Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for disinfecting PE executables.
Please read the instructions for removing PE executable viruses.
You will also need to edit the following registry entry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
The virus will have added the text "C:\<Windows>\APPBOOST.EXE" to each of the HKEY_CLASSES_ROOT registry entries below. Edit each entry to remove this text, so that the entries read:
HKCR\exefile\shell\open\command = "%1" %*
HKCR\scrfile\shell\open\command = "%1" /S
HKCR\comfile\shell\open\command = "%1" %*
HKCR\batfile\shell\open\command = "%1" %*
HKCR\piffile\shell\open\command = "%1" %*
HKCR\cmdfile\shell\open\command = "%1" %*
Note: delete only the path and name of the virus. Do not delete anything else.
Close the registry editor.
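The check behind the steps above, as an added example that is not part of the original Sophos description: a Python script that reads a Regedit text export and reports which of the six open-command entries carry text in front of the expected value, together with the value to restore. The sample export and its C:\WINDOWS path are constructed for illustration.

```python
import re

# Default commands the removal steps on this page restore.
EXPECTED = {"exefile": '"%1" %*', "scrfile": '"%1" /S', "comfile": '"%1" %*',
            "batfile": '"%1" %*', "piffile": '"%1" %*', "cmdfile": '"%1" %*'}

KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\(\w+)\\shell\\open\\command\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

# Constructed sample export (REGEDIT4 text format); C:\WINDOWS is assumed.
SAMPLE = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\APPBOOST.EXE \"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="C:\\WINDOWS\\APPBOOST.EXE \"%1\" /S"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

def audit(reg_text):
    """Map each modified file class to (current value, prepended text, value to restore)."""
    findings, file_class = {}, None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            file_class = m.group(1).lower() if m else None
            continue
        m = DEFAULT_RE.match(line)
        if not m or file_class not in EXPECTED:
            continue
        # .reg files escape backslashes and double quotes with a backslash.
        value = re.sub(r'\\(["\\])', r"\1", m.group(1))
        expected = EXPECTED[file_class]
        if value != expected:
            # Only text in front of the expected command counts as a prefix;
            # any other difference is reported with prefix None for manual review.
            prefix = value[:-len(expected)].strip() if value.endswith(expected) else None
            findings[file_class] = (value, prefix, expected)
    return findings

if __name__ == "__main__":
    for cls, (value, prefix, restore) in sorted(audit(SAMPLE).items()):
        print(f"{cls}: prepended {prefix!r}; restore to {restore}")
```

The script only reports; the edit itself is still made in the registry editor as described, removing the prepended path and nothing else.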
More Information
W32/Appix-E is a virus which infects files with the extensions EXE, COM, BAT, PIF, SCR, CMD and MSI.
W32/Appix-E can spread by emailing itself via SMTP or MAPI and via IRC channels.
W32/Appix-E exploits the vulnerability in certain versions of Microsoft Internet Explorer, Outlook Express and Outlook which allows automatic execution of an attached file when viewing an infected email message.
W32/Appix-E copies itself to the Windows folder as the files APPBOOST.EXE and APPBSVC.EXE and sets the following registry entries:
HKCR\exefile\shell\open\command = "C:\<Windows>\APPBOOST.EXE "%1" %*"
HKCR\scrfile\shell\open\command = "C:\<Windows>\APPBOOST.EXE "%1" /S"
HKCR\comfile\shell\open\command = "C:\<Windows>\APPBOOST.EXE "%1" %*"
HKCR\batfile\shell\open\command = "C:\<Windows>\APPBOOST.EXE "%1" %*"
HKCR\piffile\shell\open\command = "C:\<Windows>\APPBOOST.EXE "%1" %*"
HKCR\cmdfile\shell\open\command = "C:\<Windows>\APPBOOST.EXE "%1" %*"
Thus the virus is run before any EXE, COM, CMD, BAT, SCR or PIF file.
Emails have the following characteristics:
The subject line is one of:
A nice Screensaver of
Ein netter Screensaver von
New Version of
Eine neue Version von
Important!:
Wichtig!:
and one of:
Pamela Anderson
Angelina Jolie
Anna Kournikova
Porn Screensaver
Sex ScreenSaver
TvTool
Flashget
WarezBoardAccess
Undelivarable Email
Brute Force Tool
Kundigung (Provider)
The attached file is one of:
PamAnderson.scr
Jolie.scr
AnnaKournikova.scr
XXX.scr
FreeSex.exe
TvTool.exe
FlashGet.exe
WarezBoardAccess.exe
Undelivarablemail.exe
BestTool.exe
vertrag.exe
W32/Appix-E attempts to terminate processes with the following names:
ANTIVIR
AVP32
AVPCC
NOD32
NPSSVC
NRESQ32
NSCHED32
NSCHEDNT
NSPLUGIN
NAV
NAVA
PSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
AVPM
ALERTSVC
AMON
N32SCANW
NAVWNT
AVPUPD
AVGCTRL
AVWIN95
SCAN32
VSHWIN32
F-STOPW
F-PROT95
ACKWIN32
VETTRAY
SWEEP95
PCCWIN98
IOMON98
AVPTC
AVE32
AVCONSOL
FP-WIN
DVP95
F-AGNT95
CLAW95
NVC95
SCAN
VIRUS
LOCKDOWN2000
NORTON
MCAFEE
ANTIVIR
FIREWAL
VET95
SAFEWEB
WEBSCANX
ICMON
CFINET
AVP.EXE
ZONEALARM
AMON.EXE
PCCIOMON
PCCMAIN
POP3TRAP
WEBTRAP
AVSYNMGR
NMAIN
LUALL
LUCOMSERVER
IAMAPP
ATRACK
IAMSERV
PCFWALLICON
TDS2-98
TDS2-NT
VSECOMR
NISSERV
NISUM
F-PROT
AOL
W32/Appix-E may also infect PHP and PHTML files by appending script to them that is intended to spread through PHP, PHTML, HTM and HTML files.
Finally, W32/Appix-E drops and executes VBS/Appix-E and REG/Appix-E within the Windows folder as APPBOOST.VBS and APPBOOST.REG respectively.
