Win32.Aplore.A@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Aplore.A@mm is also known as W32.Aphex.A@mm.
Explanation:
This virus is an Internet worm written in Delphi and packed with UPX. The original file size is about 690 Kbytes.
The virus comes as an attached file in an e-mail with this form:
Subject: . (a single dot)
Body: . (a single dot)
Attachment: psecure20x-cgi-install.version6.01.bin.hx.com
When the user executes the attachment, it copies itself into the system directory as explorer.exe and as psecure20x-cgi-install.version6.01.bin.hx.com.
It adds the value:
Explorer = "%System%\Explorer.exe" (where %System% is the Windows System directory)
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
It drops a small VBS file containing a script that sends the worm to all contacts in the Outlook Address Book using Microsoft Outlook; the e-mail has the format shown above. The virus executes the script, which deletes itself after trying to send the e-mails.
It also drops a file index.html in the system directory; the page contains a link to the file psecure20x-cgi-install.version6.01.bin.hx.com, which it tries to execute automatically. The page looks like this:
Beside these files it creates a file aphex.jpg:
It tries to connect to the IRC (Internet Relay Chat) server irc.dal.net to send itself to other people. The nickname is chosen from a large list of names stored in the virus body.
It also contains an FTP server component, which can probably be used as a backdoor.
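The indicators in this write-up (the Run value, the files dropped into the System directory, and the fixed e-mail format) are easy to check for during triage. The script below is an added example, not BitDefender's code: it parses a .reg export of the Run key, compares a System directory listing against the dropped file names, and matches a message against the "." subject/body and attachment name described above. The .reg text, the file listing and the message it is run on are constructed sample data, not real captures.

```python
"""Added triage helper for the Win32.Aplore.A@mm indicators described above (not BitDefender's code).

It checks (1) a .reg export of the Run key for an "Explorer" value that launches
Explorer.exe from the System directory, (2) a System directory listing for the
dropped file names, and (3) an e-mail's subject/body/attachment against the mail
format shown in the write-up. All sample inputs below are constructed.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Indicators taken from the write-up (file names are compared case-insensitively).
DROPPED_FILES = {
    "explorer.exe",  # the worm's copy; the real shell lives in %Windir%, not %System%
    "psecure20x-cgi-install.version6.01.bin.hx.com",
    "index.html",
    "aphex.jpg",
}
SYSTEM_DIR_NAMES = {"system32", "system", "%system%"}
MAIL_ATTACHMENT = "psecure20x-cgi-install.version6.01.bin.hx.com"


def parse_reg_export(text):
    """Parse a .reg export into {key (lower-cased): {value name: string data}}.

    Only REG_SZ lines of the form "name"="data" are handled; that is all the Run key needs.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()   # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            # .reg files escape backslash and double quote with a backslash.
            name = re.sub(r"\\(.)", r"\1", m.group(1))
            data = re.sub(r"\\(.)", r"\1", m.group(2))
            keys[current][name] = data
    return keys


def check_run_key(keys):
    """Return 'name=path' for Run values named Explorer that start Explorer.exe from the System directory."""
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        path = data.strip().strip('"')
        path_l = path.lower()
        parent, _, leaf = path.rpartition("\\")
        parent_name = parent.rpartition("\\")[2].lower()
        # The write-up prints the data as %System%Explorer.exe; accept that unexpanded form too.
        in_system_dir = parent_name in SYSTEM_DIR_NAMES or path_l.startswith("%system%")
        leaf_ok = leaf.lower() == "explorer.exe" or path_l.endswith("%system%explorer.exe")
        if name.lower() == "explorer" and leaf_ok and in_system_dir:
            findings.append(f"{name}={path}")
    return findings


def check_system_dir(listing):
    """Return the dropped file names from the write-up that appear in a System directory listing."""
    present = {f.lower() for f in listing}
    return sorted(DROPPED_FILES & present)


def check_mail(subject, body, attachment):
    """True if a message matches the mail format above: '.' subject, '.' body, the named attachment."""
    return subject.strip() == "." and body.strip() == "." and attachment.lower() == MAIL_ATTACHMENT


def triage(reg_text, listing):
    """Run the host-side checks and return both result lists."""
    keys = parse_reg_export(reg_text)
    return {"run_key": check_run_key(keys), "dropped_files": check_system_dir(listing)}


# Constructed sample data (not a real capture): a Run key export and System32 listing from an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="\"C:\\WINDOWS\\System32\\Explorer.exe\""
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
'''
SAMPLE_LISTING = ["kernel32.dll", "Explorer.exe", "index.html", "aphex.jpg",
                  "psecure20x-cgi-install.version6.01.bin.hx.com", "ntdll.dll"]

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_LISTING))
    print(check_mail(".", ".", "psecure20x-cgi-install.version6.01.bin.hx.com"))
```

A hit on the Run value alone is a strong signal: the Windows shell is started by Winlogon from the Windows directory, so a Run entry named Explorer that launches an Explorer.exe out of the System directory has no legitimate reason to exist. The file-name check is weaker on its own (index.html is a common name), so treat it as corroboration rather than proof.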
If a component fails to run properly, it may display the following error message several times:
Last update 21 November 2011