Sophos

W32/Elitper-E

Aliases
  • WORM_ELITPER.E

Summary

How it spreads
  • Email attachments
  • Network shares
  • Chat programs
  • Peer-to-peer
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 30 March 2005 08:23:12 (GMT)
Detected by All Sophos products

More Information

W32/Elitper-E is a worm for the Windows platform.

W32/Elitper-E disables various system utilities such as the Windows task manager (taskmgr.exe) and registry editing tools. The worm also attempts to delete several files which may cause the computer to become unstable and shut itself down.

The worm harvests email addresses from Microsoft Outlook contacts and sends itself as an attachment to each address found.

When run, W32/Elitper-E copies itself to the following locations:

\Documents and Settings\All Users\Start Menu\Programs\Startup\XPStartUp.exe
\Documents and Settings\\Start Menu\Programs\Startup\XPStartUp.exe
<Program Files>\Internet Explorer\IExplore .exe
<Program Files>\Internet Explorer\Norton Internet Security.exe
<Program Files>\SP2 UPDATE.exe
<Program Files>\Windows Media Player\ LSASS .exe
<Windows folder>\TASKMGR .exe

The worm also copies itself into the shared folders of common peer-to-peer applications using the filename "All Nokia Phones Hacking + HotKeys To Acess To Networks.exe".

In order to run each time a user logs on, the worm creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Firewall
"<Program Files>\SP2 UPDATE.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Protection
"<Program Files>\Internet Explorer\Norton Internet Security.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SysRes
"<Program Files>\Internet Explorer\IExplore .exe"


Email sent by W32/Elitper-E has the following properties:

Subject line:
Microsoft SP2 Update

Message text:
Microsoft SP2 Update Urgent Download It

Attached file:
a copy of the worm with an EXE file extension.

W32/Elitper-E overwrites the HOSTS file (typically located in <Windows system folder>\drivers\etc) in an effort to prevent infected computers from accessing several websites. The following text is written to the HOSTS file:

127.0.0.1 www.google.com
127.0.0.1 Symantec.TrendMicro.Sophos
127.0.0.1 www.download.com
127.0.0.1 www.hdpvidz.com
127.0.0.1 www.urbanchaosvideos.com
127.0.0.1 www.alltheweb.com
127.0.0.1 www.yahoo.com
127.0.0.1 www.hotmail.com
127.0.0.1 www.wwe.com
127.0.0.1 www.altavista.com
127.0.0.1 www.themetsource.com
127.0.0.1 www.mysongbook.com
127.0.0.1 www.guitar-pro.com
127.0.0.1 www.about.com
127.0.0.1 www.symantec.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.rohitab.com
127.0.0.1 www.microsoft.com
127.0.0.1 messenger.hotmail.com
127.0.0.1 http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail
127.0.0.1 www.msn.com
127.0.0.1 http://services.msn.com/svcs/hotmail/httpmail.asp
127.0.0.1 www.kazaa.com
127.0.0.1 http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata
127.0.0.1 www.vbcode.com
127.0.0.1 www.roxio.com
127.0.0.1 www.nero.com
127.0.0.1 www.net2phone.com
127.0.0.1 www.geocities.com
127.0.0.1 www.emp3finder.com
127.0.0.1 www.regedit.com
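The HOSTS overwrite above is easy to check for on a suspect machine: any non-localhost name mapped to a loopback or unspecified address is worth a look, and security-vendor domains pointed at 127.0.0.1 are a strong sign of tampering. The script below is an added example, not part of the Sophos description; the `SAMPLE_HOSTS` text is constructed (it reuses a few of the entries quoted above), the vendor watchlist is this example's own choice, and the function names are this example's own. It also flags the URL-style entries in the list above as malformed, since a HOSTS file can only match hostnames.

```python
import ipaddress

# Names that legitimately point at loopback in a stock HOSTS file.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Domains whose redirection to loopback is a classic sign of security-software
# blocking by malware (watchlist chosen for this example; extend as needed).
VENDOR_WATCHLIST = {
    "www.symantec.com", "www.mcafee.com", "www.trendmicro.com",
    "www.microsoft.com", "www.sophos.com",
}

# Constructed sample: a benign stock entry followed by lines of the kind the
# W32/Elitper-E description quotes, plus one of its URL-style entries.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.google.com
127.0.0.1 http://services.msn.com/svcs/hotmail/httpmail.asp
"""


def parse_hosts(text):
    """Yield (address, hostname, raw_line) for every non-comment HOSTS entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()  # one address, one or more hostnames
        for name in names:
            yield addr, name, raw


def find_hosts_hijacks(text, watchlist=VENDOR_WATCHLIST):
    """Return a list of findings for entries that sink traffic to loopback."""
    findings = []
    for addr, name, raw in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append({"kind": "malformed", "host": name, "entry": raw.strip()})
            continue
        # Only entries that black-hole a name (127.x, ::1, 0.0.0.0) are of interest.
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        lname = name.lower()
        if lname in LEGIT_LOOPBACK:
            continue
        if "://" in name or "/" in name:
            kind = "malformed"        # a URL is not a hostname; HOSTS cannot match it
        elif lname in watchlist:
            kind = "vendor_blocked"   # security vendor sinkholed: high-confidence signal
        else:
            kind = "sinkholed"        # some other site black-holed; review manually
        findings.append({"kind": kind, "host": name, "entry": raw.strip()})
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'vendor_blocked': 2, 'sinkholed': 1}."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f["kind"], f["entry"])
    print(summarize(find_hosts_hijacks(SAMPLE_HOSTS)))
```

On a real system, read `<Windows system folder>\drivers\etc\hosts` into `find_hosts_hijacks` instead of `SAMPLE_HOSTS`; a clean file produces no findings, so any output at all is worth investigating.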

The changes made to the system registry by W32/Elitper-E are:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
"1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoCloseKey
"1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
dword:00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DisallowRun
"1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
1
"notepad.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
2
"wordpad.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
3
"regedit.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
4
"msnmsgr.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
5
"msmsgs.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
6
"gp4.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
7
"help.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
8
"wmplayer.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
10
"excel.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
11
"winword.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
12
"winhelp.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
13
"wmplayer.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
14
"winrar.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
15
"winzip.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
16
"CLEAN_NOTEPAD.EXE"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
17
"ACDSee6.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
18
"acrord32.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
19
"ntbackup.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
20
"moviemk.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
21
"defrag.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
23
"netstat.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
25
"lupdate"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
26
"shutdown.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
27
"sndvol32.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
28
"sndrec32.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
30
"write.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
32
"dxdiag.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
33
"ntbackup.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
38
"dialer.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
39
"findstr.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
40
"dllhost.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
44
"print.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
45
"trendmicro.com"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
46
"UPX-iT.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
47
"NAVW32.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
48
"NAVWNT.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
49
"NAVSTUB.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
50
"navui.nsi"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
51
"CCIMSCN.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
52
"MSDEV.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
54
"chktrust.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
55
"apssm.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
56
"SNDSrvc.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
57
"NMain.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
58
"Ra2.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
59
"vfp6.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
60
"setup.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
61
"install.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
62
"savscan.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
67
"ad-aware.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
68
"remove.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
69
"uninstall.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
70
"NeroStartSmart.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
71
"uninst.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
72
"isuninst.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
75
"aawsepersonal.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
76
"avast.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
78
"keygen.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
80
"cmd.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
81
"project1.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
82
"1.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
83
"program.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
84
"application.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
85
"file.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
86
"browser.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
87
"UNWISE.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
88
"play.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
89
"directcd.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
90
"bind.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
"1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
dword:00000001

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
NoFileOpen
dword:00000001

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
NoPrinting
dword:00000001

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
NoBrowserSaveAs
dword:00000001

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
NoBrowserClose
dword:00000001

HKCU\Software\Shareaza\Shareaza\Uploads
SharePreviews
"1"

HKCU\Software\Shareaza\Shareaza\Uploads
SharePartials
"1"

HKCU\Software\Shareaza\Shareaza\Uploads
ShareMetadata
"1"

HKLM\Software\Microsoft\Security Center
AntiVirusDisableNotify
dword:00000001

HKLM\Software\Microsoft\Security Center
FirewallDisableNotify
dword:00000001

HKLM\Software\Microsoft\Security Center
FirewallOverride
dword:00000001

HKLM\Software\Microsoft\Security Center
AntiVirusOverride
dword:00000001

HKLM\Software\Microsoft\Security Center
UpdatesDisableNotify
dword:00000001

HKLM\Software\Policies\Microsoft\WindowsFirewall
DomainProfile
dword:00000000

HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
dword:00000000

HKLM\System\CurrentControlSet\Services
wscsvc
dword:00000004

HKCU\Software\Kazaa\LocalContent
DisableSharing
"0"

HKLM\Software\Microsoft\Windows NT\CurrentVersion
RegisteredOwner
"surconfluge"

HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
ComputerName
"surconfluge"

HKLM\System\CurrentControlSet\Services\Eventlog
ComputerName
"surconfluge"
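The Run-key persistence and the policy, Security Center and DisallowRun entries listed above can be checked offline from a text export of the registry, which `reg export` produces. The script below is an added example and not Sophos code: it parses the `.reg` format and flags the settings this description lists. The `SAMPLE_REG` export is constructed (it copies a handful of the entries above); the key and function names are this example's own; and the service check assumes the conventional `Services\wscsvc\Start = 4` form (service disabled), since the description lists the `wscsvc` entry without naming the value.

```python
import re

# Constructed sample in the text format written by `reg export`; the entries
# mirror a subset of those listed in the W32/Elitper-E description.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Firewall"="C:\\Program Files\\SP2 UPDATE.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"="1"
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"3"="regedit.exe"
"80"="cmd.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
"""

HKCU = "HKEY_CURRENT_USER"
HKLM = "HKEY_LOCAL_MACHINE"
RUN_KEY = HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run"
EXPLORER_POLICY = HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM_POLICY = HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System"
SECURITY_CENTER = HKLM + r"\Software\Microsoft\Security Center"
WSCSVC = HKLM + r"\System\CurrentControlSet\Services\wscsvc"

# Lockdown values from the description; data "1" or dword 1 means the policy is active.
LOCKDOWN_FLAGS = {
    SYSTEM_POLICY: {"DisableTaskMgr", "DisableRegistryTools"},
    EXPLORER_POLICY: {"NoRun", "NoFind", "NoCloseKey", "DisallowRun"},
    SECURITY_CENTER: {"AntiVirusDisableNotify", "FirewallDisableNotify",
                      "AntiVirusOverride", "FirewallOverride", "UpdatesDisableNotify"},
}
# File names the description says the worm drops and registers under Run.
ELITPER_DROPPED_NAMES = {"sp2 update.exe", "norton internet security.exe", "iexplore .exe"}

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: (type, data)}} from .reg export text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group("name")), m.group("data")
            if data.startswith("dword:"):
                keys[current][name] = ("dword", int(data[6:], 16))
            elif data.startswith('"') and data.endswith('"'):
                keys[current][name] = ("string", _unescape(data[1:-1]))
            else:
                keys[current][name] = ("other", data)  # hex(...) blobs etc., kept raw
    return keys


def _is_set(entry):
    kind, data = entry
    return (kind == "dword" and data == 1) or (kind == "string" and data.strip() == "1")


def find_lockdown_settings(keys):
    """Flag the persistence and lockdown settings this description lists."""
    findings = []
    for key, names in LOCKDOWN_FLAGS.items():
        for name, entry in keys.get(key, {}).items():
            if name in names and _is_set(entry):
                findings.append(("policy", key + "\\" + name))
    # Programs the user is blocked from launching: DisallowRun\<n> = "name.exe".
    for _, entry in keys.get(EXPLORER_POLICY + r"\DisallowRun", {}).items():
        if entry[0] == "string":
            findings.append(("disallow_run", entry[1]))
    # Security Center service disabled (assumed form: Services\wscsvc\Start = 4).
    start = keys.get(WSCSVC, {}).get("Start")
    if start and start[0] == "dword" and start[1] == 4:
        findings.append(("service_disabled", "wscsvc"))
    # Run entries whose target file name matches one the worm is described as dropping.
    for name, entry in keys.get(RUN_KEY, {}).items():
        if entry[0] == "string":
            target = entry[1].strip('"').rsplit("\\", 1)[-1].lower()
            if target in ELITPER_DROPPED_NAMES:
                findings.append(("autorun", name + " -> " + entry[1]))
    return findings


if __name__ == "__main__":
    for kind, detail in find_lockdown_settings(parse_reg_export(SAMPLE_REG)):
        print(kind, detail)
```

`reg export` writes UTF-16 by default, so open a real export with `encoding="utf-16"` before passing its text to `parse_reg_export`. The `"other"` branch keeps `hex(...)` and other value types raw rather than decoding them, which is enough for the string and dword settings this description is concerned with.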

The worm also modifies the startup script of the Internet Relay Chat (IRC) client mIRC. The modification causes "SP2 UPDATE.exe" (a copy of the worm) to be sent to each user who joins the current channel.
