[email protected]

Aliases: Worm:Win32/Eliles.A, [email protected], Email-Worm.Win32.Heck.a, W32/Eliles.A
Variants: TR/ElPerfecto, W32/Eliles-B, WORM_ELILES.B

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, Europe, North and South America
Removal: Easy
Platform: W32
Discovered: 16 Apr 2007
Damage: Low

Characteristics: The [email protected] belongs a mass mailing class of Worms which have the inherent capability of spreading its codes using email messages. In most cases it makes use of compressed files as attachment to its email message. This particular malware has the capability of lowering the security settings of the infected system by terminating the firewall and antivirus protection of the machine. This can be used by an attacker to expose the machine to more threats.

More details about [email protected]

When launched in a vulnerable computer system, this malware will proceed to extract multiple files into the directory folder of the operating system. The [email protected] will create various executable, command, text, and icon files needed to deliver its payload. Some of the files will serve as a container for the malware while others act as the script file that activates its mailing functionality. The [email protected] has also been identified to place a variant of the SymbOS.Commwarrior into the infected computer system. This threat will target some critical tools of the operating system and infect them by appending an additional six bytes of data at the end of the file. The [email protected] modifies the Windows Registry to be able to automatically load on system boot up.

The modification and lowering of the security settings of the infected computer system is also done by the [email protected] from the Windows Registry. This is primarily because it will be harder to trace and undo. The will also take not of the computer user's activities by logging the actions into the ICO format file. Email addresses will be harvested by the [email protected] from a number of different files found in the compromised machine. These contacts will be targeted by the [email protected] which will use its own Simple Mail Transfer Protocol engine to infect remote computer systems.