Email-Worm.Win32.Apost

Class Email-Worm
Platform Win32
Description

Technical Details

This is a virus-worm that spreads via the Internet as an attachment to
infected e-mails. It is also known as Readme. The worm itself is a Windows PE EXE file about 25Kb in length and written in Visual Basic Script.

The infected messages contain the following:

Subject: As per your request!
Attach: README.EXE
Body:
Please find attached file for your review.
I look forward to hear from you again very soon. Thank you.



The worm activates from an infected e-mail only when a user clicks on
the attached file. The worm then installs itself to the system, runs the spreading
routine, and displays two fake messages.



While installing, the worm copies itself to the Windows directory under the
name README.EXE and registers that file in the system registry auto-run key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
macrosoft = README.EXE

To send infected messages, the worm uses MS Outlook and sends messages to all
addresses found in the Outlook address book.

The worm also copies itself to the root directory of all local fixed and remote
(network) drives under the same README.EXE name.
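
The indicators above (subject line, attachment name, and the auto-run value) can be checked mechanically. The following Python sketch is an added example, not part of the original description: it flags a raw message that carries both the listed subject and attachment name, and parses the text output of `reg query` for the Run key. The function names, sample message, and sample registry output are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

SUBJECT = "as per your request!"   # subject line listed on this page
ATTACHMENT = "readme.exe"          # attachment / dropped file name from this page
RUN_VALUE = "macrosoft"            # value name under HKCU\...\Run from this page

def message_matches(raw: bytes) -> bool:
    """True if a raw message carries both the listed subject and attachment name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    names = {(part.get_filename() or "").strip().lower() for part in msg.walk()}
    return subject == SUBJECT and ATTACHMENT in names

def run_key_matches(reg_output: str) -> bool:
    """True if `reg query` text for the Run key shows macrosoft -> README.EXE."""
    for line in reg_output.splitlines():
        # reg.exe prints value lines as: <indent><name>    REG_SZ    <data>
        m = re.match(r"\s+(\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if m and m.group(1).lower() == RUN_VALUE:
            data = m.group(2).strip().strip('"').lower()
            # Accept the bare name or a full path ending in README.EXE
            return re.split(r"[\\/]", data)[-1] == ATTACHMENT
    return False

def sample_message(subject: str, filename: str) -> bytes:
    """Constructed test message; the attachment bytes are inert filler."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("Please find attached file for your review.")
    m.add_attachment(b"constructed filler", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

# Constructed `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output
SAMPLE_REG = (
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n"
    "    Updater    REG_SZ    \"C:\\Program Files\\App\\update.exe\" /silent\r\n"
    "    macrosoft    REG_SZ    README.EXE\r\n"
)

if __name__ == "__main__":
    print(message_matches(sample_message("As per your request!", "README.EXE")))
    print(run_key_matches(SAMPLE_REG))
```

Requiring both the subject and the attachment name keeps ordinary mail with a README attachment from being flagged; a hit on the Run value should be followed by checking the Windows directory and the drive roots for README.EXE.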