Center for Information Technology Antivirus

Virus Archives

W32/Aplore@MM
Last Updated 4/10/02 4:06pm

A new email worm W32/Aplore@MM has been detected in the wild. This worm also spreads via Internet Relay Chat (IRC) and AOL Instant Messenger (AIM).

The email version of the worm arrives as follows:

The subject of the email is:
.

(note: The subject is a period only)

The message body is:
.

(note: The body is a period only)

The attachment is:
psecure20x-cgi-install.version6.01.bin.hx.com

The IRC/AIM version of the worm arrives as a message with a hyperlink to the infected client's machine.

The IRC message appears as the following:

FREE PORN: http://free:porn@(infected system's IP address):8180

The AIM message appears as one of the following variations:

  • btw, download this, (infected system's IP address):8180
  • I wanted to show you this, (infected system's IP address):8180
  • please check out, (infected system's IP address):8180
  • hey go to, (infected system's IP address):8180
  • see if you can get this to work, (infected system's IP address):8180
  • this is cool, (infected system's IP address):8180
  • tell me what you think about, (infected system's IP address):8180
  • try this, (infected system's IP address):8180
  • I almost forgot about, (infected system's IP address):8180
  • I like this, (infected system's IP address):8180
  • what about, (infected system's IP address):8180
  • have you seen, (infected system's IP address):8180
  • interestin, (infected system's IP address):8180
  • lol, (infected system's IP address):8180
  • wow, (infected system's IP address):8180
  • whoa, (infected system's IP address):8180
  • neat, (infected system's IP address):8180
  • cool, (infected system's IP address):8180
  • hmm, (infected system's IP address):8180
  • psst, (infected system's IP address):8180
  • hehe, (infected system's IP address):8180
  • haha, (infected system's IP address):8180
  • silly, (infected system's IP address):8180
  • weird, (infected system's IP address):8180

When the attachment is executed, the worm sends itself out to everyone in the infected client's address book. The worm creates a registry entry to load itself at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Explorer=C:\WINDOWS\SYSTEM\EXPLORER.EXE

The worm saves a copy of itself to the Windows system directory as explorer.exe.

The worm also attempts to connect to IRC.DAL.NET and send itself to everyone who connects to the channel. The worm also ties itself to the AIM client if it is installed. When the AIM client connects to the AIM service it will attempt to send one of the above messages to everyone in the client's buddy list.

If the hyperlink is clicked, it connects to the infected machine on port 8180. A web page will be displayed:

    Browser Plugin Required:


    You may need to restart your browser for changes to take affect.
    Security Certificate by Verisign 2002.
    MD5: 9DD756AC-80E057FC-E00703A2-F801F2E3

    Click HERE and choose "Run" to install.

A prompt will also appear asking whether to "Run the file from its current location" or "Save this program to disk".
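The indicators described above, turned into triage checks for a mail message, a chat log line and a Run-key listing. This is an added example, not code from this site or from NAI; the function names, the sample message and the address 192.0.2.10 are constructed, and matching `system32` as well as `system` is an assumption.

```python
import re
from email import message_from_string

# Indicators copied from the advisory; every sample input below is constructed.
ATTACHMENT = "psecure20x-cgi-install.version6.01.bin.hx.com"
# An IPv4 address followed by port 8180, with or without an http://user:pass@ prefix.
LURE = re.compile(r"(?<![\d.])(?P<target>(?:\d{1,3}\.){3}\d{1,3}:8180)(?!\d)")
# Worm copy: explorer.exe inside the system directory. Matching "system32" as
# well is an assumption for NT-family hosts; the advisory lists SYSTEM only.
RUN_PATH = re.compile(r"\\system(32)?\\explorer\.exe$")

def email_indicators(raw):
    """Return the advisory's email traits (subject, body, attachment) found in raw."""
    msg = message_from_string(raw)
    hits = set()
    if (msg.get("Subject") or "").strip() == ".":
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT:
            hits.add("attachment")
        elif not name and part.get_content_type() == "text/plain":
            if (part.get_payload(decode=True) or b"").strip() == b".":
                hits.add("body")
    return sorted(hits)

def chat_lure(line):
    """Return the ip:8180 target of an IRC/AIM line shaped like the lure, else None."""
    m = LURE.search(line)
    return m.group("target") if m else None

def run_key_hit(run_values):
    """run_values maps Run value names to commands, e.g. parsed from a registry export."""
    return any(name.lower() == "explorer" and RUN_PATH.search(cmd.strip('" ').lower())
               for name, cmd in run_values.items())

# Constructed sample message carrying all three email traits (no real payload).
SAMPLE_EMAIL = (
    "From: a@example.com\nTo: b@example.com\nSubject: .\n"
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="x"\n\n'
    "--x\nContent-Type: text/plain\n\n.\n"
    "--x\nContent-Type: application/octet-stream\n"
    f'Content-Disposition: attachment; filename="{ATTACHMENT}"\n\n'
    "constructed-placeholder\n--x--\n"
)

if __name__ == "__main__":
    print(email_indicators(SAMPLE_EMAIL))
    print(chat_lure("hey go to, 192.0.2.10:8180"))
    print(run_key_hit({"Explorer": r"C:\WINDOWS\SYSTEM\EXPLORER.EXE"}))
```

The legitimate Windows shell explorer.exe lives in the Windows directory itself, so a Run entry named Explorer that points at a copy in the system directory is the anomaly to look for.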

NAI has released DAT 4196, which will detect and remove this worm.

For more information see http://vil.nai.com/vil/content/v_99437.htm from NAI regarding W32/Aplore@MM

Do Not Open The Attachment!

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.

Contact TASC for assistance or call
301.59.Go.CIT (V) 301.496.8294 (TDD)

National Institutes of Health
Center for Information Technology
Bethesda, Maryland 20892


Department of Health and Human Services
Washington, D.C. 20201