[virusinfo] W32/Appflet-A

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Tue, 21 Jun 2005 08:23:01 -0700

From: Sophos Alert System

Name: W32/Appflet-A
Aliases: W32.Appflet.A@mm
Type: Win32 worm
Date: 21 June 2005

Sophos has issued protection for W32/Appflet-A.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about W32/Appflet-A can be found at:
http://www.sophos.com/virusinfo/analyses/w32appfleta.html

W32/Appflet-A is a mass mailing worm for the Windows platform that sends itself
to email addresses harvested from the infected computer.

W32/Appflet-A may arrive in an email with the following characteristics:

Subject line: Actors Sexy Pictures! (Axe Sexye Bazigarhaye Cinema)

Message text: chosen from:
Hi my friend. This is a funny sexy actors pictures. Enjoy it!!
Salam be tamamie baro bach inam ye collectione bahal az axaye sexye bazigaraye
cinamast. bebinid va faghat Bekhandid!! ;)

Attachment: ActorsGallery.zip

When run, W32/Appflet-A:

- displays the following fake error message: "The installation has failed to
  start because _agl43.dll was not found. Re-installing the application may fix
  this problem." with the title "error loading dll"

- copies itself to:
  <Windows>\msgex32.exe
  <System>\InstallGallery.exe
  <System>\ircmgmt.exe
  where msgex32.exe and ircmgmt.exe are filenames randomly created from the
  following strings:
  mgr
  mgmt
  ex32
  svc
  explore
  pw32
  info
  pager
  alert
  reg
  sys
  win
  msg
  reg
  update
  inet
  pager
  yahoo
  msn
  irc

- creates the following files:
  <Windows>\Flagex.Flg
  <System>\ActorsGallery.zip
  <System>\sysfile.dat
  <System>\zippwdinfo.dat
  where ActorsGallery.zip is a password protected zipped copy of the worm and
  zippwdinfo.dat is a data file that contains the password.

The following registry entry is created so that msgex32.exe is run on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msgex32
<Windows>\msgex32.exe

The following registry entry is set so that ircmgmt.exe is run whenever a file
with the EXE extension is opened or launched:

HKCR\exefile\shell\open\command
(default)
<System>\ircmgmt.exe "%1" %*
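A defender-side check for the two persistence points listed above, added here as an example and not part of the Sophos alert or Mike's post. It flags a HKCR\exefile\shell\open\command value that no longer equals the stock `"%1" %*` and Run-key entries whose executable name is two of the listed name fragments joined (msg + ex32, irc + mgmt); the registry values it scans are constructed samples, not data from a real machine.

```python
import re
from typing import Optional

# Name fragments the alert says the worm joins to build its dropped file names
# (the duplicates in the alert's list collapse in a set).
APPFLET_FRAGMENTS = {
    "mgr", "mgmt", "ex32", "svc", "explore", "pw32", "info", "pager", "alert",
    "reg", "sys", "win", "msg", "update", "inet", "yahoo", "msn", "irc",
}

# Stock Windows value of HKCR\exefile\shell\open\command.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'


def is_fragment_pair(basename: str) -> bool:
    """True if basename (without extension) is exactly two fragments joined."""
    name = basename.lower()
    return any(name.startswith(a) and name[len(a):] in APPFLET_FRAGMENTS
               for a in APPFLET_FRAGMENTS)


def check_exefile_command(value: str) -> Optional[str]:
    """Return the program prepended to the EXE open command, or None if stock."""
    v = value.strip()
    if v == DEFAULT_EXEFILE_COMMAND:
        return None
    # Whatever precedes "%1" %* is launched every time any .exe is opened.
    m = re.match(r'^(.*?)\s*"%1"\s*%\*$', v)
    return m.group(1) if m and m.group(1) else v


def suspicious_run_entries(run_values: dict) -> list:
    """Flag Run-key values whose executable name is two worm fragments joined."""
    hits = []
    for name, command in run_values.items():
        m = re.match(r'^\s*"?(.*?\.exe)\b', command, re.IGNORECASE)
        if m:
            exe = re.split(r"[\\/]", m.group(1))[-1]      # strip the directory
            if is_fragment_pair(exe[:-4]):                # drop ".exe"
                hits.append((name, command))
    return hits


# Constructed sample registry data modelled on the values in the alert
# (not captured from a real machine).
SAMPLE_RUN = {
    "msgex32": r"C:\WINDOWS\msgex32.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Adobe Reader": r'"C:\Program Files\Adobe\Reader\reader_sl.exe"',
}
SAMPLE_EXEFILE = r'C:\WINDOWS\system32\ircmgmt.exe "%1" %*'
```

A benign name can also pair two fragments (win + update, for instance), so treat a Run-key hit as a lead to confirm against the dropped files above, not as proof of infection.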

The W32/Appflet-A virus identity file (IDE) includes detection for:

W32/Rbot-AFW
http://www.sophos.com/virusinfo/analyses/w32rbotafw.html
Troj/Deprep-A
http://www.sophos.com/virusinfo/analyses/trojdeprepa.html
W32/Rbot-AFX
http://www.sophos.com/virusinfo/analyses/w32rbotafx.html
Troj/Zapchas-M
http://www.sophos.com/virusinfo/analyses/trojzapchasm.html
W32/Codbot-M
http://www.sophos.com/virusinfo/analyses/w32codbotm.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Appflet-A from:

http://www.sophos.com/downloads/ide/aflet-a.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 