IRC-Worm.DOS.ElSpy.2278 or ElSpy.2278 is a DOS IRC worm.


ElSpy uses the mIRC client to spread. The user will see the file EL15_BMP.EXE on their DOS prompt. When this file is executed, the worm activates and creates a temporary file at C:\Windows\System and also overwrites the client's System.ini file to execute malicious code.

The worm will perform the following actions:

  • When a user enters an infected channel, the worm will copy the C:\WINDOWS\SYSTEM\EL15_BMP.EXE file to the victim's computer.
  • A user with the nickname EL15_Spy will join the chat and transmit the IP address and port address of the infected user.
  • If "EL15" appears on the channel, the victim's C: Drive will be seen as a network location
  • If "are_u" is typed into the chat, the worm will send the following message followed by the victim's IP address. "EL15_send_kisses_to_U_:)__come_on"

The worm contains this string:

Designed by Del_Armg0____26 Juin 1999____Keep It Load!
Magic�%Software (c) 1999


Securelist (Kaspersky Labs), IRC-Worm.DOS.ElSpy.2278