W32/Aplore-A is a Win32 worm that uses Microsoft Outlook to spread. It copies itself into the Windows system directory as explorer.exe and
psecure20x-cgi-install6.01.bin.hx.com, and adds the following value to the registry to run itself on Windows startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Explorer = "<windows system folder>\explorer.exe"
When run, the worm drops and runs the VBScript file email.vbs, which attempts to send an email with the worm files attached to all contacts in the Outlook address book.
These emails have the following characteristics:
Subject line:
.
Message body:
.
Attached file:
psecure20x-cgi-install.version6.01.bin.hx.com
W32/Aplore-A also contains an IRC client and an HTTP server. Before the internal web server is started, the worm drops the file index.html which acts as a homepage for the server. When the server is started, it listens for a connection on port 8180.
The IRC client attempts to connect to an IRC server and join several channels with a nickname randomly chosen from a list of female names stored in the worm code. The worm sends messages containing a link to the infected computer's web server to the IRC channels. The messages sent to the IRC channel contain the text "FREE PORN:" and the IP address of the infected computer.
If a user attempts to connect to the server, the server sends the previously dropped index.html.
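
A host triage check built from the indicators in this description, as an added example that is not part of the original write-up: it parses `reg query` output for the Run key, `netstat -an` output, and a listing of the system directory. The sample text, the `system_dir` argument and all function names are assumptions made for illustration.

```python
import re

# Indicators taken from the description above; the page spells the second
# file name two ways, so both are listed.
RUN_VALUE = "explorer"
DROPPED = {"explorer.exe", "psecure20x-cgi-install6.01.bin.hx.com",
           "psecure20x-cgi-install.version6.01.bin.hx.com"}
HTTP_PORT = 8180

# Constructed sample input (not captured from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Explorer    REG_SZ    C:\WINDOWS\system32\explorer.exe
    ExampleApp    REG_SZ    C:\Program Files\Example\app.exe
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8180           0.0.0.0:0              LISTENING
"""

def parse_reg_query(text):
    """Parse `reg query` output into {lowercased value name: data}."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(.+?)\s+REG_\w+\s+(.*)$", line)
        if m:
            values[m.group(1).lower()] = m.group(2).strip().strip('"')
    return values

def listening_ports(text):
    """Return the TCP ports in LISTENING state from `netstat -an` output."""
    ports = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            ports.add(int(f[1].rsplit(":", 1)[1]))
    return ports

def check_host(reg_text, netstat_text, system_dir, system_files):
    """Return the list of Aplore-A indicators that match this host's data."""
    findings = []
    expected = (system_dir.rstrip("\\") + "\\explorer.exe").lower()
    if parse_reg_query(reg_text).get(RUN_VALUE, "").lower() == expected:
        findings.append("run-key")
    findings += sorted("file:" + n for n in DROPPED & {f.lower() for f in system_files})
    if HTTP_PORT in listening_ports(netstat_text):
        findings.append("port-8180")
    return findings
```

A port 8180 listener on its own is weak evidence, since other software can use that port; the Run value pointing at explorer.exe inside the system directory is the more specific match.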