Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Aplore.A

Aliases: Aphex, I-Worm.Aphex, Psec

Win32/Aplore.A is a worm with a compressed body.  To operate it requires the operating system Windows 95 or later version.  It spreads in the form of a email file attachment or by means of a web page which the worm brings to the attention of user on IRC.  The worm arrives as file psecure20x-cgi-install.version6.01.bin.hx.com in an attachment of an email message with subject ".".  In the message body there is the only character - ".".  The file attachment is 319448 bytes in size. When unpacked it increases its size to 691712 bytes.

Note: In following text a symbolic inscription %windir%. is used instead of name of the directory where Windows is installed. Naturally, this can be different in any single installation.

When the user runs the file psecure20x-cgi-install.version6.01.bin.hx.com the worm is activated.  This file copies the worm, under the same name, into the directory %windir%/system.  Here it will also create the file explorer.exe containing second copy of the worm.  The worm is created in a registry run key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run entry Explorer and sets it to the file %windir%/system/explorer.exe. In this way the worm ensures its activation after a restart of the operating system.  The worm spreads by means of email using Visual Basic Script.  In the directory %windir%/system it will form file email.vbs.  This file sends the message with the worm in attachment to all users in the Microsoft Outlook Address Book and then deletes the file email.vbs.  In the directory %windir%/system the worm creates file index.html.  By means of tag HTML REFRESH it tries to run the file with the worm from the file psecure20x-cgi-install.version6.01.bin.hx.com.  The file creates the following page:


After a while it offers to copy the file psecure20x-cgi-install.version6.01.bin.hx.com:



After the worm infection, a built-in web server is activated. It offers to display the above mentioned file index.html.  The worm contains a code which by means of IRC tries to lure the user into opening a page on the infected computer.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without prior permission from Eset.

 

PROTECT YOUR COMPUTER!
ESET's NOD32 provides comprehensive, easy-to-use, and affordable protection from today's and tomorrow's threats. We put the malware expert inside the software, so you don't have to become one.

DOWNLOAD ESET NOD32 ANTI VIRUS SOFTWARE

 

 

Solutions - Products - Purchase - Download - Support - Threat Center - Partners - Company - Global Sites
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.