Back to the Homepage
german version

An easy guide to build yourself a PC
Hardwaretests: Testresults and benchmarks
Viruses: Prophylaxis, identification, removal

All About PC - get in contact
All About PC - Impressum
Links

 Latest Reviews 

Click to read the review!
ABIT VP6
Click to read the review!
ASUS A7V133
Click to read the review!
EPOX 8KTA3+
Click to read the review!
DEEP OCEAN SCREEN SAVER

 Reviews 
 Virus Descriptions 


Danger
Diffusion

The NewApt-virus will kindly remove itself in June 2000.

W32.NewApt.worm:

Virus name

W32/NewApt.worm

Type

Internet worm 

Aliases

Worm.NewApt

Infection:
The worm is sighted 'in the wild' in states of europe, america and asia. It diffuses (naturally) with emails in an infected attachment. The known filenames of the attchment are:

PANTHER.EXE, FARTER.EXE, GADGET.EXE, BOSS.EXE, IRNIGANT.EXE, MONICA.EXE, CASPER.EXE, SADDAM.EXE, FBORFW.EXE, PARTY.EXE, CUPID2.EXE, HOG.EXE, GOAL1.EXE, BBOY.EXE, PIRATE.EXE, BABY.EXE, VIDEO.EXE, GOAL.EXE, COPIER.EXE, THEOBBQ.EXE, COOLER1.EXE, PANTHR.EXE, COOLER3.EXE, CHESTBURST.EXE, G-ZILLA.EXE.

The subject of the infection mail is "Just for your eyes" or "Re: Just for your eyes". The mail may content text or not. If the attached EXE-File is executed, the worm will get control to your PC.

Payload:
If the worm is executed, it copies itself into the Windows-directory using its current name mentioned above. Then it registrates its copy in the registry editor under the key
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
with different entries (respectively to the filename) and the value "C:\WIN\EXE-Filename /x". This entry takes care for the execution of the virus at every systemstart. After this the worm shows the following message on the screen:

The dynamic link library giface.dll could not be found in specified path
D:\SAMPLES;C:\WINDOWS\SYSTEM;C:\WINDOWS;C:\WINDOWS\COMMAND

which is intended to mask its existence and lead to a restart.
Further it creates and initializes the following registry keys under  HKEY_CURRENT_USER\Software\Microsoft\Windows:
  itn = , cat = , cd = , lk= , lms= , mda= , mde= .
The wormn registrates itself as a service and so it is executed unvisible at every start. Here it searches on every harddisk drive for internet-files (MS Mail, Outlook Express, Netscape Navigator etc.) and opens these files and sends itself to the found emailadresses.

Removal:
To remove the virus from your PC,  you must delete the 'Run'-entry in the registry and thereafter remove the infected files. Norton Anti Virus offers an update. Download it: Download Virus Definition Updates

Remarks:
The worm deletes itself at June, the 12th in 2000 by removing the 'Run'-value from the registry, After this it will not be executed when you start the computer. If the date-value is set to a value before 06/12/2000, an infected EXE-file can restart an infection on your PC.

Copyright by All-About-PC. All rights reserved.
All information on this website is protected by international law. Any reproduction or publication without the agreement of the editorial office is prohibited. Please respect the work of others. 
Although all information on this website is hardly recherched and mostly checked and confirmed from secondary side, we do not take the responsibillity for any damage originated from the use of the information on our site.