Wilders Security Forums  

#1
April 9th, 2002, 04:17 PM
FanJ

W32/Aplore-A

Name: W32/Aplore-A
Type: Win32 worm
Date: 9 April 2002

At the time of writing Sophos has received just one report of
this worm from the wild.


Description:

W32/Aplore-A is a Win32 worm which uses Microsoft Outlook to
spread. It copies itself into the Windows system directory as
explorer.exe and psecure20x-cgi-install6.01.bin.hx.com and adds
the following value to the registry to run itself on Windows
startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer =
"<windows system folder>\explorer.exe"

When run, the worm drops and runs the VBScript email.vbs which
attempts to send an email with the worm files attached to all
contacts from the Outlook address book.

The emails will have the following characteristics:

Subject line:
.
Message body:
.
Attached file:
psecure20x-cgi-install.version6.01.bin.hx.com


W32/Aplore-A also contains an IRC client and an HTTP server.
Before the internal web server is started, the worm drops the
file index.html which acts as a homepage for the server. When
the server is started, it listens for a connection on port 8180.

The IRC client attempts to connect to an IRC server and join
several channels with a nickname randomly chosen from a list of
female names stored in the worm code. The worm sends messages
containing a link to the infected machine's web server to the
IRC channels. The messages sent to the IRC channel contain the
text "FREE PORN:" and the IP address of the infected machine.

If a user attempts to connect to the server then the server
sends the previously dropped index.html.

Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32aplorea.html
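
A triage check built from the indicators in the description above, as an added example that is not part of the original post or of Sophos's analysis: it parses `reg query` and `netstat -an` text plus a system-folder file listing. The function names, finding labels and sample data are assumptions constructed for illustration.

```python
import ntpath
import re

# Indicators from the description above; the sample inputs below are constructed.
DROPPED_NAMES = {"explorer.exe", "psecure20x-cgi-install6.01.bin.hx.com",
                 "psecure20x-cgi-install.version6.01.bin.hx.com"}
HTTP_PORT = 8180

def parse_run_key(reg_text):
    """Parse `reg query` output into {lowercased value name: data}."""
    values = {}
    for line in reg_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if m:
            values[m.group(1).lower()] = m.group(2).strip().strip('"')
    return values

def listening_ports(netstat_text):
    """Return TCP ports in LISTENING state from `netstat -an` output."""
    rows = (line.split() for line in netstat_text.splitlines())
    return {int(r[1].rsplit(":", 1)[1]) for r in rows
            if len(r) >= 4 and r[0] == "TCP" and r[-1] == "LISTENING"}

def check_host(reg_text, netstat_text, system_dir, system_dir_files):
    """Return sorted findings that match the W32/Aplore-A description."""
    findings = []
    # The Run value points at explorer.exe inside the *system* folder; the
    # genuine shell normally sits in the Windows folder itself.
    target = ntpath.normcase(ntpath.join(system_dir, "explorer.exe"))
    data = parse_run_key(reg_text).get("explorer", "")
    if ntpath.normcase(ntpath.normpath(data)) == target:
        findings.append("run-key")
    findings += ["file:" + f.lower() for f in system_dir_files
                 if f.lower() in DROPPED_NAMES]
    if HTTP_PORT in listening_ports(netstat_text):
        findings.append("port:8180")
    return sorted(findings)

SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    Explorer    REG_SZ    C:\WINDOWS\SYSTEM\explorer.exe
"""
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING
  TCP    0.0.0.0:8180    0.0.0.0:0    LISTENING
"""
SAMPLE_FILES = ["KERNEL32.DLL", "EXPLORER.EXE", "psecure20x-cgi-install6.01.bin.hx.com"]

if __name__ == "__main__":
    print(check_host(SAMPLE_REG, SAMPLE_NETSTAT, r"C:\WINDOWS\SYSTEM", SAMPLE_FILES))
```

A single finding, port 8180 in particular, is weak on its own; the Run value together with the dropped files is the combination the description supports.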

 
