exe /IM msgmsgr.exe /IM ccapp.exe /IM regedit.com /IM mdm.exe /IM iexplore.exe /IM smss.exe /IM dllhost.exe
  TASKKILL /F /IM SVCHOST.exe /T
  TASKKILL /F /IM LSASS.exe

In an attempt to disable a number of applications, W32/Elitper-C sets the registry entries:

  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun        "1"
  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCloseKey   "1"
  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind       1
  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun  1
  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\X   appname

where X is a number between 1 and 90 and appname is an application name from the following list:

  1.exe  aawsepersonal.exe  ACDSee6.exe  acrord32.exe  ad-aware.exe
  application.exe  apssm.exe  avast.exe  bind.exe  browser.exe
  CCIMSCN.exe  chktrust.exe  clean_notepad.exe  cmd.exe  defrag.exe
  dialer.exe  directcd.exe  dllhost.exe  dxdiag.exe  egedit.exe
  elp.exe  excel.exe  file.exe  findstr.exe  install.exe
  isuninst.exe  keygen.exe  mirc.exe  moviemk.exe  mplayer.exe
  MSDEV.exe  NAVSTUB.exe  navui.nsi  NAVW32.exe  NAVWNT.exe
  NeroStartSmart.exe  netstat.exe  NMain.exe  ntbackup.exe  ntbackup.exe
  ordpad.exe  otepad.exe  p4.exe  play.exe  print.exe
  program.exe  project1.exe  remove.exe  savscan.exe  setup.exe
  shutdown.exe  smsgs.exe  sndrec32.exe  SNDSrvc.exe  sndvol32.exe
  snmsgr.exe  svchost.exe  svghost.exe  uninst.exe  uninstall.exe
  UNWISE.exe  UPX-iT.exe  vfp6.exe  winhelp.exe  winrar.exe
  winword.exe  winzip.exe  wmplayer.exe  write.exe

W32/Elitper-C also sets the following registry entries:

  HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFileOpen       1
  HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoPrinting       1
  HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserSaveAs  1
  HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserClose   1
  HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify   1
  HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify    1
  HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride         1
  HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride        1
  HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify     1
  HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile                   0
  HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall  0
  HKLM\SYSTEM\CurrentControlSet\Services\wscsvc   4
  HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Disk
    hex(7):43,53,43,46,6c,61,67,73,3d,30,00,4d,61,78,55,73,65,73,3d,34,32,
    39,34,39,36,37,32,39,35,00,50,61,74,68,3d,45,3a,5c,00,50,65,72,6d,69,
    73,73,69,6f,6e,73,3d,36,33,00,54,79,70,65,3d,30,00

W32/Elitper-C modifies a number of registry entries, including the following:

  HKCU\Software\Kazaa\LocalContent\DisableSharing   "0"
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner   "surconfluge"
  HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName   "surconfluge"
  HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\ComputerName   "surconfluge"

As an infection mark, W32/Elitper-C creates Virus Detected.txt in the root folder, containing the following message:

  Worm is detected on your computer (W32.surconfluge.A@mm), update your Virus Definition to protect your computer from the lastest viruses and worms.

This IDE file also includes detection for:

  W32/Rbot-XL     http://www.sophos.com/virusinfo/analyses/w32rbotxl.html
  Troj/Banker-JU  http://www.sophos.com/virusinfo/analyses/trojbankerju.html
  W32/Rbot-XO     http://www.sophos.com/virusinfo/analyses/w32rbotxo.html
  Troj/Winad-H    http://www.sophos.com/virusinfo/analyses/trojwinadh.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/elitperc.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

  Zip file:             http://www.sophos.com/downloads/ide/ides.zip
  Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member