
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Eliles.A

Threat Level: High threat
Damage: Severe
Distribution: Not widespread

Effects 

Eliles.A carries out the following actions:

  • It ends the following processes, if they are active:
    apvxdwin.exe
    AVENGINE.exe
    bdnagent.exe
    bdswitch.exe
    mcagent.exe
    mcdetect.exe
    navapsvc.exe
    navapw32.exe
    navw32.exe
    pavcl.com
    PavFires.exe
    savscan.exe

    These processes belong to several antivirus programs.
  • It hides the drives in My Computer and in Windows Explorer.
  • It hides the Run option in the Start menu.

Infection strategy 

Eliles.A creates the following files:

  • MESSENGER.VBS in the subfolder SETUP of the Windows system directory. This file is a copy of the worm.
  • C.VITAE.ZIP in the subfolder FONTS of the Windows directory. This file is also a copy of the worm, but compressed in ZIP format.
  • MSDBGSRV.DLL in the Windows directory, which contains the email addresses that Eliles.A finds in the affected computer.
  • IEXPLORE.VBE, MSN.VBE and MSNMSGR.VBE in the Windows system directory.
  • MSNMSGR.VBE in the subfolder SYSTEM of the Windows directory.
  • C.VITAE.VBE in the subfolder MSOCACHE of the C: drive.

 

Eliles.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MSN Messenger = %sysdir%\Setup\Messenger.vbs

    where %sysdir% is the Windows system directory.
    By creating this entry, Eliles.A ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDrives

    This way, Eliles.A hides the drives in My Computer and in Windows Explorer.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoRun

    By creating this entry, Eliles.A hides the Run option in the Start menu.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools

    This way, Eliles.A disables access to the Windows Registry.
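
The files and registry values listed above can be checked for on a suspect machine with a read-only script. The following is an added example, not code from Panda Security; it assumes %sysdir% resolves to [Environment]::SystemDirectory and the Windows directory to $env:windir, and the function name Find-ElilesIndicator is hypothetical.

```powershell
# Added example, read-only: lists Eliles.A artefacts named on this page.
# Assumptions: %sysdir% = [Environment]::SystemDirectory, Windows directory =
# $env:windir. The function name Find-ElilesIndicator is hypothetical.
function Find-ElilesIndicator {
    $sys = [Environment]::SystemDirectory
    $win = $env:windir
    $cv  = 'Software\Microsoft\Windows\CurrentVersion'

    # Registry values the description lists (key path, value name).
    $regChecks = @(
        @{ Key = "HKLM:\$cv\Run";               Name = 'MSN Messenger' },
        @{ Key = "HKCU:\$cv\Policies\Explorer"; Name = 'NoDrives' },
        @{ Key = "HKCU:\$cv\Policies\Explorer"; Name = 'NoRun' },
        @{ Key = "HKCU:\$cv\Policies\System";   Name = 'DisableRegistryTools' }
    )
    foreach ($c in $regChecks) {
        $p = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $p) {
            [pscustomobject]@{ Type = 'Registry'; Location = $c.Key
                               Name = $c.Name; Detail = $p.($c.Name) }
        }
    }

    # Files the description lists. Length is reported so it can be compared
    # with the 45,835-byte size given for the worm's script.
    $files = @(
        (Join-Path $sys 'Setup\MESSENGER.VBS'),
        (Join-Path $win 'Fonts\C.VITAE.ZIP'),
        (Join-Path $win 'MSDBGSRV.DLL'),
        (Join-Path $sys 'IEXPLORE.VBE'),
        (Join-Path $sys 'MSN.VBE'),
        (Join-Path $sys 'MSNMSGR.VBE'),
        (Join-Path $win 'System\MSNMSGR.VBE'),
        'C:\MSOCACHE\C.VITAE.VBE'
    )
    foreach ($f in $files) {
        # -Force so hidden or system files are still found.
        $i = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
        if ($null -ne $i) {
            [pscustomobject]@{ Type = 'File'; Location = $i.DirectoryName
                               Name = $i.Name; Detail = "$($i.Length) bytes" }
        }
    }
}

Find-ElilesIndicator | Format-Table -AutoSize
```

NoDrives, NoRun and DisableRegistryTools can also be set by an administrator's policy, so treat them as corroborating evidence alongside the file hits. The Run value matches this description when its data points at Setup\Messenger.vbs under the system directory.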

Means of transmission 

Eliles.A spreads via email to other computers and via SMS or text message to mobile phones.

 

1. Propagation via email.

It follows the routine below:

  • It reaches the computer in an email message written in Spanish.
    Sender: it spoofs the email address from which it is sent. This address consists of a name taken from the following list and @ono.com:
    acutel, alerjosemoreno, aleroic, anaballabriga, animaciencia, antonioboronat, asindown, ceutideportes, ChiLiTa, cnbenicarlo, davidconejero, dni, Fernando.Ramos, izmacian, jadela, jllrives, Jm_Torres, juher, konsulatRPmurcia, lone.star, marcial, marinadef, mlgarciaarranz, p_canter, pedrotoledo, peterhall, ramirezmerino, rapidisa, raulmed, ullances, vicenterevenga.
    Subject:
    Adjunto Curriculum Vitae para posible vacante
    Message:
    Adjunto Currilum Vitae, por estar interesado en algún puesto vacante en su empresa,me encantaria que lo tuviera en cuenta, ya que estoy buscando trabajo por esa zona. Sin más, reciba un cordial Saludo.
    Attached file:
    C.VITAE.ZIP
  • The computer is affected when the file included in the ZIP file is run.
  • Eliles.A searches for email addresses in files with the following extensions: ASP, CTT, DOC, EML, GFM, HTA, HTML, HTT, INI, MAP, MAPIMAIL, NFO, PHP, SHTML, WAB and XLS.
  • Eliles.A sends itself out to the addresses it has gathered.

 

2. Propagation via SMS to mobile phones:

It follows the routine below:

  • It reaches the mobile phone in an SMS with the following characteristics:
    Sender: the email address of the affected user.
    Recipient: it consists of the recipient's telephone number and one of the following domains:
    @movistar.es
    @vodafone.es

    Subject:
    Msj Operador: Proteja su movil
    Message:
    Descarguese gratis el Antivirus para Nokias Series 60.
    (6630,6680,7610,7650,N70,N90), totalmente gratuito. http://f1.grp.ya
    <blocked>r8GMzmLAO7taS5yJIVcWx2F_6NWlo_LBonXVhAfgMBbxzzC4LoS8XSwl_-YO7ZMH01Sw/Antivirus.sis
  • If the link included in the message is followed and the SIS file is downloaded and installed, the mobile phone will be affected by Eliles.A.

Further Details  

Eliles.A is written in Visual Basic Script (VBScript). This worm is 45,835 bytes in size.