[virusinfo] W32/Elitper-E

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Wed, 30 Mar 2005 09:47:55 -0800

From Sophos Alert System:

Name: W32/Elitper-E
Aliases: WORM_ELITPER.E
Type: Win32 worm
Date: 30 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2005 (3.93) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received no reports from
users affected by this worm. However, we have issued this
advisory following enquiries to our support department from
customers.


Information about W32/Elitper-E can be found at:
http://www.sophos.com/virusinfo/analyses/w32elitpere.html

W32/Elitper-E is a worm for the Windows platform. 
When run, W32/Elitper-E copies itself to the following locations: 
\Documents and Settings\All Users\Start Menu\Programs\Startup\XPStartUp.exe
\Documents and Settings\\Start Menu\Programs\Startup\XPStartUp.exe
<Program Files>\Internet Explorer\IExplore .exe
<Program Files>\Internet Explorer\Norton Internet Security.exe
<Program Files>\SP2 UPDATE.exe
<Program Files>\Windows Media Player\ LSASS .exe
<Windows folder>\TASKMGR .exe 
The worm also copies itself into shared folders for common Peer to Peer 
applications using the filename "All Nokia Phones Hacking + HotKeys To Acess To 
Networks.exe" 
In order to run each time a user logs on, the worm creates the following
registry entries (value name = data under each key):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Firewall = "<Program Files>\SP2 UPDATE.exe"
    Protection = "<Program Files>\Internet Explorer\Norton Internet Security.exe"
    SysRes = "<Program Files>\Internet Explorer\IExplore .exe"
W32/Elitper-E disables various system utilities such as the Windows task 
manager (taskmgr.exe) and registry editing tools. The worm also attempts to 
delete several files which may cause the computer to become unstable and shut 
itself down. 
The worm harvests email addresses from Microsoft Outlook contacts and sends 
itself as an attachment to each address found. Email sent by W32/Elitper-E has 
the following properties: 
Subject line:
Microsoft SP2 Update 
Message text:
Microsoft SP2 Update Urgent Download It 
Attached file:
a copy of the worm with an EXE file extension. 
W32/Elitper-E overwrites the HOSTS file (typically located in <Windows system 
folder>\drivers\etc) in an effort to prevent infected computers from accessing 
several websites. The following text is written to the HOSTS file: 
127.0.0.1 www.google.com
127.0.0.1 Symantec.TrendMicro.Sophos
127.0.0.1 www.download.com
127.0.0.1 www.hdpvidz.com
127.0.0.1 www.urbanchaosvideos.com
127.0.0.1 www.alltheweb.com
127.0.0.1 www.yahoo.com
127.0.0.1 www.hotmail.com
127.0.0.1 www.wwe.com
127.0.0.1 www.altavista.com
127.0.0.1 www.themetsource.com
127.0.0.1 www.mysongbook.com
127.0.0.1 www.guitar-pro.com
127.0.0.1 www.about.com
127.0.0.1 www.symantec.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.rohitab.com
127.0.0.1 www.microsoft.com
127.0.0.1 messenger.hotmail.com
127.0.0.1 http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail
127.0.0.1 www.msn.com
127.0.0.1 http://services.msn.com/svcs/hotmail/httpmail.asp
127.0.0.1 www.kazaa.com
127.0.0.1 http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata
127.0.0.1 www.vbcode.com
127.0.0.1 www.roxio.com
127.0.0.1 www.nero.com
127.0.0.1 www.net2phone.com
127.0.0.1 www.geocities.com
127.0.0.1 www.emp3finder.com
127.0.0.1 www.regedit.com 
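As an added example (not part of the Sophos advisory or the original post), a small HOSTS-file checker that flags the kind of loopback redirects described above, including the malformed URL entries the worm writes that are not valid hostnames. SAMPLE_HOSTS is a constructed fragment and SECURITY_DOMAINS is an assumed watch list drawn from the advisory.

```python
# Constructed sample of a HOSTS file after a hijack of the sort described above
# (not a real capture; mixes a legitimate localhost line with worm-style entries).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.google.com
127.0.0.1 Symantec.TrendMicro.Sophos
127.0.0.1 www.symantec.com
127.0.0.1 http://services.msn.com/svcs/hotmail/httpmail.asp
127.0.0.1 www.microsoft.com
"""

# Assumed watch list: vendor/update sites a defender never expects to see
# pointed at loopback (subset of the domains listed in the advisory).
SECURITY_DOMAINS = {"www.symantec.com", "www.mcafee.com", "www.trendmicro.com",
                    "www.microsoft.com", "www.sophos.com"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments, blank lines and extra names per line handled."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name


def find_hijacks(text):
    """Return (hostname, reason) for every loopback entry that is not 'localhost'."""
    hits = []
    for addr, name in parse_hosts(text):
        if addr not in LOOPBACK or name.lower() == "localhost":
            continue
        if name.lower() in SECURITY_DOMAINS:
            hits.append((name, "security vendor/update site blocked"))
        elif "://" in name or "/" in name:
            # A URL in the hostname column never resolves; it still marks tampering.
            hits.append((name, "malformed entry (URL, not a hostname)"))
        else:
            hits.append((name, "loopback redirect"))
    return hits
```

On a live system, point it at %SystemRoot%\system32\drivers\etc\hosts; any hit on a vendor domain is a strong sign the file has been overwritten rather than edited by an administrator.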
The changes made to the system registry by W32/Elitper-E are (value name = data under each key): 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoRun = "1"
    NoCloseKey = "1"
    NoFind = dword:00000001
    DisallowRun = "1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
    1 = "notepad.exe"
    2 = "wordpad.exe"
    3 = "regedit.exe"
    4 = "msnmsgr.exe"
    5 = "msmsgs.exe"
    6 = "gp4.exe"
    7 = "help.exe"
    8 = "wmplayer.exe"
    10 = "excel.exe"
    11 = "winword.exe"
    12 = "winhelp.exe"
    13 = "wmplayer.exe"
    14 = "winrar.exe"
    15 = "winzip.exe"
    16 = "CLEAN_NOTEPAD.EXE"
    17 = "ACDSee6.exe"
    18 = "acrord32.exe"
    19 = "ntbackup.exe"
    20 = "moviemk.exe"
    21 = "defrag.exe"
    23 = "netstat.exe"
    25 = "lupdate"
    26 = "shutdown.exe"
    27 = "sndvol32.exe"
    28 = "sndrec32.exe"
    30 = "write.exe"
    32 = "dxdiag.exe"
    33 = "ntbackup.exe"
    38 = "dialer.exe"
    39 = "findstr.exe"
    40 = "dllhost.exe"
    44 = "print.exe"
    45 = "trendmicro.com"
    46 = "UPX-iT.exe"
    47 = "NAVW32.exe"
    48 = "NAVWNT.exe"
    49 = "NAVSTUB.exe"
    50 = "navui.nsi"
    51 = "CCIMSCN.exe"
    52 = "MSDEV.exe"
    54 = "chktrust.exe"
    55 = "apssm.exe"
    56 = "SNDSrvc.exe"
    57 = "NMain.exe"
    58 = "Ra2.exe"
    59 = "vfp6.exe"
    60 = "setup.exe"
    61 = "install.exe"
    62 = "savscan.exe"
    67 = "ad-aware.exe"
    68 = "remove.exe"
    69 = "uninstall.exe"
    70 = "NeroStartSmart.exe"
    71 = "uninst.exe"
    72 = "isuninst.exe"
    75 = "aawsepersonal.exe"
    76 = "avast.exe"
    78 = "keygen.exe"
    80 = "cmd.exe"
    81 = "project1.exe"
    82 = "1.exe"
    83 = "program.exe"
    84 = "application.exe"
    85 = "file.exe"
    86 = "browser.exe"
    87 = "UNWISE.exe"
    88 = "play.exe"
    89 = "directcd.exe"
    90 = "bind.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr = "1"
    DisableRegistryTools = dword:00000001

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
    NoFileOpen = dword:00000001
    NoPrinting = dword:00000001
    NoBrowserSaveAs = dword:00000001
    NoBrowserClose = dword:00000001

HKCU\Software\Shareaza\Shareaza\Uploads
    SharePreviews = "1"
    SharePartials = "1"
    ShareMetadata = "1"

HKLM\Software\Microsoft\Security Center
    AntiVirusDisableNotify = dword:00000001
    FirewallDisableNotify = dword:00000001
    FirewallOverride = dword:00000001
    AntiVirusOverride = dword:00000001
    UpdatesDisableNotify = dword:00000001

HKLM\Software\Policies\Microsoft\WindowsFirewall
    DomainProfile = dword:00000000

HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
    EnableFirewall = dword:00000000

HKLM\System\CurrentControlSet\Services
    wscsvc = dword:00000004

HKCU\Software\Kazaa\LocalContent
    DisableSharing = "0"

HKLM\Software\Microsoft\Windows NT\CurrentVersion
    RegisteredOwner = "surconfluge"

HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
    ComputerName = "surconfluge"

HKLM\System\CurrentControlSet\Services\Eventlog
    ComputerName = "surconfluge"
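As an added example (not part of the Sophos advisory or the original post), an offline triage routine that parses a registry export (the .reg format written by regedit) and reports the value types listed above: the worm's Run entries, DisallowRun program blocks, the Task Manager/registry tool policies, and the Security Center notification overrides. SAMPLE_REG is a constructed fragment and INDICATORS is an assumed selection from the advisory's list.

```python
import re

# Constructed .reg export fragment resembling an infected profile (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Firewall"="C:\\Program Files\\SP2 UPDATE.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"3"="regedit.exe"
"80"="cmd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"""

# Assumed indicator set drawn from the advisory: (key suffix, value-name test, meaning).
INDICATORS = [
    (r"\CurrentVersion\Run", lambda n: n in {"Firewall", "Protection", "SysRes"}, "worm Run entry"),
    (r"\Policies\Explorer\DisallowRun", lambda n: n.isdigit(), "program blocked via DisallowRun"),
    (r"\Policies\System", lambda n: n in {"DisableTaskMgr", "DisableRegistryTools"}, "admin tool disabled"),
    (r"\Microsoft\Security Center", lambda n: n.endswith(("DisableNotify", "Override")), "Security Center alert suppressed"),
]

def parse_reg(text):
    """Return {key: {value name: raw data}} from a .reg export; default values are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            # Value names may contain escaped quotes/backslashes; data is kept verbatim.
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys

def triage(text):
    """Return (key, value name, data, meaning) for every value matching an indicator."""
    hits = []
    for key, values in parse_reg(text).items():
        for suffix, pred, why in INDICATORS:
            if key.lower().endswith(suffix.lower()):
                hits.extend((key, n, d, why) for n, d in values.items() if pred(n))
    return hits
```

Feed it the output of `reg export` for HKCU and HKLM taken from the suspect machine; a clean profile should produce no hits at all, since none of these values exist by default.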
The worm also modifies the startup script for the Internet relay chat (IRC) 
application mIRC. The modification causes "SP2 UPDATE.exe" (a copy of the worm) 
to be sent to each user that joins the current channel. 

This IDE file also includes detection for:

W32/Rbot-ZE
http://www.sophos.com/virusinfo/analyses/w32rbotze.html
W32/Rbot-ZF
http://www.sophos.com/virusinfo/analyses/w32rbotzf.html
Troj/Zapchas-G
http://www.sophos.com/virusinfo/analyses/trojzapchasg.html
W32/Rbot-ZG
http://www.sophos.com/virusinfo/analyses/w32rbotzg.html
Troj/Dloader-KE
http://www.sophos.com/virusinfo/analyses/trojdloaderke.html
Troj/Rootkit-U
http://www.sophos.com/virusinfo/analyses/trojrootkitu.html
Troj/Psyme-BO
http://www.sophos.com/virusinfo/analyses/trojpsymebo.html
Troj/Domwis-AQ
http://www.sophos.com/virusinfo/analyses/trojdomwisaq.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/elitpere.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 


