Threat name: VBS/Ilsela
Threat variant name: VBS/Ilsela.A
Category | worm
Aliases | VBS/Alien.gen@MM (McAfee), VBS.SSIWG.gen@mm (Symantec)
Short description
VBS/Ilsela.A is a worm that spreads via e-mail and shared folders. It is written in VBScript.
Installation
When executed, the worm creates the following folder:
- C:\MSOCache
The worm copies itself there using the following name:
- msn.vbe
The contents of the folder are then compressed using WinRAR or WinZip.
The following file is produced:
- c:\Windows\Fonts\C.Vitae.zip
The worm copies itself to the following locations:
- %system%\msn.vbe
- %windir%\system\msnmsgr.vbe
- %windir%\system32\IEXPLORE.vbe
- C:\windows\System\msnmsgr.vbe
- C:\windows\System32\IEXPLORE.vbe
- C:\Windows\System32\Setup\Messenger.vbs
The worm creates the following files:
- C:\Documents and Settings\All Users\Desktop\Internet Explorer.lnk
- C:\Documents and Settings\All Users\Desktop\MSN Messenger.lnk
- C:\Documents and Settings\All Users\Escritorio\Internet Explorer.lnk
- C:\Documents and Settings\All Users\Escritorio\MSN Messenger.lnk
These are shortcuts to the worm's own files.
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "MSN Messenger" = "C:\Windows\System32\Setup\Messenger.vbs"
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings]
- "Timeout" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- "NoAdminPage" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
- "Disabled" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "NoDrives" = 67108863
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- "DisableRegistryTools" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "NoRun" = 1
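As an added triage example (not ESET's code), the following Python parses a regedit export (.reg file) offline and flags the Registry values listed above; it also decodes the NoDrives bitmask, where bit 0 is A: and 67108863 (0x3FFFFFF) hides every drive letter. The sample export, including its unrelated "VendorUpdater" Run value, is constructed.

```python
import re

# Registry indicators listed above: (key, value name) -> data. Registry paths are case-insensitive.
_RAW = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "MSN Messenger"): r"C:\Windows\System32\Setup\Messenger.vbs",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings", "Timeout"): 0,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "NoAdminPage"): 1,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp", "Disabled"): 1,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoDrives"): 67108863,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): 1,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun"): 1,
}
ILSELA_INDICATORS = {(k.lower(), n.lower()): d for (k, n), d in _RAW.items()}
_VALUE_RE = re.compile(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg_export(text):
    """Parse the .reg subset needed here ([key] headers, "name"="string", "name"=dword:hex) into {(key, name): data}, lower-cased."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:  # regedit doubles backslashes in string data; dword data is 8 hex digits
                name, text_data, dword = m.groups()
                values[(key, name.lower())] = int(dword, 16) if dword is not None else text_data.replace("\\\\", "\\")
    return values

def hidden_drives(nodrives):
    """Decode the Explorer NoDrives mask: bit 0 = A:, bit 25 = Z:."""
    return [chr(ord("A") + bit) for bit in range(26) if nodrives >> bit & 1]

def find_ilsela_indicators(reg_text):
    """Return the (key, value name, data) entries whose data matches the worm's known settings."""
    values = parse_reg_export(reg_text)
    return [(k, n, d) for (k, n), d in values.items() if ILSELA_INDICATORS.get((k, n)) == d]

# Constructed sample export: three worm entries plus one unrelated, invented Run value.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSN Messenger"="C:\\Windows\\System32\\Setup\\Messenger.vbs"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:03ffffff
"NoRun"=dword:00000001
'''
```

Running `find_ilsela_indicators(SAMPLE_REG)` on the sample reports the Run value, NoDrives and NoRun, and `hidden_drives(67108863)` returns all letters A through Z.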
Spreading via e-mail
E-mail addresses for further spreading are searched for in local files with one of the following extensions:
- asp
- aspx
- cfm
- ctt
- dbx
- eml
- hta
- htm
- html
- htt
- htx
- ini
- nfo
- php
- shtml
- wab
- xls
The text of the e-mail sent is in Spanish.
Subject of the message is the following:
- Adjunto Curriculum Vitae para posible vacante.
Body of the message is the following:
- Adjunto Currilum Vitae, por estar interesado en algún puesto vacante en su empresa,me encantaria que lo tuviera en cuenta, ya que estoy buscando trabajo por esa zona. Sin más, reciba un cordial Saludo.
The attachment is a ZIP archive containing the worm.
Its filename is the following:
- C.Vitae.zip
The worm also sends e-mails to various addresses at the following domains:
- @movistar.es
- @vodafone.es
Subject of the message is the following:
- Msj Operador: Proteja su movil
Body of the message is the following:
- Descarguese gratis el Antivirus para Nokias Series 60. (6630,6680,7610,7650,N70,N90), totalmente gratuito.
The message contains a link to a file with the following name:
- Antivirus.sis
Spreading via shared folders
The worm searches for network drives.
The worm copies itself there using the following name:
- msn.vbe
Other information
The following programs are terminated:
- apvxdwin.exe
- AVENGINE.exe
- bdnagent.exe
- bdswitch.exe
- mcagent.exe
- mcdetect.exe
- navapsvc.exe
- navapw32.exe
- navw32.exe
- pavcl.com
- PavFires.exe
- savscan.exe
Logon passwords of some users may be changed to the following:
- Leslie