Name: W32/Trilisa-A
Type: Companion virus
Date: 23 April 2002

A virus identity file (IDE) which provides protection is available now from our website and will be incorporated into the June 2002 (3.5 release of Sophos Anti-Virus.

At the time of writing Sophos has received no reports from users affected by this virus. However, we have issued this advisory following enquiries to our support department from customers.

Description:

W32/Trilisa-A is a companion virus which overwrites EXE and SCR files. The virus gives the original files an EX_ extension but then deletes some of them (e.g. WSCRIPT.EX_, RUNDLL.EX_, SETVER.EX_, TASKMON.EX_, TASKMAN.EX_ and others).

W32/Trilisa-A is also able to spread via Microsoft Outlook. The virus sends emails with the following characteristics to all addresses in the Outlook address list:

Subject line: Mira esto, jajaja, te vas a reir!!
Message text: Jajajaja!!! Es la ostia!! Miralo!!
Attached file: OperacionTriunfo.scr

The virus copies itself to AOLVAZO.SCR, C:\OPERACIONTRIUNFO.SCR and C:\SYSTEM32 - VERONICA LA MEJOR!!.EXE. It then adds values to the following registry entries to run itself on system restart and every time an EXE file is executed:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\CLASSES\exefile\shell\open\command\Default

The virus also drops the files C:\COMMAND.COM.VBS, C:\X.VBS and C:\EUROVISION.VBS and adds values to the following registry entries to run these files on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

COMMAND.COM.VBS emails the virus, as described above.

EUROVISION.VBS deletes files with the extensions ZIP, ARJ, GIF, RAR, ACE, MP3, TXT, RTF, JS, PPT, BMP, JPEG, JPG and several others.

X.VBS displays the following messages:

"I-Worm Elisabeth by Zirkov"
"HECHO EN ADMIRACION A GIGABYTE"
"RECUERDOS A TODAS MIS COMPANERAS DE MERYLAND CURSO 99-01 CURSO 99-01"
"HECHO EN ESPANA - ABRIL 2002"

The VBS files dropped by this virus are detected by Sophos Anti-Virus as W32/Trilisa-A.
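
As an added example (not part of the Sophos advisory), the Python check below scans a text registry export for the persistence points listed above: a changed exefile open command and autorun values that reference the dropped file names. It assumes REGEDIT4-style string values only and that the stock exefile command is `"%1" %*`; the sample export and its value names are constructed.

```python
import re

# File names listed in the advisory; matched case-insensitively as whole names.
DROPPED = ["AOLVAZO.SCR", "OPERACIONTRIUNFO.SCR", "SYSTEM32 - VERONICA LA MEJOR!!.EXE",
           "COMMAND.COM.VBS", "X.VBS", "EUROVISION.VBS"]
CV = r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION"
# Autorun keys listed in the advisory, upper-cased for comparison.
RUN_KEYS = {"HKEY_LOCAL_MACHINE" + CV + r"\RUNSERVICES", "HKEY_LOCAL_MACHINE" + CV + r"\RUN",
            "HKEY_LOCAL_MACHINE" + CV + r"\RUNONCE", "HKEY_CURRENT_USER" + CV + r"\RUN"}
EXE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EXEFILE\SHELL\OPEN\COMMAND"
EXE_DEFAULT = '"%1" %*'  # assumption: stock Windows open command for .exe files
# One string value line of a .reg export: @="data" or "name"="data".
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # Undo .reg string escaping of backslash and double quote.
    return re.sub(r'\\(.)', r'\1', s)

def dropped_name(data):
    # Return the advisory file name referenced in data, or None.
    for f in DROPPED:
        if re.search(r'(?:^|[\\/\s"])' + re.escape(f) + r'(?:$|[\s"])', data, re.I):
            return f
    return None

def scan_reg_export(text):
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
            continue
        m = VALUE.match(line)
        if not m or key is None:
            continue  # blank line, header, or a non-string value type
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = unescape(m.group(2))
        if key == EXE_KEY and name == "(Default)" and data != EXE_DEFAULT:
            findings.append((key, name, "exefile handler replaced"))
        elif key in RUN_KEYS and dropped_name(data):
            findings.append((key, name, "autorun references " + dropped_name(data)))
    return findings

# Constructed sample export; value names and data are illustrative only.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="AOLVAZO.SCR \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Fix"="wscript.exe C:\\TOOLS\\FIX.VBS"
"Euro"="C:\\EUROVISION.VBS"
'''
if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE):
        print(finding)
```

Exports that store these values as hex-encoded types are skipped by this parser and need to be decoded first.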