W32/Aplore.A@mm
• Detected by virus detection files published: 4/8/2002
• Virus characteristics first published: 4/8/2002
• Virus characteristics latest update: 12/17/2003
• Alias: W32/Psec.A, W32.Aphex, I-Worm.Aphex, WORM_PSECURE.A
• Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista
• Type: Worm
• Spreading mechanism: Email, Webpage, IRC, Other
• Overall risk: Low
• Payload:
• Destructivity:
Email characteristics:
This fake Explorer copy is also referenced from the Registry:

HKLM\Software\Microsoft\windows\CurrentVersion\Run
EXPLORER = %SYSDIR%\EXPLORER.EXE

After this it creates the files INDEX.HTML, EMAIL.VBS and APHEX.JPG in the System directory. The file EMAIL.VBS is immediately run under WSCRIPT to mail the worm out to everyone in the address book.

The worm now does something strange: it sets up a web server. The file INDEX.HTML mentioned above is a web page which is served to people connecting to the infected machine. This web page looks something like this:

[Screenshot of the web page]

People connecting to an infected machine will thus be prompted to download and run the worm executable. Now why should people do this? Well, as it turns out, the worm is not finished. It connects to the Internet Relay Chat network and advertises the infected machine as a download point for pornographic material. Such messages can look like this:

[catlee643] FREE PORN: http://free:porn@infected ip address:8180
[chrissy223] FREE PORN: http://free:porn@infected ip address:8180

This kind of advertising is also done via AOL Instant Messenger.
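A host check built from the indicators described above, as an added example that is not part of the original write-up: it parses `reg query` text output for the Run key and looks for the dropped files and a listener on port 8180 (the port shown in the advertised URL). The function names and the sample data are constructed for illustration.

```python
import ntpath
import re

# Indicators from the description above; 8180 is the port in the advertised URL.
RUN_VALUE = "EXPLORER"
DROPPED = {"EXPLORER.EXE", "INDEX.HTML", "EMAIL.VBS", "APHEX.JPG"}
WEB_PORT = 8180
# A value line of `reg query` text output: name, type, data, 4-space separated.
REG_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")


def parse_run_values(reg_output):
    """Map upper-cased value name -> data for each value line."""
    values = {}
    for line in reg_output.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m.group(1).upper()] = m.group(3).strip().strip('"')
    return values


def check_host(reg_output, sysdir, sysdir_files, listening_ports):
    """Return findings that match the footprint the write-up describes."""
    findings = []
    fake = ntpath.normcase(ntpath.join(sysdir, "EXPLORER.EXE"))
    data = parse_run_values(reg_output).get(RUN_VALUE, "")
    # The genuine explorer.exe lives in the Windows directory, not the System
    # directory, so a Run value resolving to SYSDIR\EXPLORER.EXE is suspect.
    if data and ntpath.normcase(data) == fake:
        findings.append("run-key: EXPLORER -> " + data)
    for name in sorted(DROPPED & {f.upper() for f in sysdir_files}):
        findings.append("dropped-file: " + name)
    if WEB_PORT in listening_ports:
        findings.append("listener: tcp/%d" % WEB_PORT)
    return findings


# Constructed sample input (not captured from a real host).
SAMPLE_REG = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    EXPLORER    REG_SZ    C:\\WINDOWS\\system32\\EXPLORER.EXE\n"
    "    SomeApp    REG_SZ    \"C:\\Program Files\\SomeApp\\app.exe\" /tray\n"
)
SAMPLE_FILES = ["kernel32.dll", "email.vbs", "Index.html", "aphex.jpg", "explorer.exe"]

if __name__ == "__main__":
    for finding in check_host(SAMPLE_REG, r"C:\WINDOWS\system32", SAMPLE_FILES, [135, 445, 8180]):
        print(finding)
```

Run values stored with unexpanded variables such as %SystemRoot% are not resolved here; expand them before comparing.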
