
Win32.Aplore.A@mm

HIGH
LOW
Size: 319488 bytes
Alias: W32.Aphex.A@mm

Symptoms

- Files explorer.exe and psecure20x-cgi-install.version6.01.bin.hx.com in the System directory (usually C:\Windows\System or C:\Winnt\System32). The legitimate Explorer.exe lives in the Windows directory (C:\Windows or C:\Winnt), not in the System directory, so a copy found there is the worm's.
- Files aphex.jpg and index.htm in the System directory.

Removal instructions:


1. Make sure that you have the latest updates using BitDefender Live!;

2. Make the following changes in the Windows registry:

Please make sure to modify only the values that are specified. It is also recommended to back up the Windows Registry before proceeding with these changes.

a) Select Run... from the Start menu, then type regedit and press Enter;

b) Go to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

and delete (from the right pane) the value named Explorer whose data is "%System%\Explorer.exe". The technical description below lists this value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, so check that key as well and delete the same value if it is present there;

c) Restart your computer;

3. Perform a full scan of your system (selecting, from the Action tab, the option "Prompt user for action"). Choose to delete all the files infected with Win32.Aplore.A@mm.
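A check for the indicators listed above, as an added example (it is not Bitdefender's tooling and not the worm's code). It inspects the Run key in both hives, because step 2 names HKEY_CURRENT_USER while the technical description names HKEY_LOCAL_MACHINE, and it tells the worm's explorer.exe in the System directory apart from the real shell in the Windows directory. The host snapshot, the benign Run entries and the directory listing are constructed; on a live host the same inputs would come from winreg and os.listdir().

```python
"""Host indicator check for Win32.Aplore.A@mm.

Added example, not Bitdefender's own tooling. It runs over a constructed
snapshot of an infected host rather than the live registry, so it can be
run anywhere; on a real Windows host the two inputs would come from
winreg (the Run keys of both hives) and os.listdir() of the System
directory. Both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE are checked,
because the removal steps name the first and the technical description
names the second.
"""
import ntpath
import re

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")

# File names the description says the worm drops into the System directory
# (the page spells the HTML page both index.htm and index.html).
DROPPED_FILES = {
    "explorer.exe",
    "psecure20x-cgi-install.version6.01.bin.hx.com",
    "aphex.jpg",
    "index.htm",
    "index.html",
}


def expand_env(value, env):
    """Expand %NAME% tokens case-insensitively, as Windows does."""
    def repl(match):
        return env.get(match.group(1).lower(), match.group(0))
    return re.sub(r"%([^%]+)%", repl, value)


def check_run_keys(run_values, env):
    """Return (key, value name, data) for every Run value whose command is
    explorer.exe inside the System directory.

    The genuine Explorer lives in the Windows directory (C:\\Windows or
    C:\\Winnt) and is started as the shell, not from a Run value, so a Run
    entry launching explorer.exe from %System% is the worm's copy.
    """
    findings = []
    system_dir = ntpath.normcase(env["system"])
    for hive in HIVES:
        for name, data in run_values.get(hive, {}).items():
            command = expand_env(data, env).strip('"')
            if (ntpath.normcase(ntpath.basename(command)) == "explorer.exe"
                    and ntpath.normcase(ntpath.dirname(command)) == system_dir):
                findings.append((hive + "\\" + RUN_SUBKEY, name, data))
    return findings


def check_dropped_files(system_dir_listing):
    """Return the names from a System directory listing that match the
    dropped files, compared case-insensitively as the file system does."""
    return sorted(name for name in system_dir_listing
                  if name.lower() in DROPPED_FILES)


# Constructed snapshot of an infected Windows 98 host (not captured data).
SNAPSHOT_ENV = {"system": r"C:\Windows\System", "windir": r"C:\Windows"}
SNAPSHOT_RUN = {
    "HKEY_LOCAL_MACHINE": {
        "Explorer": r'"%System%\Explorer.exe"',               # the worm's entry
        "ScanRegistry": r"C:\Windows\scanregw.exe /autorun",  # benign, constructed
    },
    "HKEY_CURRENT_USER": {
        # Constructed benign entry pointing at the real shell in the
        # Windows directory: must not be flagged.
        "Shell": r"C:\Windows\Explorer.exe",
    },
}
SNAPSHOT_FILES = [
    "kernel32.dll", "EXPLORER.EXE", "aphex.jpg", "index.html",
    "psecure20x-cgi-install.version6.01.bin.hx.com",
]

if __name__ == "__main__":
    for key, name, data in check_run_keys(SNAPSHOT_RUN, SNAPSHOT_ENV):
        print(f"suspicious Run value: {key}\\{name} = {data}")
    for name in check_dropped_files(SNAPSHOT_FILES):
        print(f"dropped file present: {SNAPSHOT_ENV['system']}\\{name}")
```

The path comparison goes through ntpath.normcase so that a value written as "%SYSTEM%\EXPLORER.EXE" or with forward slashes still matches; on an NT host pass system=C:\Winnt\System32 in the env dictionary.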

Analyzed By

Costin Ionescu BitDefender Virus Researcher

Technical Description:

This virus is an Internet worm written in Delphi and packed with UPX. The original (unpacked) file size is about 690 Kbytes. The worm arrives as an attachment to an e-mail of the following form:

Subject: . (a single dot)
Body: . (a single dot)
Attachment: psecure20x-cgi-install.version6.01.bin.hx.com


When the user executes the attachment, the worm copies itself to the System directory as explorer.exe and as psecure20x-cgi-install.version6.01.bin.hx.com. It then adds the value

Explorer = "%System%\Explorer.exe"

(where %System% is the Windows System directory) to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that the copy is started at every logon.


It drops a small VBS file containing a script that mails the worm to every contact in the Outlook Address Book through Microsoft Outlook, using the e-mail format shown above. The worm executes the script, which deletes itself after attempting to send the messages.

It also drops into the System directory a file index.html which contains a link to psecure20x-cgi-install.version6.01.bin.hx.com and tries to execute that file automatically when the page is opened. The page looks like this:

[screenshot of the dropped index.html page; image not reproduced here]

Besides these files it creates a file aphex.jpg:

[image aphex.jpg; not reproduced here]
It tries to connect to the IRC (Internet Relay Chat) server irc.dal.net and to send itself to other users there. The nickname is chosen from a large list of names stored in the worm's body.

It also contains an FTP server component, which can probably be used as a backdoor. If a component fails to run properly, it may display the following error message several times: