What is it?
pilif.exe is a file associated with the W32.Fili@mm worm.
What does it do?
W32.Fili@mm is a generic Visual Basic worm that propagates via
Microsoft Outlook and through peer-to-peer file-sharing networks. It
can also spread via mIRC.
When W32.Fili@mm runs, it performs the following actions:
- Copies itself to %System%\pilif.exe.
  Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Adds the value:
  "Pilif" = "%System%\pilif.exe"
  to the registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  so that the worm runs when Windows starts.
- Creates the following files:
  - %System%\adrbook
  - mIRC folder\Manifesto Anti Censore Pilif.txt.exe
- Searches for KaZaA, Morpheus, eDonkey, Grokster, LimeWire, ICQ, and WinMX shared directories and copies itself as:
  - Norton 2004 crack
  - Kasperky AV Universal Key
  - Dark Coderz Alliance
  - Anti-hacker Utility
  - Cracks mega warez collection
  - Sex - totally free porn
  - Easy credit card validation
  - Yahoo hacker
  - Webmail official hacker
  - Free porn sites accounts
- Adds the value:
  "DisableTaskMgr" = "00000001"
  to the registry key:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  to disable the task manager.
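A read-only host check for the artifacts listed above, as an added example that is not part of the original write-up. The `$SearchRoots` parameter is a hypothetical name for any mIRC or shared folders you want searched for the dropped mIRC file; the file names, registry keys and values are the ones given on this page.

```powershell
# Added example: reports W32.Fili@mm artifacts described above; changes nothing.
param(
    [string[]]$SearchRoots = @()   # hypothetical: mIRC / shared folders to search
)

$sysDir   = [Environment]::SystemDirectory   # what the write-up calls %System%
$findings = @()

# Items the worm creates in the System folder.
foreach ($name in 'pilif.exe', 'adrbook') {
    $path = Join-Path $sysDir $name
    if (Test-Path -LiteralPath $path) {
        $findings += "Present: $path"
    }
}

# Autostart value "Pilif" under the HKLM Run key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runKey -Name 'Pilif' -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value 'Pilif' = $($run.Pilif)"
}

# Task Manager disabled for the current user (value may be stored as a number or a string).
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -LiteralPath $polKey -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
if ($pol -and (($pol.DisableTaskMgr -as [int]) -eq 1)) {
    $findings += "DisableTaskMgr = 1 under $polKey"
}

# Double-extension copy dropped in the mIRC folder, searched for in the supplied roots.
foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'Manifesto Anti Censore Pilif.txt.exe' } |
        ForEach-Object { $findings += "Present: $($_.FullName)" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Fili@mm artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

The HKCU check only covers the account running the script, so run it once per user profile on a shared machine.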
More info and removal instructions
@symantec