Aliases: W32/Trilisa@MM, WORM_ORKIZ.A
Variants: W32.Trilisa-A, Win32.Trilisa

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 16 Apr 2002
Damage: Medium

Characteristics: The W32.Trilisa@mm application is a worm that delivers itself to every addresses in the address book of Microsoft Outlook. It changes the name of every files that are in the folder of Windows and that have the .scr or .exe file extension. This worm then replicates itself as the original name of the file. It also erases files that have detailed file extensions,as well as files Regedb32 and Regedit.

More details about W32.Trilisa@mm

Once the W32.Trlisa@mm was executed it replicates itself. It generates VBS (Basic Visual Script) files such as in the C:\Command.com.vbs an email will be sent to all of the contacts on the address book of the Microsoft Outlook. The email has a Subject containing ‘esto, jajaja, te vas a reir!!’, a Message containing ‘Jajajaja!!! Es la ostia!! Miralo!!’, with attachment of OperacionTriunfo.scr. In the :\X.vbs, there are messages that appears such as EN ESPAÑA - ABRIL 2002, I-Worm Elisabeth by Zirkov, RECUERDOS A TODAS MIS COMPAÑERAS DE MERYLAND CURSO 99-01, and HECHO EN ADMIRACION A GIGABYTE. In the :\Eurovision.vbs, the file tries to delete the files having .mid, .zip, .ace, .log, .rtf , .asm, .arj, .rm, .lhz, .pdf, .gbc, .txt, .asf, .wp, .mpeg, .mp3, and .mdb.

This program also deletes files with the following extension: .wav, .ppt, .xls, .rar, .gba, .jpg, .smc, .mov, .doc, .bmp, .mp2, . .mod, .avi, .mp, jpeg, .js, .gb, .mpg, and .gif. The W32.Trilisa@mm deletes the files that contain the regedb32 or regedit names. The worm also ranames all of the files that are in the folder of the Windows and those files having .scr and .exe extension. It will then replicates itself as the file having thew original name. The worm modifies the value of the key of the registry so in case the Windows will start the worm will run at the same time.