Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | June 2008 (4.30) |
| Protection available since | 12 October 2007 18:28:48 (GMT) |
| Last updated | 25 April 2008 19:24:53 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Allaple-F is a worm for the Windows platform.
W32/Allaple-F spreads to other network computers protected by weak passwords.
When first run, W32/Allaple-F moves itself to the Windows system folder under a randomly generated filename and registers itself as a new file system driver service named "MSWindows", with a display name of "Network Windows Service" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\MSWindows
W32/Allaple-F copies itself to folders on the target computer (including the local computer) using randomly generated filenames of the form ????????.exe where ? is a character a-z. A new CLSID registry entry is created for each copy as follows:
HKCR\CLSID\{????????-????-????-????-????????????}
W32/Allaple-F also infects HTM and HTML files on the target computer, inserting an OBJECT tag after the opening HTML tag as follows:
<OBJECT type="application/x-oleobject"CLASSID="CLSID:????????-????-????-????-????????????"></OBJECT>
where ????????-????-????-????-???????????? is the CLSID of one of the copies. This will cause the executable to be run when the HTML page is loaded by certain browsers.
Infected HTML files are detected separately as Troj/Allaple-A.
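The following is an added example, not Sophos code: a Python triage script that finds HTM and HTML files carrying the OBJECT tag described above and lists the HKCR\CLSID key each one points at, so the matching copy can be located. The function names, the sample strings and the assumption that the CLSID consists of letters and digits are illustrative.

```python
import re
import sys
from pathlib import Path

# OBJECT tag in the form shown above. Whitespace between the two attributes is
# optional because the tag as documented has none. Assumption: the CLSID is
# made of letters and digits in the usual 8-4-4-4-12 grouping.
OBJECT_RE = re.compile(
    r'\s*<OBJECT\s+type\s*=\s*"application/x-oleobject"\s*'
    r'CLASSID\s*=\s*"CLSID:([0-9A-Z]{8}(?:-[0-9A-Z]{4}){3}-[0-9A-Z]{12})"\s*>'
    r'\s*</OBJECT>',
    re.IGNORECASE,
)
HTML_OPEN_RE = re.compile(r'<HTML\b[^>]*>', re.IGNORECASE)


def injected_clsids(html):
    """Return CLSIDs of OBJECT tags placed directly after an opening HTML tag."""
    found = []
    for tag in HTML_OPEN_RE.finditer(html):
        obj = OBJECT_RE.match(html, tag.end())  # must start where <HTML ...> ends
        if obj:
            found.append(obj.group(1).upper())
    return found


def registry_key(clsid):
    """Registry key that should hold the CLSID entry created for the copy."""
    return "HKCR\\CLSID\\{" + clsid + "}"


def scan_tree(root):
    """Map each suspicious .htm/.html file under root to its registry keys."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".htm", ".html"):
            text = path.read_text(encoding="latin-1")  # latin-1 never fails to decode
            clsids = injected_clsids(text)
            if clsids:
                report[str(path)] = [registry_key(c) for c in clsids]
    return report


# Constructed samples, not taken from a real infection.
CLEAN = "<html><head><title>ok</title></head><body></body></html>"
INFECTED = ('<HTML><OBJECT type="application/x-oleobject"'
            'CLASSID="CLSID:0A1B2C3D-1111-2222-3333-445566778899"></OBJECT>'
            '<head></head><body></body></html>')

if __name__ == "__main__":
    for name, keys in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, *keys)
```

A hit is a lead to confirm against the listed registry key and an anti-virus scan rather than a verdict, since the script only matches the tag shape and position.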
