the readme.exe file in the Windows ( C:\Windows or C:\Winnt ) folder.
the following registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\macrosoft with the value "%windir%\readme.exe", where %windir% is C:\Windows or C:\Winnt.
- Make the following changes in the Windows registry:
Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.
- Select Run... from Start, then type regedit and press Enter;
- Delete the following key:
- Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Apost.A@mm.
Costin Ionescu BitDefender Virus Researcher
This virus is an Internet Worm working on Windows systems. It spreads through e-mails as an attached file and is activated when the user executes the attachment.
When executed, the virus copies itself to the root of every drive (including floppy disks) under the name readme.exe. It also copies itself to the Windows directory and sets the following registry key so that it is executed at every startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\macrosoft with the value %windir%\readme.exe
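The removal steps above and this description point at the same two artifacts: the Run value named macrosoft in HKCU and the readme.exe copies in %windir% and in every drive root. The following PowerShell script is an added example (not BitDefender's own tool) that checks a Windows machine for exactly those artifacts, reports them, and deletes them only when run with the assumed -Remove switch:

```powershell
# Added example: detect (and optionally remove) the Win32.Apost.A@mm artifacts
# named in the description. Report-only by default; -Remove is this script's own switch.
param([switch]$Remove)

$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valName  = 'macrosoft'
$expected = Join-Path $env:windir 'readme.exe'   # %windir%\readme.exe
$findings = @()

# 1. Startup persistence: Run value "macrosoft" pointing at %windir%\readme.exe
$val = (Get-ItemProperty -Path $runKey -Name $valName -ErrorAction SilentlyContinue).$valName
if ($val) {
    $expanded = [Environment]::ExpandEnvironmentVariables($val).Trim('"')
    $findings += [pscustomobject]@{
        Type     = 'Registry'
        Location = "$runKey\$valName"
        Value    = $val
        Match    = ($expanded -ieq $expected)   # $true when it is the documented value
    }
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $valName }
}

# 2. File copies: readme.exe in the Windows directory and in the root of every drive
$paths = @($expected) + (Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root } |
    ForEach-Object { Join-Path $_.Root 'readme.exe' })
foreach ($p in ($paths | Select-Object -Unique)) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $p
            Value    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash  # recorded for triage
            Match    = $true
        }
        if ($Remove) { Remove-Item -LiteralPath $p -Force }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { 'No Win32.Apost.A@mm artifacts found.' }
```

A readme.exe at a drive root is a weak indicator on its own; the Run value with this exact name and path is the one that matches the description, so review the Match column before running with -Remove. Deleting the file may fail while the worm is still running, which is why the page's own instructions end with a full scan.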
After this, it uses MAPI (Mailing Application Programming Interface) to send an e-mail to every contact in the user's Address Book and sets Outlook to erase these messages after they are sent.
The mail looks like this:
Subject: As per your request!
Body: Please find attached file for your review. I look forward to hear from you again very soon. Thank you.
Attachment: readme.exe
An example of this type of e-mail is:
After this spreading routine, the virus displays the following window and waits for the user to click the Open button:
When the user clicks the button, it shows a fake error message:
The virus then runs the spreading routine again: it copies itself again and sends the e-mails again.