W32/Appix-B

Discussion in 'malware problems & news' started by Technodrome, Oct 16, 2002.

Thread Status:
Not open for further replies.
    W32/Appix-B is a virus that arrives in an email with the following characteristics:

    Subject line:
    Begins with one of:

    A nice Screensaver of
    Ein netter Screensaver von
    New Version of
    Eine neue Version von

    Followed by one of:

    BestTool
    Pamela Anderson
    Angelina Jolie
    Anna Kournikova
    Porn Screensaver
    Sex ScreenSaver
    TvTool
    Flashget
    WarezBoardAccess
    Undelivarable Email
    Brute Force Tool

    Attached file:

    Chosen from:

    PamAnderson.scr
    Jolie.scr
    AnnaKournikova.scr
    XXX.scr
    FreeSex.exe
    TvTool.exe
    FlashGet.exe
    WarezBoardAccess.exe
    Undelivarablemail.exe

    The virus attempts to exploit a MIME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer to allow the executable file to run automatically without the user double-clicking on the attachment.

    When the virus is executed it creates a copy of itself in the Windows folder called Appboost.exe and changes the registry by setting the following entry to point to Appboost.exe so that this file will be executed every time an EXE file is run:

    HKLM\Software\Classes\exefile\shell\open\command

    W32/Appix-B attempts to stop the following services:

    ANTIVIR
    AVP32
    AVPCC
    NOD32
    NPSSVC
    NRESQ32
    NSCHED32
    NSCHEDNT
    NSPLUGIN
    NAV
    NAVA
    PSVC
    NAVAPW32
    NAVLU32
    NAVRUNR
    NAVW32
    AVPM
    ALERTSVC
    AMON
    N32SCANW
    NAVWNT
    AVPUPD
    AVGCTRL
    AVWIN95
    SCAN32
    VSHWIN32
    F-STOPW
    F-PROT95
    ACKWIN32
    VETTRAY
    SWEEP95
    PCCWIN98
    IOMON98
    AVPTC
    AVE32
    AVCONSOL
    FP-WIN
    DVP95
    F-AGNT95
    CLAW95
    NVC95
    SCAN
    VIRUS
    LOCKDOWN2000
    NORTON
    MCAFEE
    ANTIVIR
    FIREWAL
    VET95
    SAFEWEB
    WEBSCANX
    ICMON
    CFINET
    AVP.EXE
    ZONEALARM
    AMON.EXE
    PCCIOMON
    PCCMAIN
    POP3TRAP
    WEBTRAP
    AVSYNMGR
    NMAIN
    LUALL
    LUCOMSERVER
    IAMAPP
    ATRACK
    IAMSERV
    PCFWALLICON
    TDS2-98
    TDS2-NT
    VSECOMR
    NISSERV
    NISUM
    F-PROT
    AOL

    This virus may also infect PHP and PHTML files by adding code that is intended to spread via PHP, PHTML, HTM and HTML files.

    Microsoft has issued a patch which secures against the incorrect MIME header vulnerability which can be downloaded from http://www.microsoft.com/technet/security/bulletin/MS01-027.asp
    (This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this virus.)


    source: http://www.sophos.com



    Technodrome
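The mail-borne delivery pattern the post describes, as an added example that is not part of the original post or of the Sophos advisory. The "incorrect MIME header" bug the worm relies on (MS01-020, which the MS01-027 roll-up also fixes) lets unpatched Outlook and Outlook Express auto-run an executable attachment that is declared with a harmless Content-Type such as audio/x-wav, so the useful gateway check is a mismatch between the attachment's extension and its declared type. The scanner below flags the subject prefixes and attachment names from the post plus that mismatch; the extension and MIME-type sets and the sample message are constructed for this example (the "payload" is an inert, truncated PE header, not the worm).

```python
"""Flag the W32/Appix-B delivery pattern in a raw RFC 2822 message."""
import email
import os
from email import policy

# Subject prefixes and attachment names taken from the advisory text.
SUBJECT_PREFIXES = (
    "A nice Screensaver of",
    "Ein netter Screensaver von",
    "New Version of",
    "Eine neue Version von",
)
KNOWN_ATTACHMENTS = {
    "pamanderson.scr", "jolie.scr", "annakournikova.scr", "xxx.scr",
    "freesex.exe", "tvtool.exe", "flashget.exe", "warezboardaccess.exe",
    "undelivarablemail.exe",
}
# Assumed sets for this example: extensions Windows will execute, and the
# MIME types under which an executable is legitimately declared.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}
EXECUTABLE_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
}


def scan_message(raw):
    """Return a list of (location, reason) findings; an empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", ""))
    if subject.startswith(SUBJECT_PREFIXES):
        findings.append(("subject", "matches a W32/Appix-B subject prefix"))
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no payload of their own
        name = part.get_filename()
        if not name:
            continue  # inline body text, not an attachment
        ctype = part.get_content_type()
        ext = os.path.splitext(name)[1].lower()
        if name.lower() in KNOWN_ATTACHMENTS:
            findings.append((name, "attachment name listed for W32/Appix-B"))
        if ext in EXECUTABLE_EXTENSIONS:
            if ctype in EXECUTABLE_TYPES:
                findings.append((name, "executable attachment"))
            else:
                # Executable file declared as something a mail client renders
                # inline: the MS01-020 auto-run shape.
                findings.append((name, "executable declared as %s "
                                 "(MIME-type mismatch, MS01-020 auto-run pattern)"
                                 % ctype))
    return findings


# Constructed sample in the shape the advisory describes.
SAMPLE = b"""From: someone@example.com
To: victim@example.com
Subject: A nice Screensaver of Anna Kournikova
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Enjoy!
--XYZ
Content-Type: audio/x-wav; name="AnnaKournikova.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="AnnaKournikova.scr"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

# Constructed benign message for comparison.
CLEAN = b"""From: a@example.com
To: b@example.com
Subject: lunch
Content-Type: text/plain

noon?
"""

if __name__ == "__main__":
    for where, why in scan_message(SAMPLE):
        print("%-22s %s" % (where, why))
    print("clean message:", scan_message(CLEAN))
```

The mismatch rule is the one worth keeping after the name list goes stale: any .exe/.scr declared as audio, image or text is either a broken sender or an auto-run attempt, and a gateway has no reason to pass it either way.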
     
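The registry hijack the post describes, as an added example that is not part of the original post or of the Sophos advisory. Pointing the default value of HKLM\Software\Classes\exefile\shell\open\command at Appboost.exe makes every .exe launch run the worm first, so the host-side check is whether that value is still the stock `"%1" %*`. The `classify()` function below separates the stock value from a hijack and extracts the interposed program; `read_live_value()` and `restore_default()` use the standard `winreg` module when run on Windows and are skipped elsewhere. The set of accepted stock forms and the sample values are assumptions made for this example.

```python
"""Check and repair the exefile open-command handler for the Appix-B hijack."""
import re
import sys

EXEFILE_KEY = r"Software\Classes\exefile\shell\open\command"
STOCK_VALUE = '"%1" %*'
# Assumed stock forms: the quoted one Windows writes, and an unquoted variant.
DEFAULT_COMMANDS = {STOCK_VALUE, "%1 %*"}


def classify(command):
    """Return ("clean", None) for a stock value, ("hijacked", program) otherwise."""
    cmd = command.strip()
    if cmd in DEFAULT_COMMANDS:
        return ("clean", None)
    # First token of the command line is the interposed program: either a
    # quoted path or a bare path up to the first space.
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    program = (m.group(1) or m.group(2)) if m else cmd
    return ("hijacked", program)


def read_live_value():
    """Default value of the exefile open command on Windows, None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXEFILE_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


def restore_default():
    """Write the stock value back (needs administrative rights); False off Windows."""
    if sys.platform != "win32":
        return False
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXEFILE_KEY, 0,
                        winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "", 0, winreg.REG_SZ, STOCK_VALUE)
    return True


if __name__ == "__main__":
    # Constructed sample values: the stock default and two hijack shapes.
    samples = [
        STOCK_VALUE,
        r'"C:\WINDOWS\Appboost.exe" "%1" %*',
        r'C:\WINDOWS\Appboost.exe "%1" %*',
    ]
    for s in samples:
        print("%-40s -> %s" % (s, classify(s)))
    live = read_live_value()
    if live is not None:
        print("live value:", live, "->", classify(live))
```

One caveat when cleaning a live machine: while the handler is hijacked, starting any .exe (python.exe or regedit.exe included) runs the interposed program first, so restore the key from a .reg file, from a copy of regedit renamed to a non-.exe extension, or from offline media, and delete Appboost.exe only after the handler is back to the stock value.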