Sophos

W32/Apost-A

Aliases
  • Troj_Apost.A

Summary

Included in our products from October 2001 (3.50)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
macrosoft = C:\windows\readme.exe

and delete it if it exists.

Close the registry editor.

More Information

W32/Apost-A is an email-aware worm that spreads through the Microsoft Outlook mail client. It arrives in an email with the following characteristics:

Subject line: 'As per your request!'
Message body: 'Please find attached file for your review. I look forward to hear from you again very soon.  Thank you.'
Attached file: readme.exe

When the attached file is executed it will try to copy itself to the floppy drive. It will also copy itself to C:\windows\readme.exe and add the Registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
macrosoft = C:\windows\readme.exe

The worm then sends itself to people listed in the Outlook address book.

Finally, W32/Apost-A displays a dialog box with the title 'Urgent!' and a single large button labelled 'open'. When this is clicked, the worm attempts to copy itself to the floppy drive again and displays another dialog box, this time with the title 'WinZip SelfExtractor: Warning' and the text 'CRC error: 234#21'.
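The removal procedure above has you export the registry before editing it, and the persistence entry described here lives under the Run key. The following added example (not Sophos' own tooling) parses such a Regedit text export and flags any Run value matching the W32/Apost-A indicator (value name 'macrosoft' or a path ending in \windows\readme.exe). It assumes the export has already been decoded to text (Regedit 5 exports are UTF-16LE); the sample export embedded below is constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a Regedit export: one benign Run entry plus the
# W32/Apost-A persistence entry described on this page. In .reg files
# backslashes inside string values are doubled.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"macrosoft"="C:\\windows\\readme.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Notepad"="C:\\WINDOWS\\notepad.exe"
'''

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# "name"="value" with \" and \\ escapes allowed inside either string
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s: str) -> str:
    # Undo the .reg escaping of backslashes and double quotes
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] section to its string values ("name"="value" lines only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_apost_persistence(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, name, value) for Run entries matching the W32/Apost-A indicator."""
    hits: List[Tuple[str, str, str]] = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue  # only autorun keys matter for this indicator
        for name, value in values.items():
            path = value.lower().strip('"')
            if name.lower() == "macrosoft" or path.endswith(r"\windows\readme.exe"):
                hits.append((key, name, value))
    return hits
```

A hit on a live machine should be confirmed against the file at the quoted path before the value is deleted, since the key name alone is a weak indicator.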
