From: Sophos Alert System

Name: W32/Appflet-A
Aliases: W32.Appflet.A@mm
Type: Win32 worm
Date: 21 June 2005

Sophos has issued protection for W32/Appflet-A. At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about W32/Appflet-A can be found at:
http://www.sophos.com/virusinfo/analyses/w32appfleta.html

W32/Appflet-A is a mass-mailing worm for the Windows platform that sends itself to email addresses harvested from the infected computer.

W32/Appflet-A may arrive in an email with the following characteristics:

Subject line:
Actors Sexy Pictures! (Axe Sexye Bazigarhaye Cinema)

Message text (chosen from):
Hi my friend. This is a funny sexy actors pictures. Enjoy it!!
Salam be tamamie baro bach inam ye collectione bahal az axaye sexye bazigaraye cinamast. bebinid va faghat Bekhandid!! ;)

Attachment:
ActorsGallery.zip

When run, W32/Appflet-A:

- displays the following fake error message
"The installation has failed to start because _agl43.dll was not found. Re-installing the application may fix this problem."
with the title "error loading dll"

- copies itself to:
<Windows>\msgex32.exe
<System>\InstallGallery.exe
<System>\ircmgmt.exe

where msgex32.exe and ircmgmt.exe are filenames randomly created from the following strings:
mgr mgmt ex32 svc explore pw32 info pager alert reg sys win msg reg update inet pager yahoo msn irc

- creates the following files:
<Windows>\Flagex.Flg
<System>\ActorsGallery.zip
<System>\sysfile.dat
<System>\zippwdinfo.dat

where ActorsGallery.zip is a password-protected zipped copy of the worm and zippwdinfo.dat is a data file that contains the password.

The following registry entry is created to run msgex32.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msgex32
<Windows>\msgex32.exe

The following registry entry is set, so that ircmgmt.exe is run when files with the extension EXE are opened/launched:
HKCR\exefile\shell\open\command
(default)
<System>\ircmgmt.exe "%1" %*

The W32/Appflet-A virus identity file (IDE) includes detection for:
W32/Rbot-AFW http://www.sophos.com/virusinfo/analyses/w32rbotafw.html
Troj/Deprep-A http://www.sophos.com/virusinfo/analyses/trojdeprepa.html
W32/Rbot-AFX http://www.sophos.com/virusinfo/analyses/w32rbotafx.html
Troj/Zapchas-M http://www.sophos.com/virusinfo/analyses/trojzapchasm.html
W32/Codbot-M http://www.sophos.com/virusinfo/analyses/w32codbotm.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Appflet-A from:
http://www.sophos.com/downloads/ide/aflet-a.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
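The two registry changes in the alert above are the part worth checking for on other machines: a Run value pointing at a randomly named copy of the worm, and the exefile open command rewritten so that the worm runs before every EXE. The script below is an added example (editor's code, not Sophos's or Mike's) that parses a .reg export and flags both. It assumes, from the two names Sophos gives (msgex32 = msg + ex32, ircmgmt = irc + mgmt), that generated names are two of the listed fragments joined together; the advisory does not state that rule explicitly. The .reg text it runs on is constructed for the example, not captured from an infected host, and the key/function names are the example's own.

```python
import re
from itertools import product

# Name fragments Sophos lists for the worm's randomly generated filenames.
FRAGMENTS = ["mgr", "mgmt", "ex32", "svc", "explore", "pw32", "info", "pager", "alert",
             "reg", "sys", "win", "msg", "update", "inet", "yahoo", "msn", "irc"]

# Assumption (not stated by Sophos): a name is two fragments joined, as in the two
# examples msgex32 (msg + ex32) and ircmgmt (irc + mgmt). Every such pair is a candidate.
CANDIDATE_NAMES = {a + b + ".exe" for a, b in product(FRAGMENTS, repeat=2)}

# What the exefile open command is on a clean machine: the launched EXE plus its arguments.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"

# Constructed sample of what `reg export` produces on a host showing the advisory's
# two entries plus one benign Run value. Not captured from a real infection.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msgex32"="C:\\WINDOWS\\msgex32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\ircmgmt.exe \"%1\" %*"
'''

# A value line: either the default value (@) or a quoted name, then '=' and the data.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}}; the default value is stored as '@'.
    Only quoted (REG_SZ) data is unescaped; other types are kept raw, which suffices here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                # .reg files escape backslash and double quote with a backslash.
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def _exe_basename(command):
    """Lower-cased file name of the program at the start of a command line."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    path = (m.group(1) or m.group(2)) if m else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hijacked_exefile_target(keys):
    """Program wedged in front of every EXE launch, or None if the command is the clean default."""
    cmd = keys.get(EXEFILE_KEY, {}).get("@")
    if cmd is None or cmd == CLEAN_EXEFILE_COMMAND:
        return None
    return _exe_basename(cmd)


def suspicious_run_entries(keys):
    """Run-key values whose program name is one of the worm's possible generated names."""
    return [(name, data) for name, data in keys.get(RUN_KEY, {}).items()
            if _exe_basename(data) in CANDIDATE_NAMES]


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    print("exefile hijack by:", hijacked_exefile_target(parsed))
    print("suspicious Run entries:", suspicious_run_entries(parsed))
```

On a real host, export the two keys with `reg export` (the file it writes is UTF-16, so open it with encoding="utf-16") and pass the text to parse_reg_export instead of SAMPLE_REG. Two caveats: the exefile check is the stronger signal, because anything other than "%1" %* there means some program is interposed on every EXE launch, whatever its name; the name heuristic is only a lead, since some two-fragment combinations (winmgmt.exe, for one) are also names of legitimate Windows binaries, so confirm the file's location and hash before acting. If the exefile command is hijacked, do not delete the interposed file until the default value has been restored to "%1" %*, or no EXE, including regedit, will launch.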