W32/Annil-G is a Windows worm that spreads via email, network shares and file-sharing networks. It drops several copies of itself (with random filenames) in the following folders:
(current directory)
<drive>\Shared
<drive>\Program Files\
<drive>\My Documents\
The worm may present the following dialog box during execution:
"File execution aborted: Unable to find MFC42.dll"
although it may continue to run in the background.
The worm harvests email addresses from files found on the system, and may use them to send attached copies of the virus via its own internal SMTP engine. The attachments are a mixture of randomly generated and pre-defined file names.
Message bodies may contain:
New Billing
user,
We have started charging for our outgoing email and payment is expected
immediately.
Your invoice is attached.
Dear
Account Closure
user,
Your account is being closed due to your sending of the following file. See
attachment, we have strict rules on pornography.
Viral Infection
was recently attacked by hackers which resulted in a virus being activated on
the server. Please read the instructions on how to remove any viruses.
Attention:
Policy Reminder
Automated Reply: You are approaching your allocated data limit for the month,
a log of your recent activity is attached.
Re: Help
Automated Reply: Thank you for your concerns, you requested information is
attached. Downtime will be down for server repairs tommorow from (2AM - 6AM). It
is suggested you backup your address book, instructions have been included as an
attachment.
If you've been wondering why I haven't been staying in touch lately, it's
because I've been working on a program in my spare time. I've finally got it to
a testable state, and was wondering if you could give me feedback on it. Thanks
in advance.
I hope you're the one who asked for this, I don't really remember, but thought I
might as well send it anyway.
Well a lot of people haven't heard very much about my "injury", but my insurance
company said I should give this to everybody I know. Run it and you'll
understand everything.
Attention, Windows user:
We have detected a security gap within Windows internal dll's, we suggest all
users run this program which seals the gap. Otherwise, any damaged data will not
be compinsated for by Microsoft.
Sorry, I think I was supposed to send this earlier
Will this work for tommorow?
cool huh?
Ha. Remember this guy?
I'm typing this in a hurry, because I've got to go right away. But my computer
was infected by the Klez virus, and I didn't realize it until a few days ago.
You may have been infected as well. I apoligize!. This nifty little program
fixes everything if you have in fact, been infected.
Hey, I managed to get your password for your e-mail. I suggest you use this
utility (I attached it) to fortify your account and you can also use it to
retrieve other peoples passwords (don't try it on me, since I already used it to
protect mine). I'll keep my name secret, I don't want to get sued :) . BTW, I'm
sending this to more people than just you, but I used it on multiple people.
Hey, I found this on Download.com a while ago and forgot to send it too you. I
thought you may be interested. It should be attached, if it isn't just e-mail me
again.
The following message could not be sent because the recipients mailbox was full.
Security Signature: 188X-08305-RETNMAIL
The following message could not be sent because the recipients mailbox was no
longer available. Security Signature: 165X-08605-RETNMAIL
The following message could not be sent because the recipients mailbox was full.
Security Signature: 165X-08605-UNDLVRMAIL
Can you tell me what this is?
We have started a new billing procedure, see the attached invoice for more
information.
This message must have been sent to me by mistake, appearantly it's meant for
you. Don't worry I didn't read all of it :).
Your dad told me to send this to you, i think you'll understand.
I thought you might enjoy this. Birds are so funny.
Outlook:Secure text document attached.
I got this from my dad's old attorney, he said it could be very useful to you.
I did a search for your name and I think someone faked your emode.com test
results. See what you think:
Results automatically attached.
I have good reasoning! See the image quickly!
Evidence!
Why do you let the kids play this awful game?
The bomb threat you may get today might be real, see the image:
Someone wants me to report this without giving names.
This demands immediate attention.
Everytime I type the address it keeps redirecting me to this file.
I can't seem to get the site working, it always sends me to a URL with this
file. What's wrong?
Sorry to bother you, but when I try to load the site it always gives me this
file.
Everytime I try to load the site I get sent this file.
Is there any way to keep it from sending me this file? Thanks.
Keeps dloading this.
It directs me to this file.
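A mail-filter check built on the message bodies listed above, as an added example that is not part of the original description or any vendor's detection logic. The function names and the sample messages are constructed for illustration; the matched strings are copied verbatim from the list, typos included, and a message is flagged only when one of them appears together with an attachment.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Strings copied verbatim from the message bodies listed above (typos included).
ANNIL_G_STRINGS = [
    "Security Signature: 188X-08305-RETNMAIL",
    "Security Signature: 165X-08605-RETNMAIL",
    "Security Signature: 165X-08605-UNDLVRMAIL",
    "any damaged data will not be compinsated for by Microsoft",
    "was infected by the Klez virus",
    "someone faked your emode.com test results",
    "Outlook:Secure text document attached.",
]

def _norm(text):
    """Collapse whitespace and case so line-wrapped bodies still match."""
    return re.sub(r"\s+", " ", text).strip().lower()

def scan_message(raw):
    """Return matched strings, attachment presence, and a combined verdict."""
    msg = message_from_string(raw)
    texts, has_attachment = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            has_attachment = True  # the worm mails itself as an attachment
        elif part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            texts.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    body = _norm(" ".join(texts))
    hits = [s for s in ANNIL_G_STRINGS if _norm(s) in body]
    return {"hits": hits, "attachment": has_attachment,
            "suspicious": bool(hits) and has_attachment}

def build_sample(body, attach=True):
    """Constructed test message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content(body)
    if attach:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename="sample.bin")
    return m.as_string()

if __name__ == "__main__":
    wrapped = "Otherwise, any damaged data will not\nbe compinsated for by Microsoft.\n"
    print(scan_message(build_sample(wrapped)))
```

Matching on whitespace-normalized text matters here because the bodies are line-wrapped, so a phrase can straddle a line break in the delivered message.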
W32/Annil-G also attempts to close windows belonging to anti-virus software.
W32/Annil-G may disable features in file sharing programs designed to prevent the user from downloading executable files.