[email protected]

Aliases: [email protected], W32/Elitper-E, Win32.Elitper.E, Win32/Unknown!P2P!Worm, Worm:Win32/Elitper.E
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 25 Mar 2005
Damage: Medium

Characteristics: [email protected] is a worm that arrives and propagates through MS Outlook and file-sharing networks. It removes files and processes, and it increases the security risk to the compromised computer by tweaking its security settings. It is a memory-resident worm that commonly spreads through mIRC and peer-to-peer (P2P) applications such as BearShare, Grokster, Kazaa, Kazaa Lite, Kazaa Media Desktop, Morpheus, and Shareaza. It also modifies the Hosts file.

More details about [email protected]

Access to antivirus and security-related websites is hampered or blocked entirely once this worm is present on the computer. The worm also tweaks registry keys so that the user cannot perform certain tasks, such as running programs through the Run command, running Registry Editor, and running Task Manager. Other applications or programs may also become inoperable because the worm can disable certain actions, such as closing Internet Explorer windows; the file opening, saving, and printing functions of Internet Explorer; and notifications for new Windows Update components and for firewall- and antivirus-related events. The worm also copies itself to folders using one of the following filenames: “All Nokia Phones Hacking + Hotkeys To Access To Networks.exe” and “All Nokia Phones Software Codes + Hotkeys To Access To Networks.exe”. The computer may also shut down automatically if the worm successfully deletes the service LSASS.EXE. Unlike other viruses or worms that exploit the LSASS.exe service, this one simply terminates the service in order to shut the system down. If the worm completes its infection routine, the compromised computer’s system will then be named surconfluge.

The [email protected] program is said to replicate itself to any compromised system through flaws and system vulnerabilities. Its effects on the computer and its users include the stealing of some programs, the deletion of system files, the immobilization of certain executables essential to the operating system, the shutting down of various security applications, and the possibility that the compromised computer becomes unstable or even unusable. According to some studies, [email protected] tends to originate from peer-to-peer network programs. This program may be removed from the computer through the standard manual removal process.
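The Hosts file changes and the two copy filenames described above can be checked for during triage. The following is an added example, not part of the original entry: the keyword list for "security-related" hostnames is an assumption to tune locally, and the sample Hosts content is constructed.

```python
import ipaddress

# File names the page says the worm copies itself under, lower-cased.
DROPPED_NAMES = {
    "all nokia phones hacking + hotkeys to access to networks.exe",
    "all nokia phones software codes + hotkeys to access to networks.exe",
}
# Assumption: substrings that mark a hostname as security-related; tune locally.
SECURITY_KEYWORDS = ("antivirus", "symantec", "mcafee", "sophos", "windowsupdate")

# Constructed sample Hosts file content, not taken from a real infection.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
127.0.0.1 www.symantec.com update.symantec.com  # appended entry
0.0.0.0 download.mcafee.com
10.0.0.5 intranet.example.test
not-an-ip www.sophos.com
"""

def suspicious_hosts_entries(hosts_text):
    """Return (line_no, address, hostname) for every Hosts entry that
    overrides DNS for a security-related hostname."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: malformed line, skip
        for host in fields[1:]:
            name = host.lower()
            if any(k in name for k in SECURITY_KEYWORDS):
                hits.append((line_no, str(addr), name))
    return hits

def dropped_copies(file_names):
    """Return the names that match one of the worm's known copy names."""
    return [n for n in file_names if n.strip().lower() in DROPPED_NAMES]

if __name__ == "__main__":
    for hit in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("hosts override:", hit)
    print(dropped_copies(["Setup.exe", "All Nokia Phones Hacking + Hotkeys To Access To Networks.exe"]))
```

On a live system, pass the contents of the Hosts file and a listing of P2P shared folders to these functions.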