W32.Entangle.Worm


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Slow
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 02 Apr 2002
Damage: Low

Characteristics: W32.Entangle.Worm is a mass-mailing email worm: malicious code that propagates by sending itself via email. Typically, a mass-mailing email worm uses its own SMTP engine to send itself, so copies of the sent worm do not appear in the infected user's outgoing or sent mail folders. The worm sends itself to the email addresses it gathers from files on the infected computer. The attachment may carry an .exe, .scr, or .zip file extension. The worm also alters the local hosts file to prevent access to various websites. It displays a message box saying, "C:\WINDOWS\TEMP\ACHTUNG.EXE is not valid Win32 application." and prompts the user to press the "Ok" button. Reports also describe it as a backdoor worm that continuously copies itself into all of the Windows system folders of the compromised computer.

More details about W32.Entangle.Worm

System folders may contain these files when this worm is present on the computer: Kernel32.exe, Win32DLL.exe, WinFAT32.exe, WinApi32.exe, MpSrvr32.exe, Msgsrv.exe, Pstore32.exe and Dfg32.exe. Once it is on the computer, it may also change system settings. On Windows 95/98/Me computers, the worm also changes the shell line in the boot section of System.ini. It also alters the Windows registry so that it runs at each Windows startup. The majority of Windows operating systems are affected by this worm.

This worm can collect all of the email addresses in your contacts folder because it creates and runs a Visual Basic script, named send.vbs, which can be seen in the Temp folder. The Windows Temp folder is the primary folder in which this worm saves its copies; the worm repeatedly looks for this folder in order to spread on the compromised computer.

The worm sends email with any of the following subject lines: "Nice Tool", "Geschenk", "Joke!", "Wichtig!", "Einladung", "Cool", "Update", "Info", "Achtung!", "Gehard Schröder", "Papst", "Mitteilung", "Neuigkeit" and "*G*". The message body contains any of the following: "FICKEN!, Hi! Anbei das neue Desktop Tool 3.11! HAHAHA! Das MUSST du dir anschauen...Bills bester Freund *g* Neustes Outlook Update....anbei die Wegbeschreibung Schau dir mal das Video an, es gibt gewisse Ähnlichkeiten mit Dir! Moorhuhn Version 3.11! Achtung neuer Virus gefunden! Ich hab Dir das neue Demo von *LPL* geschickt! Tolles Portrait!von unserem Gerhard!"&vbcrlf&"haha Jetzt wissen wir warum! Hallo, Achtung es kursiert ein sehr gefährlicher Virus! Ich habe dir schon mal den Virus-Check dafür an die Mail gehängt. Führ den Check bitte aus! Der Virus löscht nämlich dein komplettes Windows. Ciao bis dann! Endlich mal was wirkilch neues."

The email also carries executable attachments (.exe or .scr) such as Desk.exe, Geschenk.exe, Joke.txt.scr, Outlockupt.exe, Einladung.exe, Cool.exe, Moorhuhn.exe, Info.rtf.scr, Achtung.exe, Politiker.bmp.scr, Papst.exe, VirFix.exe, Neuigkeit.exe, nude.exe and Titten.exe. The first thing the W32.Entangle.Worm program may do is download and install files through the Internet browser and place them on the system. Such downloading and installing can originate from different applications, such as backdoor worms; in the case of W32.Entangle.Worm, it originates from the websites visited by the user. The worm conceals its files so that it can do its damage. Once its files are executed, the worm can carry out its malicious activity using commands managed by a remote server. All of this can happen without the user's knowledge.
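The indicators listed in this entry (dropped file names, the send.vbs script, the hosts-file tampering, and the subject lines and attachment names used in the mails) can be turned into a simple triage check. The following script is an added example written for this page; it is not code from the original entry or from any vendor. The indicator sets are transcribed from the text above, the "ö" in the "Gehard Schröder" subject is an assumption (the character is mis-rendered on the page), and every sample input (file paths, mail metadata, hosts-file contents) is constructed for the demonstration. The double-extension check generalizes the page's examples such as Joke.txt.scr and Politiker.bmp.scr to any name that hides an executable extension behind a benign-looking one.

```python
"""Defensive triage helpers for the W32.Entangle.Worm indicators listed on this page.

Added example, not code from the original entry. Indicator lists come from the text;
sample inputs at the bottom are constructed and are not real captures.
"""
import ntpath
from typing import Iterable, List

# File names the entry reports in the Windows system folders and the Temp folder.
# Note: the legitimate file is kernel32.dll; a kernel32.exe is itself a red flag.
DROPPED_FILES = {
    "kernel32.exe", "win32dll.exe", "winfat32.exe", "winapi32.exe",
    "mpsrvr32.exe", "msgsrv.exe", "pstore32.exe", "dfg32.exe",
    "send.vbs",      # the address-harvesting script created in the Temp folder
    "achtung.exe",   # referenced in the fake "not valid Win32 application" dialog
}

# Subject lines the worm is reported to use (compared case-insensitively).
SUBJECTS = {
    "nice tool", "geschenk", "joke!", "wichtig!", "einladung", "cool", "update",
    "info", "achtung!", "gehard schröder",  # "ö" assumed; page rendering is garbled
    "papst", "mitteilung", "neuigkeit", "*g*",
}

# Attachment names the worm is reported to use.
ATTACHMENTS = {
    "desk.exe", "geschenk.exe", "joke.txt.scr", "outlockupt.exe", "einladung.exe",
    "cool.exe", "moorhuhn.exe", "info.rtf.scr", "achtung.exe", "politiker.bmp.scr",
    "papst.exe", "virfix.exe", "neuigkeit.exe", "nude.exe", "titten.exe",
}

# Extensions the entry says the mailed attachment carries (.zip is a container,
# so it is not treated as directly executable here).
EXECUTABLE_EXT = {".exe", ".scr"}


def attachment_reasons(name: str) -> List[str]:
    """Return the reasons an attachment name is suspicious (empty if none)."""
    reasons = []
    lower = name.lower()
    if lower in ATTACHMENTS:
        reasons.append(f"known Entangle attachment name: {name}")
    root, ext = ntpath.splitext(lower)
    _, inner = ntpath.splitext(root)  # non-empty when a second extension precedes ext
    if ext in EXECUTABLE_EXT:
        if inner:
            reasons.append(f"double extension hides executable: {name}")
        else:
            reasons.append(f"executable attachment: {name}")
    return reasons


def triage_mail(subject: str, attachments: Iterable[str]) -> List[str]:
    """Match a mail's subject and attachment names against the listed indicators."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append(f"known Entangle subject: {subject!r}")
    for att in attachments:
        reasons.extend(attachment_reasons(att))
    return reasons


def scan_file_names(paths: Iterable[str]) -> List[str]:
    """Return paths whose base name matches a file the worm is reported to drop.
    ntpath.basename splits on both '\\' and '/', so Windows paths work on any host."""
    return [p for p in paths if ntpath.basename(p).lower() in DROPPED_FILES]


def hosts_sinkholes(hosts_text: str) -> List[str]:
    """Return host names that a hosts file maps to a loopback or null address.
    The entry says the worm edits the hosts file to block sites; this surfaces
    every such override other than the normal localhost entries."""
    flagged = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr in {"127.0.0.1", "0.0.0.0", "::1"}:
            flagged.extend(n for n in names
                           if n.lower() not in {"localhost", "localhost.localdomain"})
    return flagged


# Constructed sample inputs (not real captures).
SAMPLE_PATHS = [
    r"C:\WINDOWS\SYSTEM32\kernel32.dll",   # legitimate
    r"C:\WINDOWS\SYSTEM\Kernel32.exe",     # worm copy
    r"C:\WINDOWS\TEMP\send.vbs",           # harvesting script
    r"C:\WINDOWS\notepad.exe",             # legitimate
]
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 av-vendor.example
0.0.0.0   update.example
"""

if __name__ == "__main__":
    print(triage_mail("Joke!", ["Joke.txt.scr"]))
    print(scan_file_names(SAMPLE_PATHS))
    print(hosts_sinkholes(SAMPLE_HOSTS))
```

The subject and attachment lists are exact-match indicators for this worm, while the double-extension rule and the hosts-file override check are generic and will also surface unrelated tampering, so treat their hits as leads to verify rather than confirmations of this specific worm.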