2/28: Elitper-A Worm Uses MAPI
February 28, 2005

Some security vendors have issued alerts for W32.Elitper.A@mm, a mass-mailing worm that spreads using MAPI and through file-sharing networks. It also lowers Windows security settings and blocks access to antivirus-related Web sites.

The worm is written in Microsoft Visual Basic.

Technical details can be found on Symantec's page.

According to Trend Micro, which also issued an alert, this worm may arrive via the shared folders of popular peer-to-peer applications. It drops a copy of itself as the file Media Center Crack.exe in the default shared folders of several popular peer-to-peer applications.

This worm may also attempt to send a copy of itself through email to all contacts in the Microsoft Outlook address book of the infected system using the following details:

Message body: Microsoft(c) Lastest Update For CD-ROM
Attachment: Firewall.exe

However, as of this writing, it fails to execute this mass-mailing routine.

This worm terminates processes and modifies the HOSTS file to prevent a user from accessing a list of Web sites. Moreover, it modifies the Windows registry to prevent the user from doing the following:

  • Running Task Manager
  • Running Registry Editor
  • Running programs through Start>Run
  • Downloading updates from Microsoft on the infected machine

Its other registry entries disallow the execution of some applications and perform the following tasks:

  • Disable notifications for new Windows Update components and for firewall- and antivirus-related events
  • Disable System Restore in Windows ME and XP

This worm attempts to add the following users to the infected system:

  • Don't-Delete
  • Protection
  • RePtiLe
  • Worm

It also sets the machine name of the infected system to RePtiLe.

Technical details can be found on this Trend Micro page.
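A triage script for the HOSTS-file hijack described above, added here as an example; it is not code from the article, Symantec or Trend Micro. The page does not list the sites the worm blocks, so the watched vendor domains and the HOSTS content in the block are constructed assumptions. The check flags any watched hostname that the file pins to an address that cannot reach the vendor (loopback, 0.0.0.0, private or link-local), which is how a HOSTS entry blocks a site without touching the network:

```python
"""Triage helper for a HOSTS-file hijack of the kind the worm performs.

Added example, not code from the article or from Symantec/Trend Micro.
The worm's real blocklist is not given on the page, so WATCHED_SUFFIXES
is an assumed sample of antivirus and update domains, and SAMPLE_HOSTS is
a constructed file, not a capture from an infected machine.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed watchlist: domains a worm that blocks AV and update sites would target.
WATCHED_SUFFIXES = (
    "symantec.com", "trendmicro.com", "mcafee.com", "sophos.com",
    "windowsupdate.com", "windowsupdate.microsoft.com",
)

# Constructed sample HOSTS file: the stock localhost line, comments, tabs,
# several hijacked vendor names (IPv4 loopback, 0.0.0.0, IPv6 loopback,
# an RFC 1918 address) and two entries that must not be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1\twww.symantec.com securityresponse.symantec.com  # hijacked
0.0.0.0         www.trendmicro.com
::1             liveupdate.symantec.com
10.0.0.1        windowsupdate.microsoft.com
93.184.216.34   www.sophos.com
192.0.2.10      intranet.example.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from HOSTS text.

    Handles '#' comments (whole-line and inline), blank lines, tab or space
    separators, multiple hostnames on one line and malformed addresses.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a usable mapping; the resolver ignores it too
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_watched(hostname: str) -> bool:
    """True if the hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def is_sinkhole(ip: str) -> bool:
    """True for addresses that cannot reach the vendor: loopback, unspecified,
    private or link-local. A public address is treated as a deliberate override."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified or addr.is_private or addr.is_link_local


def find_hijacked(text: str) -> Dict[str, str]:
    """Map each watched hostname pinned to a non-routable address to that address."""
    return {name: ip for ip, name in parse_hosts(text)
            if is_watched(name) and is_sinkhole(ip)}


if __name__ == "__main__":
    for name, ip in sorted(find_hijacked(SAMPLE_HOSTS).items()):
        print(f"{name} -> {ip}")
```

On a live machine, feed `find_hijacked` the contents of `%SystemRoot%\System32\drivers\etc\hosts`; the public-address case (www.sophos.com above) is left alone on purpose, because a HOSTS override to a routable address is an admin choice rather than a block. Since the worm also disables Registry Editor and Task Manager, the registry side of the cleanup has to be inspected with tooling that does not depend on those.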
