W32/Trilisa-A

Discussion in 'malware problems & news' started by TonyKlein, Apr 23, 2002.

Thread Status:
Not open for further replies.
  1. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
    Name: W32/Trilisa-A
    Type: Companion virus
    Date: 23 April 2002

    A virus identity file (IDE) which provides protection is
    available now from our website and will be incorporated
    into the June 2002 (3.58) release of Sophos Anti-Virus.

    At the time of writing Sophos has received no reports from users
    affected by this virus. However, we have issued this advisory
    following enquiries to our support department from customers.

    Description:

    W32/Trilisa-A is a companion virus which overwrites EXE and SCR
    files. The virus gives the original files an EX_ extension but
    then deletes some of them (e.g. WSCRIPT.EX_, RUNDLL.EX_,
    SETVER.EX_, TASKMON.EX_, TASKMAN.EX_ and others).

    W32/Trilisa-A is also able to spread via Microsoft Outlook. The
    virus sends emails with the following characteristics to all
    addresses in the Outlook address list:

    Subject line: Mira esto, jajaja, te vas a reir!!
    Message text: Jajajaja!!! Es la ostia!! Miralo!!
    Attached file: OperacionTriunfo.scr

    The virus copies itself to A:\POLVAZO.SCR,
    C:\OPERACIONTRIUNFO.SCR and C:\SYSTEM32 - VERONICA LA
    MEJOR!!.EXE. It then adds values to the following registry
    entries to run itself on system restart and every time an EXE
    file is executed:

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKLM\Software\CLASSES\exefile\shell\open\command\Default

    The virus also drops the files C:\COMMAND.COM.VBS, C:\X.VBS and
    C:\EUROVISION.VBS and adds values to the following registry
    entries to run these files on system restart:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    COMMAND.COM.VBS emails the virus, as described above.

    EUROVISION.VBS deletes files with the extensions ZIP, ARJ, GIF,
    RAR, ACE, MP3, TXT, RTF, JS, PPT, BMP, JPEG, JPG and several
    others.

    X.VBS displays the following messages:

    "I-Worm Elisabeth by Zirkov"
    "HECHO EN ADMIRACION A GIGABYTE"
    "RECUERDOS A TODAS MIS COMPANERAS DE MERYLAND CURSO 99-01 CURSO
    99-01"
    "HECHO EN ESPANA - ABRIL 2002"

    The VBS files dropped by this virus are detected by Sophos
    Anti-Virus as W32/Trilisa-A.
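    The persistence the advisory describes (a hijacked exefile open command so the virus runs on every EXE launch, plus Run/RunServices/RunOnce values pointing at the dropped VBS and SCR files) is something an administrator can check offline against a registry export. The script below is an added example written for this thread; it is not Sophos' analysis code and not part of the original post. The `.reg` text it parses is constructed here to illustrate the indicators named above, and the value names in it (`EUROVISION`, `X`, `COMMAND`, `Polvazo`) are assumptions, since the advisory does not give the value names the virus uses.

```python
import re

# Indicators taken from the advisory in the post above (file names only;
# the registry value names the virus uses are not given there).
DROPPED_FILES = [
    r"C:\COMMAND.COM.VBS",
    r"C:\X.VBS",
    r"C:\EUROVISION.VBS",
    r"C:\OPERACIONTRIUNFO.SCR",
    r"A:\POLVAZO.SCR",
    r"C:\SYSTEM32 - VERONICA LA MEJOR!!.EXE",
]
AUTORUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
]
EXEFILE_COMMAND_KEY = r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command"
# Stock default data for exefile\shell\open\command: run the EXE with its arguments.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample export (NOT a real capture) showing what the advisory's
# changes could look like; value names are assumed for illustration.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="C:\\OPERACIONTRIUNFO.SCR \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"EUROVISION"="C:\\EUROVISION.VBS"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"X"="C:\\X.VBS"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"COMMAND"="C:\\COMMAND.COM.VBS"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Polvazo"="C:\\OPERACIONTRIUNFO.SCR"
'''

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(?:"((?:[^"\\]|\\.)*)")$')


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}.
    Only REG_SZ values are handled, which is all these checks need;
    '@' is the key's (Default) value. Backslash escapes are undone."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            data = re.sub(r"\\(.)", r"\1", m.group(3))  # \\ -> \ and \" -> "
            keys[current][name] = data
    return keys


def check_registry_export(text):
    """Return (key, value_name, data, reason) for each suspicious entry."""
    findings = []
    keys = parse_reg_export(text)
    by_lower = {k.lower(): (k, v) for k, v in keys.items()}  # exports vary in case

    # 1. exefile\shell\open\command must be the stock '"%1" %*'; anything else
    #    means every EXE launch first runs something of the attacker's choosing.
    entry = by_lower.get(EXEFILE_COMMAND_KEY.lower())
    if entry:
        key, values = entry
        cmd = values.get("@")
        if cmd is not None and cmd.strip() != EXPECTED_EXEFILE_COMMAND:
            findings.append((key, "@", cmd, "exefile open command hijacked"))

    # 2. Autorun keys: flag values naming a dropped file, or any VBScript at all.
    for autorun in AUTORUN_KEYS:
        entry = by_lower.get(autorun.lower())
        if not entry:
            continue
        key, values = entry
        for name, data in values.items():
            upper = data.upper()
            if any(f.upper() in upper for f in DROPPED_FILES):
                findings.append((key, name, data, "references W32/Trilisa-A dropped file"))
            elif upper.strip('"').endswith(".VBS"):
                findings.append((key, name, data, "autorun value launches a VBScript file"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in check_registry_export(SAMPLE_EXPORT):
        print(f"{reason}: [{key}] {name} = {data}")
```

Run against a real export (`regedit /e out.reg` on the affected machine, then `check_registry_export(open("out.reg", encoding="utf-16").read())` since modern regedit writes UTF-16), the script lists the exefile hijack and each autorun value that points at the dropped files. Repairing the exefile command is the step that matters most: until `@` is back to `"%1" %*`, launching any EXE, including the antivirus, re-invokes the companion.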
     
  2. FanJ

    FanJ Guest

    Read the analysis at

    http://www.sophos.com/virusinfo/analyses/w32trilisaa.html
     