FANDOM



IRC-Worm.DOS.ElSpy.2278 or ElSpy.2278 is a DOS IRC worm.

Payload

ElSpy uses the mIRC client to spread. The user will see the file EL15_BMP.EXE on their DOS prompt. When this file is executed, the worm activates and creates a temporary file at C:\Windows\System and also overwrites the client's System.ini file to execute malicious code.

Behavior

The worm will perform the following actions:

  • When a user enters an infected channel, the worm will copy the C:\WINDOWS\SYSTEM\EL15_BMP.EXE file to the victim's computer.
  • A user with the nickname EL15_Spy will join the chat and transmit the IP address and port address of the infected user.
  • If "EL15" appears on the channel, the victim's C: Drive will be seen as a network location
  • If "are_u" is typed into the chat, the worm will send the following message followed by the victim's IP address. "EL15_send_kisses_to_U_:)__come_on"

The worm contains this string:

Designed by Del_Armg0____26 Juin 1999____Keep It Load!
Magic�%Software (c) 1999

Sources

Securelist (Kaspersky Labs), IRC-Worm.DOS.ElSpy.2278

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.