W32/Elitper-D

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Elitper-D is a worm for the Windows platform.

When run, W32/Elitper-D copies itself to the following locations:

/Documents and Settings/All Users/Start Menu/Programs/Startup/XPStartUp.exe
<Program Files>/Internet Explorer/IExplore .exe
<Program Files>/Internet Explorer/WWE DIVAS.exe
<Program Files>/SP2 Bug Remove.exe
<Program Files>/Windows Media Player/wmlaunch .exe
<Windows folder>/TASKMGR .exe

In order to run each time a user logs on, the worm creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Firewall
<Program Files>\Windows Media Player\wmlaunch .exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Protection
<Program Files>\Internet Explorer\IExplore .exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SysRes
<Program Files>\Internet Explorer\WWE DIVAS.exe

W32/Elitper-D disables various system utilities, such as the Windows Task Manager (taskmgr.exe) and registry editing tools. The worm also attempts to delete several files, which may cause the computer to become unstable and shut itself down.

The worm harvests email addresses from Microsoft Outlook contacts and sends itself as an attachment to each address found. Email sent by W32/Elitper-D has the following properties:

Subject line:
Fwd:Attention

Message text:
Download This Update For Removing SP2 Bug

Attached file:
SP2 Bug Remove.exe

The worm may also copy itself into the shared folders of common peer-to-peer (P2P) file-sharing applications, using the following filenames:

WWE Torrie And Sable Screan Saver.exe
Playboy Screen Saver.exe

W32/Elitper-D overwrites the HOSTS file (typically located in <Windows system folder>\drivers\etc) in an effort to prevent infected computers from accessing several websites. The following text is written to the HOSTS file:

127.0.0.1 http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata
127.0.0.1 http://services.msn.com/svcs/hotmail/httpmail.asp
127.0.0.1 http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail
127.0.0.1 messenger.hotmail.com
127.0.0.1 www.about.com
127.0.0.1 www.alltheweb.com
127.0.0.1 www.altavista.com
127.0.0.1 www.download.com
127.0.0.1 www.emp3finder.com
127.0.0.1 www.geocities.com
127.0.0.1 www.google.com
127.0.0.1 www.guitar-pro.com
127.0.0.1 www.hdpvidz.com
127.0.0.1 www.hotmail.com
127.0.0.1 www.kazaa.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.msn.com
127.0.0.1 www.mysongbook.com
127.0.0.1 www.nero.com
127.0.0.1 www.net2phone.com
127.0.0.1 www.regedit.com
127.0.0.1 www.rohitab.com
127.0.0.1 www.roxio.com
127.0.0.1 www.symantec.com
127.0.0.1 www.themetsource.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.urbanchaosvideos.com
127.0.0.1 www.vbcode.com
127.0.0.1 www.wwe.com
127.0.0.1 www.yahoo.com
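The HOSTS overwrite above is easy to audit from a copy of the file. The following Python is an added example, not part of the Sophos description: it parses HOSTS text, flags every non-localhost name that is mapped to a loopback address, and separately flags entries that are not hostnames at all. Several of the lines the worm writes (those beginning with http://) fall in that second group; they never affect name resolution, but a HOSTS file containing URLs was not edited by hand, so they remain a useful indicator. The sample HOSTS content is constructed, and the target list is a subset of the domains given above.

```python
"""Audit a Windows HOSTS file for the loopback sinkholing described above.

Added example; the sample HOSTS text is constructed, not taken from a real host.
"""
import ipaddress
import re

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Names that legitimately map to loopback in a default HOSTS file.
ALLOWED_LOOPBACK = {"localhost"}

# A subset of the domains the description says W32/Elitper-D redirects.
ELITPER_TARGETS = {
    "www.microsoft.com", "www.mcafee.com", "www.symantec.com",
    "www.trendmicro.com", "www.google.com", "www.hotmail.com",
    "messenger.hotmail.com", "www.msn.com",
}

# A hostname token: letters, digits, hyphens and dots only. A URL with "http://"
# or a path does not match and can never be returned by the resolver.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")

REASON_MALFORMED = "malformed hostname"
REASON_KNOWN = "known Elitper-D target"
REASON_SINKHOLE = "loopback sinkhole"


def parse_hosts(text):
    """Return (lineno, address, hostname) tuples, skipping comments and blank lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            entries.append((lineno, address, name))
    return entries


def audit_hosts(text):
    """Return (lineno, hostname, reason) for every entry worth a responder's attention."""
    findings = []
    for lineno, address, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((lineno, name, "unparseable address"))
            continue
        if not HOSTNAME_RE.match(name):
            # The worm writes full URLs into HOSTS. They block nothing, but a
            # HOSTS file containing URLs was clearly written by a program.
            findings.append((lineno, name, REASON_MALFORMED))
        elif addr in LOOPBACK and name.lower() not in ALLOWED_LOOPBACK:
            reason = REASON_KNOWN if name.lower() in ELITPER_TARGETS else REASON_SINKHOLE
            findings.append((lineno, name, reason))
    return findings


# Constructed sample: a default localhost line plus lines in the style the worm writes.
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1 http://services.msn.com/svcs/hotmail/httpmail.asp
127.0.0.1 messenger.hotmail.com
127.0.0.1 www.symantec.com
127.0.0.1 www.example.org
"""

if __name__ == "__main__":
    for lineno, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} ({reason})")
```

Run against a real file by reading `<Windows system folder>\drivers\etc\hosts` into `audit_hosts`; any "loopback sinkhole" hit for a vendor update or mail domain is worth treating as a sign of tampering even when the name is not in the list above, since other variants use different lists.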

The changes made to the system registry by W32/Elitper-D are:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Systemrestore
DisableSR
dword:00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
dword:00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DisallowRun
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
1
notepad.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
2
wordpad.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
3
regedit.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
4
msnmsgr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
5
msmsgs.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
6
gp4.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
7
help.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
8
wmplayer.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
10
excel.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
11
winword.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
12
winhelp.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
13
wmplayer.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
14
winrar.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
15
winzip.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
16
CLEAN_NOTEPAD.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
17
ACDSee6.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
18
acrord32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
19
ntbackup.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
20
moviemk.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
21
defrag.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
23
netstat.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
25
lupdate

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
26
shutdown.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
27
sndvol32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
28
sndrec32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
30
write.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
32
dxdiag.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
33
ntbackup.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
38
dialer.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
39
findstr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
40
dllhost.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
44
print.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
45
trendmicro.com

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
46
UPX-iT.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
47
NAVW32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
48
NAVWNT.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
49
NAVSTUB.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
50
navui.nsi

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
51
CCIMSCN.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
52
MSDEV.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
54
chktrust.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
55
apssm.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
56
SNDSrvc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
57
NMain.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
58
Ra2.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
59
vfp6.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
60
setup.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
61
install.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
62
savscan.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
67
ad-aware.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
68
remove.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
69
uninstall.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
70
NeroStartSmart.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
71
uninst.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
72
isuninst.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
75
aawsepersonal.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
76
avast.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
78
keygen.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
80
cmd.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
81
project1.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
82
1.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
83
program.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
84
application.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
85
file.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
86
browser.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
87
UNWISE.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
88
play.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
89
directcd.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
90
bind.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
dword:00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
dword:00000001

HKCU\Software\Microsoft\security center
FirewallDisableNotify
dword:00000001

HKCU\Software\Microsoft\security center
UpdatesDisableNotify
dword:00000001

HKCU\Software\Microsoft\security center
AntiVirusDisableNotify
dword:00000001

HKCU\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
dword:00000001

HKCU\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
dword:00000001

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
dword:00000001

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
dword:00000001

HKLM\Software\Microsoft\security center
FirewallDisableNotify
dword:00000001

HKLM\Software\Microsoft\security center
UpdatesDisableNotify
dword:00000001

HKLM\Software\Microsoft\security center
AntiVirusDisableNotify
dword:00000001

HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
dword:00000001

HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
dword:00000001

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
dword:00000001

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
dword:00000001

HKLM\System\CurrentControlSet\Services\lanmanserver\Shares
Disk
<encoded data>

HKCU\Software\Kazaa\LocalContent
DisableSharing
0

HKCR\TypeLib\{00062FFF-0000-0000-C000-000000000046}\8.0
(default)
Microsoft Outlook 8.0 Object Library

HKLM\Software\Microsoft\Windows NT\CurrentVersion
RegisteredOwner
surconfluge

HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName
ComputerName
surconfluge

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog
ComputerName
surconfluge
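The Run entries listed near the top of this description and the policy, Security Center, Windows Update and DisallowRun values listed above can all be checked offline from a registry export. The following Python is an added example, not Sophos's code: it parses the subset of .reg syntax needed (key headers, dword and string values), expands the HKCU/HKLM abbreviations used in this description so the two spellings compare equal, and reports autorun entries that launch one of the worm's copies, lock-down values set to 1, and the contents of the DisallowRun block list. The .reg text is constructed, and the benign "Updater" entry in it is hypothetical.

```python
"""Audit a registry export for the persistence and lock-down values described above.

Added example; the .reg text below is constructed and the benign "Updater"
entry is hypothetical.
"""
import re

# Filenames the description lists for the worm's copies (lower-cased for matching).
ELITPER_FILENAMES = {
    "xpstartup.exe", "iexplore .exe", "wwe divas.exe",
    "sp2 bug remove.exe", "wmlaunch .exe", "taskmgr .exe",
}
# Several copies imitate system binaries with a space before the extension.
SPACED_EXE_RE = re.compile(r"\s\.exe$")

# Key -> {value name: value} pairs the description attributes to the worm.
POLICY_INDICATORS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        {"NoRun": 1, "DisallowRun": 1},
    r"HKCU\Software\Microsoft\Security Center":
        {"FirewallDisableNotify": 1, "UpdatesDisableNotify": 1, "AntiVirusDisableNotify": 1},
    r"HKLM\Software\Microsoft\Security Center":
        {"FirewallDisableNotify": 1, "UpdatesDisableNotify": 1, "AntiVirusDisableNotify": 1},
    r"HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU":
        {"NoAutoUpdate": 1},
}

HIVES = {"hkcu": "hkey_current_user", "hklm": "hkey_local_machine", "hkcr": "hkey_classes_root"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]*)"|@)=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def normalize_key(key):
    """Lower-case a key path and expand HKCU/HKLM/HKCR so both spellings compare equal."""
    hive, sep, rest = key.lower().partition("\\")
    return HIVES.get(hive, hive) + sep + rest


def parse_reg_export(text):
    """Parse the subset of .reg syntax used here: [key], "name"=dword:..., "name"="string"."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            name = m.group(1) if m.group(1) is not None else "(default)"
            if m.group(2) is not None:
                keys[current][name] = int(m.group(2), 16)
            else:
                keys[current][name] = m.group(3).replace("\\\\", "\\")  # .reg doubles backslashes
    return keys


def audit_registry(keys):
    """Return (key, value name, reason) for each indicator present in the parsed export."""
    findings = []
    indicators = {normalize_key(k): v for k, v in POLICY_INDICATORS.items()}
    for key, values in keys.items():
        nkey = normalize_key(key)
        lower_values = {n.lower(): v for n, v in values.items()}
        # 1. Autorun entries that launch one of the worm's copies.
        if nkey.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if isinstance(data, str):
                    base = data.strip('"').rsplit("\\", 1)[-1].lower()
                    if base in ELITPER_FILENAMES or SPACED_EXE_RE.search(base):
                        findings.append((key, name, f"autorun of suspicious file {base!r}"))
        # 2. Lock-down and notification-suppression values.
        for name, want in indicators.get(nkey, {}).items():
            if lower_values.get(name.lower()) == want:
                findings.append((key, name, f"{name} set to {want}"))
        # 3. The DisallowRun block list the worm fills with security and admin tools.
        if nkey.endswith(r"\policies\explorer\disallowrun"):
            blocked = sorted(str(v).lower() for v in values.values())
            if blocked:
                findings.append((key, "*", "DisallowRun blocks: " + ", ".join(blocked)))
    return findings


# Constructed sample export: one worm autorun entry, one benign entry, and a few
# of the policy values from the description.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Firewall"="C:\\Program Files\\Windows Media Player\\wmlaunch .exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"3"="regedit.exe"
"80"="cmd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"""

if __name__ == "__main__":
    for key, name, reason in audit_registry(parse_reg_export(SAMPLE_REG)):
        print(f"{key} [{name}]: {reason}")
```

The DisallowRun rule reports whatever the list contains rather than matching the names above, because the block list itself is the anomaly on a workstation that has no such policy; a populated list naming regedit.exe, cmd.exe or antivirus executables is what a responder should act on.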

W32/Elitper-D shares drives C, D and E over the network.

The worm also modifies the startup script of the Internet Relay Chat (IRC) client mIRC. The modification causes "WWE DIVAS.exe" (a copy of the worm) to be sent to each user that joins the current channel.
