Summary

| Included in our products from | May 2002 (3.57) |
|---|---|
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Windows NT/2000/XP
In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Explorer = "<windows system folder>\explorer.exe"
and delete it if it exists.
Close the registry editor.
More Information
W32/Aplore-A is a Win32 worm which uses Microsoft Outlook to spread. It copies itself into the Windows system directory as explorer.exe and psecure20x-cgi-install6.01.bin.hx.com and adds the following value to the registry to run itself on Windows startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Explorer = "<windows system folder>\explorer.exe"
When run, the worm drops and runs the VBScript email.vbs which attempts to send an email with the worm files attached to all contacts from the Outlook address book.
These emails have the following characteristics:
Subject line:
.
Message body:
.
Attached file:
psecure20x-cgi-install.version6.01.bin.hx.com
W32/Aplore-A also contains an IRC client and an HTTP server. Before the internal web server is started, the worm drops the file index.html which acts as a homepage for the server. When the server is started, it listens for a connection on port 8180.
The IRC client attempts to connect to an IRC server and join several channels with a nickname randomly chosen from a list of female names stored in the worm code. The worm sends messages containing a link to the infected computer's web server to the IRC channels. The messages sent to the IRC channel contain the text "FREE PORN:" and the IP address of the infected computer.
If a user attempts to connect to the server, the server sends the previously dropped index.html.
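The registry check from the removal instructions above and the host indicators listed in this section (the "Explorer" Run value, the two dropped files in the system folder, the HTTP listener on TCP 8180) can be checked together with an added script such as the following. This is example code, not part of the Sophos analysis; it assumes a modern Windows PowerShell where Get-NetTCPConnection is available, and the -Remove switch is a hypothetical option that deletes what it finds.

```powershell
# Added defender-side check for the W32/Aplore-A indicators described in the analysis.
# Reports by default; -Remove (hypothetical switch) deletes the Run value and dropped files.
# Assumes Windows PowerShell 3+; Get-NetTCPConnection is not present on NT/2000/XP.
param([switch]$Remove)

$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$sysDir   = [Environment]::SystemDirectory      # the "<windows system folder>"
$dropped  = @('explorer.exe', 'psecure20x-cgi-install6.01.bin.hx.com')
$findings = @()

# 1. Persistence: a Run value named "Explorer" pointing into the system folder.
#    The legitimate shell lives in %SystemRoot%\explorer.exe and needs no Run entry.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Explorer']) {
    $target   = ([string]$run.Explorer).Trim('"')
    $expected = Join-Path $sysDir 'explorer.exe'
    if ($target -ieq $expected) {
        $findings += "Run value 'Explorer' -> $target"
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'Explorer' }
    }
}

# 2. Dropped copies of the worm in the system folder.
foreach ($name in $dropped) {
    $path = Join-Path $sysDir $name
    if (Test-Path -LiteralPath $path) {
        $findings += "Dropped file present: $path"
        # Fails while the worm process still runs; terminate it first.
        if ($Remove) { Remove-Item -LiteralPath $path -Force }
    }
}

# 3. The worm's built-in HTTP server listening on TCP 8180.
$listeners = Get-NetTCPConnection -LocalPort 8180 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 8180 listener: PID $($l.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) { 'No W32/Aplore-A indicators found.' } else { $findings }
```

A listener on 8180 alone is not proof of infection, since other software can use that port; treat it as corroborating the registry and file findings.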
