[All About PC] Virus NewApt

Latest Reviews

ABIT VP6

ASUS A7V133

EPOX 8KTA3+

DEEP OCEAN SCREEN SAVER

Reviews

Mainboards:
	EPOX 8KTA3+
	ASUS A7V133
	ABIT VP6
	PC133 ON BX-BOARDS
Graphics Cards:
	ABIT SILURO T400
CD-ROM:
	ASUS CD-S500/A
	TEAC CD-540E
	MITSUMI FX 4820
CD-Writers:
	PLEXWRITER 12/10/32A
	MITSUMI CR-4805TE
	MITSUMI CR-4804TE
	LG CED-8042B
Software:
	DEEP OCEAN SCREEN SAVER

Virus Descriptions

	LOVELETTER
	PLAGE2000
	W32/MELTING
	W32/MYPICS
	W32/NEWAPT
	W32/PRETTY
	BABYLONIA
	SANTANA
	W97M/LENNI
	W97M/MELISSAT
	W97M/MICHAEL-B
	W97M/PRILISSA
	FUNLOVE
	WIN95.SMASH

Danger
Diffusion

The NewApt-virus will kindly remove itself in June 2000.

W32.NewApt.worm:

Virus name	W32/NewApt.worm
Type	Internet worm
Aliases	Worm.NewApt

Infection:
The worm is sighted 'in the wild' in states of europe, america and asia. It diffuses (naturally) with emails in an infected attachment. The known filenames of the attchment are:

PANTHER.EXE, FARTER.EXE, GADGET.EXE, BOSS.EXE, IRNIGANT.EXE, MONICA.EXE, CASPER.EXE, SADDAM.EXE, FBORFW.EXE, PARTY.EXE, CUPID2.EXE, HOG.EXE, GOAL1.EXE, BBOY.EXE, PIRATE.EXE, BABY.EXE, VIDEO.EXE, GOAL.EXE, COPIER.EXE, THEOBBQ.EXE, COOLER1.EXE, PANTHR.EXE, COOLER3.EXE, CHESTBURST.EXE, G-ZILLA.EXE.

The subject of the infection mail is "Just for your eyes" or "Re: Just for your eyes". The mail may content text or not. If the attached EXE-File is executed, the worm will get control to your PC.

Payload:
If the worm is executed, it copies itself into the Windows-directory using its current name mentioned above. Then it registrates its copy in the registry editor under the key
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
with different entries (respectively to the filename) and the value "C:\WIN\EXE-Filename /x". This entry takes care for the execution of the virus at every systemstart. After this the worm shows the following message on the screen:

The dynamic link library giface.dll could not be found in specified path
D:\SAMPLES;C:\WINDOWS\SYSTEM;C:\WINDOWS;C:\WINDOWS\COMMAND

which is intended to mask its existence and lead to a restart.
Further it creates and initializes the following registry keys under HKEY_CURRENT_USER\Software\Microsoft\Windows:
itn = , cat = , cd = , lk= , lms= , mda= , mde= .
The wormn registrates itself as a service and so it is executed unvisible at every start. Here it searches on every harddisk drive for internet-files (MS Mail, Outlook Express, Netscape Navigator etc.) and opens these files and sends itself to the found emailadresses.

Removal:
To remove the virus from your PC, you must delete the 'Run'-entry in the registry and thereafter remove the infected files. Norton Anti Virus offers an update. Download it: Download Virus Definition Updates

Remarks:
The worm deletes itself at June, the 12th in 2000 by removing the 'Run'-value from the registry, After this it will not be executed when you start the computer. If the date-value is set to a value before 06/12/2000, an infected EXE-file can restart an infection on your PC.

Copyright by All-About-PC. All rights reserved.
All information on this website is protected by international law. Any reproduction or publication without the agreement of the editorial office is prohibited. Please respect the work of others.
Although all information on this website is hardly recherched and mostly checked and confirmed from secondary side, we do not take the responsibillity for any damage originated from the use of the information on our site.