
Win32 Worm Apost.A


Win32/Apost.A is a worm written in Visual Basic. To run, it requires the runtime library MSVBVM60.DLL to be installed on the computer. The worm spreads as an email attachment. It arrives in a message with the subject "As per your request!,." and an attached file, readme.exe, 24576 bytes in size. The body of the message consists of the following text:

Look forward to hear from you again very soon. Thank you.

Note: In the following text, the symbolic name %windir% is used in place of the name of the directory in which the Windows operating system is installed. This can differ from one installation to another.

The worm is activated when the file readme.exe is run. It then copies itself as readme.exe into the %windir% directory. It creates the registry Run key entry HKCU\Software\Microsoft\Windows\CurrentVersion\Run\macrosoft and sets its value to point to the created worm copy, which ensures that the worm is activated after each restart. The worm also copies itself into the root directory of each accessible local and shared disk, as well as into the root directory of removable media. It then displays a window titled "Urgent!" containing a single button labelled "Open". After the button is clicked, the worm displays a window with a fake error message and ceases its activity. The error message looks like this:




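The artefacts described above (the "macrosoft" Run value, the copy in %windir%, and the 24576-byte readme.exe in drive and share roots) can be checked against an inventory collected from a host. The following triage check is an added example, not part of the original description; the function names, the input shapes (a dict of Run values and a list of path/size pairs) and the sample data are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any analysis platform

# Indicators taken from the description above
RUN_VALUE = "macrosoft"   # under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
DROP_NAME = "readme.exe"
DROP_SIZE = 24576         # bytes; name and size are triage hints, not proof

def in_root(path):
    """True if the file sits directly in a drive or share root."""
    drive, rest = ntpath.splitdrive(path)
    return bool(drive) and ntpath.dirname(rest) == "\\"

def find_traces(run_values, files, windir):
    """run_values: {value name: data}; files: [(path, size)]; windir varies per host."""
    windir_copy = ntpath.normcase(ntpath.join(windir, DROP_NAME))
    hits = []
    for name, data in run_values.items():
        target = ntpath.normcase(data.strip().strip('"'))
        # Registry value names and Windows paths are case-insensitive
        if name.lower() == RUN_VALUE or target == windir_copy:
            hits.append(("run-key", name, data))
    for path, size in files:
        norm = ntpath.normcase(path)
        if ntpath.basename(norm) != DROP_NAME or size != DROP_SIZE:
            continue  # readme.exe is a common name; require the reported size
        if norm == windir_copy:
            hits.append(("windir-copy", path, size))
        elif in_root(norm):
            hits.append(("root-copy", path, size))
    return hits

# Constructed sample inventory (not taken from a real host)
SAMPLE_RUN = {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
              "Macrosoft": r"C:\WINDOWS\readme.exe"}
SAMPLE_FILES = [(r"C:\WINDOWS\readme.exe", 24576),
                (r"E:\readme.exe", 24576),
                (r"\\fileserver\public\readme.exe", 24576),
                (r"D:\readme.exe", 1024),          # wrong size, ignored
                (r"C:\Tools\readme.exe", 24576)]   # not a root or %windir%, ignored

if __name__ == "__main__":
    for hit in find_traces(SAMPLE_RUN, SAMPLE_FILES, r"C:\Windows"):
        print(hit)
```
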