Aliases: BlackAngel.A
Variants: W32.Jesse

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 26 May 2006
Damage: Medium

Characteristics: The W32.Sejese application is a worm that spreads through MSN Messenger, deletes files from the infected computer, and lowers down the computer's security settings.

More details about W32.Sejese

Once the worm is opened, W32.Sejese duplicates itself as “%System%\drivers\etc\jesse.exe”. It looks for all the files in the foot folder of the drives A and C. For every file located, the worm makes a duplicate of itself as “[EXISTING FILE NAME].exe” and removes the original file. Then, the worm makes the “A:\Autor.txt” and “C:\Autor.txt” files. After that, the worm changes a value in the registry key to stop the Task Manager. It also adds a value in the registry key so that it is opened each time the Windows starts. The W32.Sejese program lowers the setting of the security by ending the processes such as “_AVPCC”, “ACKWIN32”, “AD-AWARE”, “ADMINTOOL”, “ADVXDWIN”, “AGENTA”, “AGENTSVR”, “ALERTSVC”, “ALOGSERV”, and “AMON9X”. After that, the worm tries to close window with titles such as “Administrador de tareas de Windows”, “Panel de control”, “Editor del Registro”, “Utilidad de configuracin del sistema”, and “Restaurar sistema”.

The program is identified as a network worm. The W32.Sejese application propagates itself through Internet Relay Chat (IRC) channels. The program exploits the vulnerabilities of the Windows operating system. The security gaps allow the application to execute on the connected computers with administrator privileges. The program utilizes network shares protected with weak passwords and unsecured folders to distribute threats to the computers within the network. The application is encrypted with a predefined list of user names and passwords to be used on secured network shares.