Some security vendors have issued alerts for W32.Elitper.A@mm, a mass-mailing worm that spreads using MAPI and through file-sharing networks. It also lowers Windows security settings by preventing access to antivirus-related Web sites.
The worm is written in Microsoft Visual Basic.
Technical details can be found at Symantec page.
According to Trend Micro, which also issued an alert, This worm may may arrive via the shared folders of popular peer-to-peer applications. It drops a copy of itself as the file Media Center Crack.exe in the default shared folders of several popular peer-to-peer applications.
This worm may also attempt to send a copy of itself through email to all contacts in the Microsoft Outlook address book of the infected system using the following details:
Subject:
Message body: Microsoft(c) Lastest Update For CD-ROM
Attachment: Firewall.exe
However, as of this writing, it fails to execute this mass-mailing routine.
This worm terminates processes and modifies the HOSTS file to prevent a user from accessing a list of Web sites. Moreover, it modifies the Windows registry to prevent the user from doing the following:
Running Task Manager
Running Registry Editor
Running programs through Start>Run
Prevent the infected machine from downloading updates from Microsoft
Its other created registry entries disallow the execution of some applications, and performs the following tasks:
Disable notifications for new Windows update components, and firewall-and antivirus-related events
Disable system restore in Windows ME, and XP
This worm attempts to add the following users into the infected system:
Don't-Delete
Protection
RePtiLe
Worm
It also sets the machine name of the infected system to RePtiLe.
Technical details can be found at this Trend Micro page.
2/28: Elitper-A Worm Uses MAPI
