We received samples of the Glieder.H variant late on August 31st, 2004. We originally detected it as 'Bagle.AK', but the name was later changed to 'Glieder.H'. The sample originated from an e-mail message that was spammed to numerous people. The e-mail contains an archive named FOTO.ZIP, which holds an HTML file and an EXE file named FOTO1.EXE.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
This FOTO1.EXE file that was spammed in e-mails is a dropper. It drops and activates a DLL component that kills processes belonging to updating components of several anti-virus programs:
ATUPDATER.EXE, AUPDATE.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, FIREWALL.EXE, ATUPDATER.EXE, LUALL.EXE, DRWEBUPW.EXE, AUTODOWN.EXE, NUPGRADE.EXE, OUTPOST.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE, ESCANH95.EXE, AVXQUAR.EXE, ESCANHNT.EXE, UPGRADER.EXE, AVXQUAR.EXE, AVWUPD32.EXE, AVPUPD.EXE, CFIAUDIT.EXE, UPDATE.EXE, NUPGRADE.EXE, MCUPDATE.EXE
Then it attempts to download a file from several websites. The list of URLs is hardcoded in the program's body.
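The delivery described above, a ZIP attachment carrying an HTML file next to an EXE, is something a mail gateway can check for before the archive reaches a user. The following Python is an added example, not F-Secure's detection logic; the function names, the extension list and the sample archive (harmless stand-ins, including the assumed name `foto.html`) are constructed for illustration.

```python
import io
import os
import zipfile

# Extensions Windows will execute on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".cpl"}

def find_executables(zip_bytes):
    """Return (member name, reason) for each member that looks like a Windows executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            encrypted = bool(info.flag_bits & 0x1)
            magic = b""
            if not encrypted:
                # Read only the first two bytes; DOS/PE files start with "MZ".
                with archive.open(info) as member:
                    magic = member.read(2)
            if magic == b"MZ":
                findings.append((info.filename, "MZ header"))
            elif ext in EXECUTABLE_EXTENSIONS:
                # Content unreadable (password-protected) or not PE: trust the name.
                findings.append((info.filename, "executable extension"))
    return findings

def should_quarantine(zip_bytes):
    """Gateway policy for this example: hold any archive that carries an executable."""
    return len(find_executables(zip_bytes)) > 0

def build_sample_archive():
    """Constructed sample mirroring the FOTO.ZIP layout with inert content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("foto.html", "<html><body>constructed sample</body></html>")
        archive.writestr("FOTO1.EXE", b"MZ" + b"\x00" * 62)    # fake header, not a real program
        archive.writestr("holiday.jpg", b"MZ" + b"\x00" * 62)  # renamed executable
        archive.writestr("notes.txt", "plain text")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in find_executables(build_sample_archive()):
        print(f"{name}: {reason}")
```

Checking the header as well as the extension catches an executable that has been renamed inside the archive, which an extension-only filter would pass.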
F-Secure Anti-Virus detects Glieder.H starting from the following update:
Detection Type: PC
Description Created: Alexey Podrezov; August 31st, 2004
Description Last Modified: Tzvetan Chaliavski; September 1st, 2004