From: Sophos Alert System

Name: W32/Elitper-E
Aliases: WORM_ELITPER.E
Type: Win32 worm
Date: 30 March 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2005 (3.93) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Information about W32/Elitper-E can be found at:
http://www.sophos.com/virusinfo/analyses/w32elitpere.html

W32/Elitper-E is a worm for the Windows platform.

When run, W32/Elitper-E copies itself to the following locations:

\Documents and Settings\All Users\Start Menu\Programs\Startup\XPStartUp.exe
\Documents and Settings\\Start Menu\Programs\Startup\XPStartUp.exe
<Program Files>\Internet Explorer\IExplore .exe
<Program Files>\Internet Explorer\Norton Internet Security.exe
<Program Files>\SP2 UPDATE.exe
<Program Files>\Windows Media Player\ LSASS .exe
<Windows folder>\TASKMGR .exe

Note that several of these filenames contain a space before the ".exe" extension so that they resemble legitimate system binaries.

The worm also copies itself into the shared folders of common peer-to-peer applications using the filename "All Nokia Phones Hacking + HotKeys To Acess To Networks.exe".

In order to run each time a user logs on, the worm creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Firewall     "<Program Files>\SP2 UPDATE.exe"
  Protection   "<Program Files>\Internet Explorer\Norton Internet Security.exe"
  SysRes       "<Program Files>\Internet Explorer\IExplore .exe"

W32/Elitper-E disables various system utilities, such as the Windows Task Manager (taskmgr.exe) and registry editing tools.
The worm also attempts to delete several files, which may cause the computer to become unstable and shut itself down.

The worm harvests email addresses from Microsoft Outlook contacts and sends itself as an attachment to each address found. Email sent by W32/Elitper-E has the following properties:

Subject line: Microsoft SP2 Update
Message text: Microsoft SP2 Update Urgent Download It
Attached file: a copy of the worm with an EXE file extension.

W32/Elitper-E overwrites the HOSTS file (typically located in <Windows system folder>\drivers\etc) in an effort to prevent infected computers from accessing several websites, including those of Microsoft and anti-virus vendors. The following text is written to the HOSTS file:

127.0.0.1 www.google.com
127.0.0.1 Symantec.TrendMicro.Sophos
127.0.0.1 www.download.com
127.0.0.1 www.hdpvidz.com
127.0.0.1 www.urbanchaosvideos.com
127.0.0.1 www.alltheweb.com
127.0.0.1 www.yahoo.com
127.0.0.1 www.hotmail.com
127.0.0.1 www.wwe.com
127.0.0.1 www.altavista.com
127.0.0.1 www.themetsource.com
127.0.0.1 www.mysongbook.com
127.0.0.1 www.guitar-pro.com
127.0.0.1 www.about.com
127.0.0.1 www.symantec.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.rohitab.com
127.0.0.1 www.microsoft.com
127.0.0.1 messenger.hotmail.com
127.0.0.1 http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail
127.0.0.1 www.msn.com
127.0.0.1 http://services.msn.com/svcs/hotmail/httpmail.asp
127.0.0.1 www.kazaa.com
127.0.0.1 http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata
127.0.0.1 www.vbcode.com
127.0.0.1 www.roxio.com
127.0.0.1 www.nero.com
127.0.0.1 www.net2phone.com
127.0.0.1 www.geocities.com
127.0.0.1 www.emp3finder.com
127.0.0.1 www.regedit.com

The changes made to the system registry by W32/Elitper-E are:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoRun        "1"
  NoCloseKey   "1"
  NoFind       dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  DisallowRun  "1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
  1    "notepad.exe"
  2    "wordpad.exe"
  3    "regedit.exe"
  4    "msnmsgr.exe"
  5    "msmsgs.exe"
  6    "gp4.exe"
  7    "help.exe"
  8    "wmplayer.exe"
  10   "excel.exe"
  11   "winword.exe"
  12   "winhelp.exe"
  13   "wmplayer.exe"
  14   "winrar.exe"
  15   "winzip.exe"
  16   "CLEAN_NOTEPAD.EXE"
  17   "ACDSee6.exe"
  18   "acrord32.exe"
  19   "ntbackup.exe"
  20   "moviemk.exe"
  21   "defrag.exe"
  23   "netstat.exe"
  25   "lupdate"
  26   "shutdown.exe"
  27   "sndvol32.exe"
  28   "sndrec32.exe"
  30   "write.exe"
  32   "dxdiag.exe"
  33   "ntbackup.exe"
  38   "dialer.exe"
  39   "findstr.exe"
  40   "dllhost.exe"
  44   "print.exe"
  45   "trendmicro.com"
  46   "UPX-iT.exe"
  47   "NAVW32.exe"
  48   "NAVWNT.exe"
  49   "NAVSTUB.exe"
  50   "navui.nsi"
  51   "CCIMSCN.exe"
  52   "MSDEV.exe"
  54   "chktrust.exe"
  55   "apssm.exe"
  56   "SNDSrvc.exe"
  57   "NMain.exe"
  58   "Ra2.exe"
  59   "vfp6.exe"
  60   "setup.exe"
  61   "install.exe"
  62   "savscan.exe"
  67   "ad-aware.exe"
  68   "remove.exe"
  69   "uninstall.exe"
  70   "NeroStartSmart.exe"
  71   "uninst.exe"
  72   "isuninst.exe"
  75   "aawsepersonal.exe"
  76   "avast.exe"
  78   "keygen.exe"
  80   "cmd.exe"
  81   "project1.exe"
  82   "1.exe"
  83   "program.exe"
  84   "application.exe"
  85   "file.exe"
  86   "browser.exe"
  87   "UNWISE.exe"
  88   "play.exe"
  89   "directcd.exe"
  90   "bind.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableTaskMgr        "1"
  DisableRegistryTools  dword:00000001

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
  NoFileOpen       dword:00000001
  NoPrinting       dword:00000001
  NoBrowserSaveAs  dword:00000001
  NoBrowserClose   dword:00000001

HKCU\Software\Shareaza\Shareaza\Uploads
  SharePreviews  "1"
  SharePartials  "1"
  ShareMetadata  "1"

HKLM\Software\Microsoft\Security Center
  AntiVirusDisableNotify  dword:00000001
  FirewallDisableNotify   dword:00000001
  FirewallOverride        dword:00000001
  AntiVirusOverride       dword:00000001
  UpdatesDisableNotify    dword:00000001

HKLM\Software\Policies\Microsoft\WindowsFirewall
  DomainProfile  dword:00000000

HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
  EnableFirewall  dword:00000000

HKLM\System\CurrentControlSet\Services
  wscsvc  dword:00000004
HKCU\Software\Kazaa\LocalContent
  DisableSharing  "0"

HKLM\Software\Microsoft\Windows NT\CurrentVersion
  RegisteredOwner  "surconfluge"

HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
  ComputerName  "surconfluge"

HKLM\System\CurrentControlSet\Services\Eventlog
  ComputerName  "surconfluge"

The worm also modifies the startup script for the Internet Relay Chat (IRC) application mIRC. The modification causes "SP2 UPDATE.exe" (a copy of the worm) to be sent to each user that joins the current channel.

This IDE file also includes detection for:

W32/Rbot-ZE       http://www.sophos.com/virusinfo/analyses/w32rbotze.html
W32/Rbot-ZF       http://www.sophos.com/virusinfo/analyses/w32rbotzf.html
Troj/Zapchas-G    http://www.sophos.com/virusinfo/analyses/trojzapchasg.html
W32/Rbot-ZG       http://www.sophos.com/virusinfo/analyses/w32rbotzg.html
Troj/Dloader-KE   http://www.sophos.com/virusinfo/analyses/trojdloaderke.html
Troj/Rootkit-U    http://www.sophos.com/virusinfo/analyses/trojrootkitu.html
Troj/Psyme-BO     http://www.sophos.com/virusinfo/analyses/trojpsymebo.html
Troj/Domwis-AQ    http://www.sophos.com/virusinfo/analyses/trojdomwisaq.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/elitpere.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

Zip file: http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor, MikesWhatsNews
See a sample on my web page: http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages: http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
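As an added example (not part of the Sophos advisory or of Mike's post), a read-only PowerShell triage script that checks a Windows host for the Run-key persistence, lockout policies, Security Center overrides and HOSTS sinkholes listed in the advisory. It assumes the "wscsvc dword:00000004" entry refers to the service's Start value (4 = Disabled) and reads only a selection of the HOSTS names from the advisory.

```powershell
# Constructed triage check for the W32/Elitper-E indicators in the advisory above.
# Read-only: it reports, it does not remediate. Run from an elevated session.
$findings = New-Object System.Collections.Generic.List[string]

# Run-key persistence: value name -> filename the advisory says it points at
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = @{ Firewall = 'SP2 UPDATE.exe'; Protection = 'Norton Internet Security.exe'; SysRes = 'IExplore .exe' }
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in $runValues.Keys) {
    $data = $run.$name
    if ($data -and $data -like "*$($runValues[$name])*") { $findings.Add("Run value '$name' = '$data'") }
}

# Lockout policies and Security Center overrides the worm sets to 1 (REG_SZ "1" or DWORD 1)
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'DisallowRun' },
    @{ Path = 'HKLM:\Software\Microsoft\Security Center';                          Name = 'AntiVirusDisableNotify' },
    @{ Path = 'HKLM:\Software\Microsoft\Security Center';                          Name = 'FirewallDisableNotify' },
    @{ Path = 'HKLM:\Software\Microsoft\Security Center';                          Name = 'AntiVirusOverride' }
)
foreach ($c in $policyChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($v -eq 1) { $findings.Add("$($c.Path)\$($c.Name) = 1") }
}

# DisallowRun blocklist: enumerate the entries so the remediation scope is visible
$disallow = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
if (Test-Path $disallow) {
    $props = Get-ItemProperty -Path $disallow
    $blocked = (Get-Item $disallow).Property | ForEach-Object { $props.$_ }
    $findings.Add("DisallowRun blocks $(@($blocked).Count) programs: $($blocked -join ', ')")
}

# Security Center service: assumption, dword 4 in the advisory is the Start value (Disabled)
$start = (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\wscsvc' -Name Start -ErrorAction SilentlyContinue).Start
if ($start -eq 4) { $findings.Add('wscsvc (Security Center) Start = 4 (Disabled)') }

# HOSTS sinkholes: vendor and Microsoft names from the advisory pointed at 127.0.0.1
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$watch = 'www.symantec.com', 'www.mcafee.com', 'www.trendmicro.com', 'www.microsoft.com', 'www.google.com'
Get-Content -Path $hostsPath -ErrorAction SilentlyContinue | ForEach-Object {
    $f = ($_ -replace '#.*$', '').Trim() -split '\s+'     # drop comments, split on whitespace
    if ($f.Count -ge 2 -and $f[0] -eq '127.0.0.1' -and $watch -contains $f[1]) {
        $findings.Add("HOSTS maps $($f[1]) to 127.0.0.1")
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { "FOUND: $_" } } else { 'No W32/Elitper-E indicators found.' }
```

The HKCU checks read the hive of the account running the script, so run it as the affected user (or load that user's NTUSER.DAT) rather than only as an administrator.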