VBS/Ilsela [Threat Name] go to Threat

VBS/Ilsela.A [Threat Variant Name]

Category worm
Detection created Sep 16, 2006
Detection database version 1759
Aliases VBS/Alien.gen@MM (McAfee)
  VBS.SSIWG.gen@mm (Symantec)
Short description

VBS/Ilsela.A is a worm that spreads via e-mail and shared folders. It is written in VBScript .

Installation

When executed, the worm creates the following folder:

  • C:\­MSOCache

The worm copies itself there using the following name:

  • msn.vbe

The contents of the folder are then compressed using WinRAR or WinZIP .


The following file is produced:

  • c:\­Windows\­Fonts\­C.Vitae.zip

The worm copies itself to the following locations:

  • %system%\­msn.vbe
  • %windir%\­system\­msnmsgr.vbe
  • %windir%\­system32\­IEXPLORE.vbe
  • C:\­windows\­System\­msnmsgr.vbe
  • C:\­windows\­System32\­IEXPLORE.vbe
  • C:\­Windows\­System32\­Setup\­Messenger.vbs

The worm creates the following files:

  • C:\­Documents and Settings\­All Users\­Desktop\­Internet Explorer.lnk
  • C:\­Documents and Settings\­All Users\­Desktop\­MSN Messenger.lnk
  • C:\­Documents and Settings\­All Users\­Escritorio\­Internet Explorer.lnk
  • C:\­Documents and Settings\­All Users\­Escritorio\­MSN Messenger.lnk

These are shortcuts to files of the worm .


In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "MSN Messenger" = "C:\­Windows\­System32\­Setup\­Messenger.vbs"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows Scripting Host\­Settings]
    • "Timeout" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "NoAdminPage" = 1
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­WinOldApp]
    • "Disabled" = 1
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "NoDrives" = 67108863
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "DisableRegistryTools" = 1
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "NoRun" = 1
Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • asp
  • aspx
  • cfm
  • ctt
  • dbx
  • eml
  • hta
  • htm
  • html
  • htt
  • htx
  • ini
  • nfo
  • php
  • shtml
  • wab
  • xls

Text of the e-mail sent is in (ESP) .


Subject of the message is the following:

  • Adjunto Curriculum Vitae para posible vacante.

Body of the message is the following:

  • Adjunto Currilum Vitae, por estar interesado en algún puesto vacante en su empresa,me encantaria que lo tuviera en cuenta, ya que estoy buscando trabajo por esa zona. Sin más, reciba un cordial Saludo.

The attachment is a ZIP archive containing the .


Its filename is the following:

  • C.Vitae.zip

The worm also sends e-mails to various addresses with the following server parts:

  • @movistar.es
  • @vodafone.es

Subject of the message is the following:

  • Msj Operador: Proteja su movil

Body of the message is the following:

  • Descarguese gratis el Antivirus para Nokias Series 60. (6630,6680,7610,7650,N70,N90), totalmente gratuito.

The message contains a link to a file with the following name:

  • Antivirus.sis
Spreading via shared folders

The worm searches for network drives.


The worm copies itself there using the following name:

  • msn.vbe
Other information

The following programs are terminated:

  • apvxdwin.exe
  • AVENGINE.exe
  • bdnagent.exe
  • bdswitch.exe
  • mcagent.exe
  • mcdetect.exe
  • navapsvc.exe
  • navapw32.exe
  • navw32.exe
  • pavcl.com
  • PavFires.exe
  • savscan.exe

Logon passwords of some users may be changed to the following:

  • Leslie

Please enable Javascript to ensure correct displaying of this content and refresh this page.