Kontakt
Über Avira
Presse
Beta-Test
Language:
Deutsch
English
Deutsch
Français
Español
Italiano
Português
Русский
Privatanwender
Avira Antivirus Premium
Avira Internet Security
Unternehmen
Client/Server
Avira Professional Security
Avira Server Security
Avira Business Security Suite
Avira Endpoint Security
Small Business
Managed Services
Gateways
Avira AntiVir MailGate
Avira MailGate Suite
Avira AntiVir Exchange
Avira AntiVir WebGate
Avira WebGate Suite
Avira AntiVir GateWay Bundle
Avira AntiVir SharePoint
Integrierte Technologie
Anti-Malware SDK (SAVAPI)
Antispam SDK (SPACE)
Rebranding & Bündelung
Gemeinsam zum Ziel
Avira AntiVir für KEN! 4
Avira AntiVir + AntiSpam für KEN! 4
Avira WebProtector für KEN! 4
Bildungsrabatt
Support
Privatanwender
Übersicht
Aktuelles
Video-Tutorials
Wissensdatenbank
Unternehmen
Übersicht
Aktuelles
Wissensdatenbank
Virenlabor
Virenbeschreibungen
Statistiken
VDF History
In-the-Wild-Viren
Virenlexikon
Verdächtige Datei übermitteln
Download
Produktdownloads
Technische Dokumentation
Product Lifecycle
VDF Update
Partner
Partnersuche
Partner werden
Affiliate
Free
Download
Suche
Zusammenfassung
Vollständige Beschreibung
Statistiken
Alias:
I-Worm.Elva
Type:
Worm
Size:
7.174 Bytes
Origin:
Date:
08-25-2000
Damage:
Sent by email.
VDF Version:
6.23.00.00
Danger:
Low
Distribution:
Low
Distribution
The worm sends itself by email to all addresses found in Outlook. The email looks like this:
Hello Jo,
Happy birthday ELVA forever.
This I made birthday card for you,
Please open it and I hope you like.
Technical Details
The virus creates the file FS.VBE in C:\
%WINDIR%
\ and then copies it in C:\
%WINDIR%
\%SYSTEMDIR%\FS.VBS.
It generates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\FS "C:\WINDOWS\SYSTEM\FS.VBS"
The virus is loaded by every system start.
HKCU\Software\Microsoft\Office\9.0\Word\Security\Level "1"
Sets the Word 9 security level to "low".
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201 "0"
The current user can run ActiveX control items, which are not secure, on the local computer.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201 "0"
Unsecure ActiveX control items can be run on the local computer.
HKLM\Software\Microsoft\FSD; HKLM\Software\Microsoft\FSW
Here the current day is saved.
HKLM\Software\Microsoft\FSH; HKLM\Software\Microsoft\FSV
The complete virus code is saved here.
The file CARD.HTA is attached and sent to all entries in MS Outlook Address Book.
The Internet address "http://www.jasonnet.cc/elva" is sent to Favourites, as "Elva's Page".
The worm searches for all VBS files and replaces their code with its own.
Then, it links to Windows scripting host all the files of type: *.JS; *.JSE; *.GIF; *.JPG; *.MP3; *.WSH; *.WSF; *.WSC; *.SHS; *.SCT. These files will then be treated as VBS files.
The virus infects the Word templates. A small programming error prevent the infection of all Word documents. But it is to be expected that newer versions of the virus will correct this error.
A window will show the following message:
"Happy Birthday"
Three days after the virus is activated, it scans the harddisk. It will overwrite its virus code in the files with extension: *.JS; *.JSE; *.GIF; *.JPG; *.MP3; *.WSH; *.WSF; *.WSC; *.SHS; *.SCT.
On August, 24th. of any year, the following message appears on the screen:
.=Happy birthday=.
I love ELVA 4 ever
Die Beschreibung wurde erstellt von Crony Walker am Dienstag, 15. Juni 2004
zurück
.
.
.
.
