Sophos

W32/Appflet-E

Aliases
  • Email-Worm.Win32.Arman.e
  • W32/Aflet.worm
  • Win32/Arman.NAD
  • W32.Appflet.A@mm

Summary

 
How it spreads
  • Email attachments
  • Chat programs
Affected operating systems
  • Windows
Characteristics
  • Installs itself in the registry
Included in our products from September 2006 (4.09)
Protection available since 8 August 2006 13:27:43 (GMT)
Detected by All Sophos products

More Information

W32/Appflet-E is a worm for the Windows platform.

W32/Appflet-E sends itself out to email addresses harvested from the infected computer or spreads via Instant Messenger applications.

W32/Appflet-E may arrive in an email with the following characteristics:

Subject line: Actors Sexy Pictures! (Axe Sexye Bazigarhaye Cinema)

Message text:

'Hi my friend. This is a funny sexy actors pictures. Enjoy it!!

Salam be tamamie baro bach inam ye collectione bahal az axaye sexye bazigaraye cinamast. bebinid va faghat Bekhandid!! ;)

Password : '

When first run, W32/Appflet-E displays the following fake error message:

Title: 'error loading dll'

Message text:

'The installation has failed to start because _agl43.dll was not found. Re-installing the application may fix this problem.'

When first run, W32/Appflet-E copies itself to:

<Windows>\syspager.exe
<System>\InstallGallery.exe
<System>\yahoosvc.exe

and creates the following files:

<Windows>\Flagex.Flg
<System>\ActorsGallery.zip
<System>\sysfile.dat
<System>\zippwdinfo.dat

The following registry entry is created to run syspager.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
syspager
<Windows>\syspager.exe

The following registry entry is set or modified so that yahoosvc.exe is run whenever a file with the EXE extension is opened or launched:

HKCR\exefile\shell\open\command
(default)
<System>\yahoosvc.exe "%1" %*
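
A read-only check for the files and registry values listed above, given here as an added example (not Sophos code). It assumes <Windows> and <System> mean %windir% and the system directory of the machine it runs on, and it relies on the Windows default value "%1" %* for the EXE open command.

```powershell
# Added example: read-only check for the W32/Appflet-E artifacts in this advisory.
# Assumption: <Windows> = %windir%, <System> = the local system directory.
$windowsDir = $env:windir
$systemDir  = [Environment]::SystemDirectory

$findings = @()

# 1. Worm copies and data files named in the advisory.
$paths = @(
    (Join-Path $windowsDir 'syspager.exe'),
    (Join-Path $systemDir  'InstallGallery.exe'),
    (Join-Path $systemDir  'yahoosvc.exe'),
    (Join-Path $windowsDir 'Flagex.Flg'),
    (Join-Path $systemDir  'ActorsGallery.zip'),
    (Join-Path $systemDir  'sysfile.dat'),
    (Join-Path $systemDir  'zippwdinfo.dat')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. Run-key persistence: a value named "syspager".
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'syspager' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value syspager = $($run.syspager)" }

# 3. EXE handler hijack: any value other than the Windows default is reported.
$cmdKey   = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$expected = '"%1" %*'
$handler  = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
if ($handler -ne $expected) {
    $findings += "exefile open command = '$handler' (expected '$expected')"
}

if ($findings) { $findings } else { 'No W32/Appflet-E artifacts found.' }
```

If the EXE open command has been changed, restore it to "%1" %* before removing yahoosvc.exe; otherwise EXE files will fail to launch.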
