
Win32.Apost.A@mm

LOW
LOW
24576 bytes
(I-Worm.Apost)

Symptoms

  • the readme.exe file in the Windows (C:\Windows or C:\Winnt) folder.

  • the following registry key:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\macrosoft with the value
    "%windir%\readme.exe" where %windir% is C:\Windows or C:\Winnt.
Removal instructions:

    1. If you don't have BitDefender installed, download an evaluation version.

    2. Make the following changes in the windows registry:

      Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.

      1. Select Run... from Start, then type regedit and press Enter;
      2. Delete the following key:
        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\macrosoft

    3. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Apost.A@mm.

    Analyzed By

    Costin Ionescu BitDefender Virus Researcher

    Technical Description:

    This virus is an Internet Worm working on Windows systems. It spreads through e-mails as an attached file and is activated when the user executes the attachment.

    When executed, the virus copies itself to the root of every drive (including floppy disks) under the name readme.exe. It also copies itself to the Windows directory and sets the following registry key so that it is executed at every startup:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\macrosoft with the value
    %windir%\readme.exe where %windir% is C:\Windows or C:\Winnt.

    After this, it uses MAPI (Messaging Application Programming Interface) to send an e-mail to every contact in the user's Address Book and sets Outlook to delete these messages after they are sent.

    The mail looks like this:
    Subject: As per your request!
    Body:
    Please find attached file for your review.
    I look forward to hear from you again very soon. Thank you.

    Attachment: readme.exe

    An example of this type of e-mail is:

    [screenshot of the e-mail]

    After this spreading routine, the virus displays the following window, waiting for the user to click the button Open:

    [screenshot of the window]

    When the user clicks the button, it shows a fake error message:

    [screenshot of the fake error message]

    The virus then runs the spreading routine again: it copies itself again and re-sends the e-mails.
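    As an added example (not part of Bitdefender's write-up), the following read-only PowerShell audit checks a host for the indicators listed under Symptoms and in the Technical Description: the macrosoft Run value in both hives the page mentions, and readme.exe in the Windows folder and in the root of every drive. It assumes an elevated PowerShell session on the host being checked and only reports; it does not delete anything.

```powershell
# Added example, not Bitdefender's code: audit a host for the
# Win32.Apost.A@mm indicators described in the write-up.
# Assumption: run in an elevated PowerShell session on the host to check.

$findings = @()

# 1. Run-key persistence. The write-up lists the value name "macrosoft"
#    under HKCU (Symptoms) and HKLM (removal step), so check both hives.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).macrosoft
        if ($null -ne $value) {
            $findings += "Run value 'macrosoft' in $key -> $value"
        }
    }
}

# 2. Dropped copies: %windir%\readme.exe and readme.exe in every drive root.
$candidates = @(Join-Path $env:windir 'readme.exe')
$candidates += Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root } |
    ForEach-Object { Join-Path $_.Root 'readme.exe' }

foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path -PathType Leaf -ErrorAction SilentlyContinue) {
        $size = (Get-Item -LiteralPath $path).Length
        # 24576 bytes is the size given in the write-up; any readme.exe in
        # these locations is reported, and an exact size match is flagged.
        $tag = if ($size -eq 24576) { 'size matches write-up' } else { "size $size bytes" }
        $findings += "File $path present ($tag)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32.Apost.A@mm indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "INDICATOR: $_" }
}
```

    A hit on any indicator should be followed by the full scan in the removal instructions rather than by deleting the file by hand, since the worm re-drops readme.exe and re-sends mail whenever it runs again.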