Content

VBS/Eliles.A

Type
Virus
SubType
E-mail worm
Discovery Date
08/25/2006
Length
Minimum DAT
4840 (08/29/2006)
Updated DAT
4840 (08/29/2006)
Minimum Engine
5.1.00
Description Added
08/29/2006
Description Modified
08/29/2006 4:29 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This threat is detected as VBS/Alien.gen@MM with the 4840 DAT files.

VBS/Eliles.A travels by sending itself as an attachment to emails.  The worm claims to be an attached resume or C.V.  The message content is as follows:

Subject: Adjunto Curriculum Vitae para posible vacante.
Body: Adjunto Currilum Vitae, por estar interesado en algún puesto vacante en su empresa,me encantaria que lo tuviera en cuenta, ya que estoy buscando trabajo por esa zona. Sin más, reciba un cordial Saludo.

VBS/Eliles.A also sends out SMS messages to mobile phones.  The worm has two routines in it that calculate random phone numbers for two Mobile phone providers in Spain.  Email messages are sent to the SMS email gateways.

Subject: Msj Operador: Proteja su movil
Body:
Descarguese gratis el Antivirus para Nokias Series 60. (6630,6680,7610,7650,N70,N90), totalmente gratuito. http://f1.grp.yahoofs.com/v1/oHDmRCSTUJ2I3kbX4Kr8GMzmLAO7taS5yJIVcWx2F_6NWlo_LBonXVhAfgMBbxzzC4LoS8XSwl_-YO7ZMH01Sw/Antivirus.sis

The user receives an SMS claiming to be from the mobile operator and requesting them to download free antivirus software for their phone.  The link in the message belongs to an online discussion group.  It is not possible to determine the specific group from the URL.  The link to the Symbian SIS file is no longer active so we are not yet able to confirm that component of the malware.

VBS/Eliles.A is capable of sending itself via email so there is no reason for it to require a separate server to propagate.  Also no mobile phones are capable of running VBScript(VBS) files.  The fact that the link in the SMS is to a Symbian SIS file indicates that the malware is targeting Symbian phones

Symptoms

Presense of the following files:

  • C:\windows\System32\IEXPLORE.vbe
  • C:\windows\System32\msn.vbe
  • C:\windows\System32\msnmsgr.vbe
  • C:\windows\System\msnmsgr.vbe
  • C:\MSOCache\C.Vitae.vbe
  • C:\Windows\msdbgsrv.dll

 

Method of Infection

Mobile handset users need to be aware that an SMS can be received from an un-trusted source, much like email.  Therefore, much like email, users need to express caution before following instructions from unknown or unverified parties.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

Variants

    N/A

All Information

Overview -

VBS/Eliles.A is a mass mailing worm that also sends SMS messages to mobile phones.   The SMS messages contain a download link to Symbian malware.

Characteristics

Characteristics -

This threat is detected as VBS/Alien.gen@MM with the 4840 DAT files.

VBS/Eliles.A travels by sending itself as an attachment to emails.  The worm claims to be an attached resume or C.V.  The message content is as follows:

Subject: Adjunto Curriculum Vitae para posible vacante.
Body: Adjunto Currilum Vitae, por estar interesado en algún puesto vacante en su empresa,me encantaria que lo tuviera en cuenta, ya que estoy buscando trabajo por esa zona. Sin más, reciba un cordial Saludo.

VBS/Eliles.A also sends out SMS messages to mobile phones.  The worm has two routines in it that calculate random phone numbers for two Mobile phone providers in Spain.  Email messages are sent to the SMS email gateways.

Subject: Msj Operador: Proteja su movil
Body:
Descarguese gratis el Antivirus para Nokias Series 60. (6630,6680,7610,7650,N70,N90), totalmente gratuito. http://f1.grp.yahoofs.com/v1/oHDmRCSTUJ2I3kbX4Kr8GMzmLAO7taS5yJIVcWx2F_6NWlo_LBonXVhAfgMBbxzzC4LoS8XSwl_-YO7ZMH01Sw/Antivirus.sis

The user receives an SMS claiming to be from the mobile operator and requesting them to download free antivirus software for their phone.  The link in the message belongs to an online discussion group.  It is not possible to determine the specific group from the URL.  The link to the Symbian SIS file is no longer active so we are not yet able to confirm that component of the malware.

VBS/Eliles.A is capable of sending itself via email so there is no reason for it to require a separate server to propagate.  Also no mobile phones are capable of running VBScript(VBS) files.  The fact that the link in the SMS is to a Symbian SIS file indicates that the malware is targeting Symbian phones

Symptoms

Symptoms -

Presense of the following files:

  • C:\windows\System32\IEXPLORE.vbe
  • C:\windows\System32\msn.vbe
  • C:\windows\System32\msnmsgr.vbe
  • C:\windows\System\msnmsgr.vbe
  • C:\MSOCache\C.Vitae.vbe
  • C:\Windows\msdbgsrv.dll

 

Method of Infection

Method of Infection -

Mobile handset users need to be aware that an SMS can be received from an un-trusted source, much like email.  Therefore, much like email, users need to express caution before following instructions from unknown or unverified parties.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

Variants -

    N/A