IRC-Worm.DOS.ElSpy.2278 or ElSpy.2278 is a DOS IRC worm.
ElSpy uses the mIRC client to spread. The user will see the file EL15_BMP.EXE on their DOS prompt. When this file is executed, the worm activates and creates a temporary file at C:\Windows\System and also overwrites the client's System.ini file to execute malicious code.
The worm will perform the following actions:
- When a user enters an infected channel, the worm will copy the C:\WINDOWS\SYSTEM\EL15_BMP.EXE file to the victim's computer.
- A user with the nickname EL15_Spy will join the chat and transmit the IP address and port address of the infected user.
- If "EL15" appears on the channel, the victim's C: Drive will be seen as a network location
- If "are_u" is typed into the chat, the worm will send the following message followed by the victim's IP address. "EL15_send_kisses_to_U_:)__come_on"
The worm contains this string:
Designed by Del_Armg0____26 Juin 1999____Keep It Load! Magic�%Software (c) 1999
Securelist (Kaspersky Labs), IRC-Worm.DOS.ElSpy.2278