We have received samples of Glieder.H variant late on August 31st 2004. Originally it was detected by us as 'Bagle.AK', but then the name was changed to 'Glieder.H'. The origin was an email message that was spammed to numerous people. The email contains an archive named FOTO.ZIP. Inside there's an HTML file and an EXE file named FOTO1.EXE.
Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
This FOTO1.EXE file that was spammed in emails is a dropper. It drops and activates a DLL component that kills processes belonging to updating components of several anti-virus programs:
ATUPDATER.EXE AUPDATE.EXE AUTOTRACE.EXE AUTOUPDATE.EXE FIREWALL.EXE ATUPDATER.EXE LUALL.EXE DRWEBUPW.EXE AUTODOWN.EXE NUPGRADE.EXE OUTPOST.EXE ICSSUPPNT.EXE ICSUPP95.EXE ESCANH95.EXE AVXQUAR.EXE ESCANHNT.EXE UPGRADER.EXE AVXQUAR.EXE AVWUPD32.EXE AVPUPD.EXE CFIAUDIT.EXE UPDATE.EXE NUPGRADE.EXE MCUPDATE.EXE
Then it attempts to download to download a file from several websites. The list of URLs is hardcoded in the program's body.