W32/Allaple-E is a network worm for the Windows platform.
W32/Allaple-E spreads to other network computers by copying itself to network shares protected by weak passwords.
W32/Allaple-E searches the local computer for files with an extension of HTM or HTML and then:
- creates a randomly named polymorphic copy of itself in the same folder as the HTM/HTML file.
- registers the copy as a COM object, creating a new entry under HKCR\CLSID\<variable CLSID>.
- inserts a new OBJECT tag/element into the HTM/HTML file immediately after the opening HTML tag/element, containing a CLASSID= value matching the CLSID of the new executable copy.
This causes the executable copy to be launched when the HTM/HTML page is opened with certain browsers.
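A responder can look for the HTML modification described above by checking each HTM/HTML file for an OBJECT element that sits directly after the opening HTML tag and carries a CLSID. The following Python sketch is an added example, not part of the original description. The function names, the sample pages and the exact attribute syntax (`classid="clsid:..."`, quoted or not) are assumptions.

```python
import re
from pathlib import Path

# <html ...> followed, with only whitespace between, by an <object ...> tag.
_OBJ_AFTER_HTML = re.compile(r"<html\b[^>]*>\s*<object\b([^>]*)>", re.I)
# classid attribute holding a CLSID; quoting and the "clsid:" prefix are optional.
_CLASSID = re.compile(
    r"classid\s*=\s*[\"']?\s*(?:clsid:)?\{?"
    r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})", re.I)

def find_injected_clsid(html_text):
    """Return the upper-case CLSID of an OBJECT placed right after <html>, else None."""
    tag = _OBJ_AFTER_HTML.search(html_text)
    if not tag:
        return None
    clsid = _CLASSID.search(tag.group(1))
    return clsid.group(1).upper() if clsid else None

def scan_tree(root):
    """Yield (path, clsid, registry key to inspect) for each flagged HTM/HTML file."""
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".htm", ".html"):
            continue
        try:
            # The tag of interest is at the top of the file; 64 KiB is enough.
            with path.open("rb") as fh:
                head = fh.read(65536).decode("latin-1")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        clsid = find_injected_clsid(head)
        if clsid:
            yield path, clsid, r"HKCR\CLSID\{%s}" % clsid

# Constructed sample pages (the CLSID values are made up for illustration).
SAMPLE_MODIFIED = ('<HTML><OBJECT classid="CLSID:01234567-89ab-cdef-0123-456789abcdef" '
                   'width=0 height=0></OBJECT>\n<head><title>t</title></head></HTML>')
SAMPLE_CLEAN = ('<html>\n<head><title>t</title></head>\n<body>\n'
                '<object classid="clsid:11111111-2222-3333-4444-555555555555"></object>\n'
                '</body></html>')

if __name__ == "__main__":
    for name, page in (("modified", SAMPLE_MODIFIED), ("clean", SAMPLE_CLEAN)):
        print(name, find_injected_clsid(page))
```

Each reported CLSID points at the HKCR\CLSID entry to inspect, and the flagged file's folder is where the registered copy would be located.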
When first run, W32/Allaple-E copies itself to the Windows system folder as urdvxc.exe and registers this file as a new file system driver service named "MSWindows", with a display name of "Network Windows Service" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\MSWindows