Win32:Apost
is another Internet worm created in Visual Basic. It arrives in the e-mail message as an attachment called README.EXE. The message has the following characteristics:Subject:
As per your request!
Message Body:
Please find attached file for your review.
I look forward to hear from you again very soon. Thank you.
Attachment: README.EXE (24,576 bytes)
When executing, the worm checks if the README.EXE file is present in the Windows directory. If not, the worm copies itself to that directory. Then it copies such README.EXE file to the root of all local drives and creates a registry key to tun this program at computer startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ macrosoft= C:\WINDOWS\Readme.exe
The worm sends a copy of itself to every address in the MS Outlook Address Book and then displays a dialog box titled "Urgent!". This dialog box contains only the large button labeled "Open".
When this button is pressed, the worm displays an error message box titled "WinZip SelfExtractor: Warning" and containing the error message "CRC error: 34#". Then the worm terminates itself.
Please note that the worm does not check the README.EXE file. So if such file is present before the virus activation, the worm can send this benign file instead of itself. Such files are not infected by this worm (but of course they could be infected by other virus or they can contain a trojan).
Removal:
- Delete the registry key mentioned above
- Restart the computer
- Delete the README.EXE file from the Windows directory and from the root directory of all local drives
