Sophos

W32/Appflet-A

Aliases
  • W32.Appflet.A@mm

Summary

 
How it spreads
  • Email attachments
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since: 21 June 2005 13:54:26 (GMT)
Detected by: All Sophos products

More Information

W32/Appflet-A is a mass mailing worm for the Windows platform that sends itself
to email addresses harvested from the infected computer.

W32/Appflet-A may arrive in an email with the following characteristics:

Subject line: Actors Sexy Pictures! (Axe Sexye Bazigarhaye Cinema)

Message text: chosen from:

Hi my friend. This is a funny sexy actors pictures. Enjoy it!!

Salam be tamamie baro bach inam ye collectione bahal az axaye sexye bazigaraye cinamast. bebinid va faghat Bekhandid!! ;)

Attachment: ActorsGallery.zip

When run, W32/Appflet-A:

-displays the following fake error message "The installation has failed to start because _agl43.dll was not found. Re-installing the application may fix this problem." with the title "error loading dll"

-copies itself to:

<Windows>\msgex32.exe
<System>\InstallGallery.exe
<System>\ircmgmt.exe

where msgex32.exe and ircmgmt.exe are filenames randomly created from the following strings:

mgr
mgmt
ex32
svc
explore
pw32
info
pager
alert
reg
sys
win
msg
reg
update
inet
pager
yahoo
msn
irc

-creates the following files:

<Windows>\Flagex.Flg
<System>\ActorsGallery.zip
<System>\sysfile.dat
<System>\zippwdinfo.dat

where ActorsGallery.zip is a password-protected zipped copy of the worm and
zippwdinfo.dat is a data file that contains the password.

The following registry entry is created to run msgex32.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msgex32
<Windows>\msgex32.exe

The following registry entry is set so that ircmgmt.exe is run whenever a file with the EXE extension is opened or launched:

HKCR\exefile\shell\open\command
(default)
<System>\ircmgmt.exe "%1" %*
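
The two registry changes described above can be checked from saved `reg query` output. The following Python is an added example, not Sophos code; it assumes English-locale output, assumes that dropped names are two of the listed strings joined (as msgex32 and ircmgmt are), and uses constructed sample paths.

```python
import re

# Name fragments from the description above (duplicates dropped).
FRAGMENTS = ("mgr mgmt ex32 svc explore pw32 info pager alert reg sys win "
             "msg update inet yahoo msn irc").split()
# Assumption: a dropped name is two fragments joined, like msgex32 / ircmgmt.
NAME_RE = re.compile(r"^(?:%s){2}\.exe$" % "|".join(FRAGMENTS), re.I)

EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
STOCK_HANDLER = '"%1" %*'  # value of (Default) on an unmodified Windows install

# Constructed sample of English-locale `reg query` output; the C:\WINDOWS paths
# stand in for the <Windows> and <System> placeholders used in the description.
SAMPLE_INFECTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    msgex32    REG_SZ    C:\WINDOWS\msgex32.exe

HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    C:\WINDOWS\system32\ircmgmt.exe "%1" %*
"""

def parse_reg_query(text):
    """Parse `reg query` output into {key_path_lowercase: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line is a key path
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            m = re.match(r"\s+(.+?)\s+REG_\w+\s*(.*)$", line)
            if m:
                current[m.group(1)] = m.group(2).strip()
    return keys

def find_indicators(text):
    """Return (kind, detail) pairs for the two persistence points described."""
    keys, hits = parse_reg_query(text), []
    handler = keys.get(EXEFILE_KEY, {}).get("(Default)")
    if handler is not None and handler != STOCK_HANDLER:
        hits.append(("exefile-handler", handler))
    for name, data in keys.get(RUN_KEY, {}).items():
        exe = re.search(r'([^\\/"]+\.exe)', data, re.I)
        if exe and NAME_RE.match(exe.group(1)):
            hits.append(("run-value", f"{name} = {data}"))
    return hits

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_INFECTED):
        print(kind, detail)
```

A Run-value name match is only a lead: legitimate Windows binaries such as winmgmt.exe also fit the two-fragment pattern, so confirm against the file's location and signature. A changed exefile handler is the stronger signal, and the stock value has to be restored during cleanup or EXE files will fail to launch once the worm's copy is removed.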
