W32.NewApt.worm:
Virus name: W32/NewApt.worm
Type: Internet worm
Aliases: Worm.NewApt
Infection:
The worm has been sighted 'in the wild' in countries of Europe, America and Asia.
It spreads by e-mail as an infected attachment. The known filenames of the
attachment are:
PANTHER.EXE, FARTER.EXE, GADGET.EXE, BOSS.EXE,
IRNIGANT.EXE, MONICA.EXE, CASPER.EXE, SADDAM.EXE, FBORFW.EXE, PARTY.EXE,
CUPID2.EXE, HOG.EXE, GOAL1.EXE, BBOY.EXE, PIRATE.EXE, BABY.EXE, VIDEO.EXE,
GOAL.EXE, COPIER.EXE, THEOBBQ.EXE, COOLER1.EXE, PANTHR.EXE, COOLER3.EXE,
CHESTBURST.EXE, G-ZILLA.EXE.
The subject of the infection mail is "Just for your eyes" or "Re: Just for
your eyes". The mail body may or may not contain text. If the attached EXE
file is executed, the worm gains control of the PC.
Payload:
When the worm is executed, it copies itself into the Windows directory under
its current name (one of the filenames listed above). It then registers the
copy in the registry under the key
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
with a value name that depends on the filename and the value data
"C:\WIN\EXE-Filename /x". This entry causes the worm to be started at every
system start. After this the worm displays the following message on the
screen:
The dynamic link library giface.dll
could not be found in specified path
D:\SAMPLES;C:\WINDOWS\SYSTEM;C:\WINDOWS;C:\WINDOWS\COMMAND
This fake error is intended to mask the worm's presence and to prompt a
restart, after which the 'Run' entry starts the worm.
It also creates and initializes the following registry values under HKEY_CURRENT_USER\Software\Microsoft\Windows:
itn = , cat = , cd = , lk= , lms= , mda= , mde= .
The worm registers itself as a service process so that it runs invisibly at
every start. It then searches every hard disk drive for Internet mail files
(MS Mail, Outlook Express, Netscape Navigator etc.), opens them and sends
itself to the e-mail addresses found there.
Removal:
To remove the worm from your PC, delete the worm's 'Run' entry from the
registry and then delete the infected files. Norton AntiVirus offers an
update: download the Virus Definition Updates.
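The indicators given in the Infection and Payload sections (the subject lines, the attachment names and the 'Run' value "C:\WIN\EXE-Filename /x") together with the removal step above can be turned into a small triage script. The following Python is an added example, not code from the original page or from any vendor; the sample 'Run' entries and the sample mail are constructed, accepting a quoted path or a Windows directory other than C:\WIN in the 'Run' value is an assumption, and the live registry read is only attempted on Windows.

```python
"""Indicator check for W32/NewApt.worm (added example; the sample data is
constructed, the indicator values are those given in the description)."""
import email
import re
import sys

# Attachment names from the description; compared in upper case since
# Windows filenames are case-insensitive.
KNOWN_FILENAMES = {
    "PANTHER.EXE", "FARTER.EXE", "GADGET.EXE", "BOSS.EXE", "IRNIGANT.EXE",
    "MONICA.EXE", "CASPER.EXE", "SADDAM.EXE", "FBORFW.EXE", "PARTY.EXE",
    "CUPID2.EXE", "HOG.EXE", "GOAL1.EXE", "BBOY.EXE", "PIRATE.EXE",
    "BABY.EXE", "VIDEO.EXE", "GOAL.EXE", "COPIER.EXE", "THEOBBQ.EXE",
    "COOLER1.EXE", "PANTHR.EXE", "COOLER3.EXE", "CHESTBURST.EXE", "G-ZILLA.EXE",
}
KNOWN_SUBJECTS = {"just for your eyes", "re: just for your eyes"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"   # under HKLM/HKCU

# Value data is given as "C:\WIN\<name> /x".  Assumption: allow any directory
# and an optionally quoted path, but require the trailing "/x" so that
# ordinary autostart entries are not flagged.
_RUN_VALUE = re.compile(
    r'^"?(?:.*[\\/])?(?P<file>[^\\/"]+\.exe)"?\s+/x\s*$', re.IGNORECASE)


def run_value_match(data: str):
    """EXE name (upper case) if data looks like the worm's Run value, else None."""
    m = _RUN_VALUE.match(data.strip())
    if not m:
        return None
    name = m.group("file").upper()
    return name if name in KNOWN_FILENAMES else None


def scan_run_entries(entries: dict) -> list:
    """entries maps Run value name -> data; returns (value name, EXE) hits."""
    return [(n, exe) for n, d in entries.items() if (exe := run_value_match(d))]


def scan_live_run_keys() -> list:
    """Check the real HKLM/HKCU Run keys (Windows only; [] elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module
    hits = []
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        entries, index = {}, 0
        with key:
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:   # enumeration exhausted
                    break
                if isinstance(data, str):
                    entries[name] = data
                index += 1
        hits += [(hive_name, n, exe) for n, exe in scan_run_entries(entries)]
    return hits


def mail_indicators(raw: bytes) -> tuple:
    """(folded lower-case subject, attachment filenames) of a raw RFC 822 mail."""
    msg = email.message_from_bytes(raw)
    subject = " ".join(msg.get("Subject", "").split()).lower()
    return subject, [p.get_filename() for p in msg.walk() if p.get_filename()]


def is_worm_mail(raw: bytes) -> bool:
    """Flag only when subject AND an attachment name match, so that a plain
    reply carrying the worm's subject but no EXE is left alone."""
    subject, names = mail_indicators(raw)
    return subject in KNOWN_SUBJECTS and any(
        n.upper() in KNOWN_FILENAMES for n in names)


# Constructed samples: one worm entry among ordinary autostart values, and a
# mail with the worm's subject and attachment (the body is not an executable).
SAMPLE_RUN_ENTRIES = {
    "SystemTray": "SysTray.Exe",
    "boss": r"C:\WIN\BOSS.EXE /x",
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
}
SAMPLE_MAIL = b"""From: sender@example.invalid
Subject: Re: Just for your eyes
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="BOSS.EXE"
Content-Disposition: attachment; filename="BOSS.EXE"

not a real executable
--b1--
"""
```

The script only reports. On an infected Windows machine the removal step from the text corresponds to winreg.DeleteValue(key, value_name) on the reported value, followed by deleting the reported EXE from the Windows directory. On the mail side, requiring both the subject and a known attachment name keeps ordinary replies to the worm's subject line from being quarantined.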
Remarks:
On June 12, 2000 the worm removes its own 'Run' value from the registry, so
that from then on it is no longer executed when the computer starts. If the
system date is set to a value before 06/12/2000, an infected EXE file can
restart the infection on your PC.
Copyright
by All-About-PC. All rights reserved.
All information on this website is protected by international law. Any
reproduction or publication without the agreement of the editorial
office is prohibited. Please respect the work of others.
Although all information on this website has been thoroughly researched
and for the most part checked and confirmed against secondary sources, we
accept no liability for any damage arising from the use of the information
on our site.