Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 26 Jun 2007
Damage: Medium

Characteristics: W32.Ogleon.A is a worm that propagates via removable storage devices or media. It is also considered as a dropper of a copy of “Infostealer.Gampass” file on to the infected computer. It affects all Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003 and Windows 2000 Operating Systems. Once opened, it creates mutex “bat326exe” that ensures only one instance of the worm is running on the infected computer. File creation is also a part of its routine infection.

More details about W32.Ogleon.A

It creates files such as: usbine.sys, ctfnom.exe, dh2103.dll, dllhost32.exe, EBSPI.dll, mh104.dll, MOSOU.dll, mosou.exe, MsAudio.sys, nwizdh.exe, nwizfy.dll, nwizfy.exe, nwizhx2.dll, nwizhx2.exe, nwizqjsj.exe, nwiztlbb.dll, nwiztlbu.exe, nwizwlwzs.dll, nwizwlwzs.exe, nwizwmgjs.dll, nwizwmgjs.exe, nwizzhuxians.dll, nwizzhuxians.exe, Ravasktao.dll, Ravasktao.exe, ztinetzt.dll and ztinetzt.exe. It also copies itself on the current folder of the infected computer. These files include npptools.dll, Packet.dll, WanPacket.dll and npf.sys. Registry keys are also modified so that the worm will automatically run every time the windows start. The worm also has minimal remote capability through which it may contact this website, yz1.micyosoft.net.

Many experts state that a remote hacker can have unlimited power over the infected computer through the W32.Ogleon.A program. Spying is among the most common thing that a hacker would perform using this program. The hacker may possibly command the W32.Ogleon.A program to download and install spying tools like a keylogger to the infected machine. This spying tool may be used to record the victim’s computer activities and save the data to a log file. This log file may be sent to the remote attacker for his assessment.