Name: W32/Aplore-A
Type: Win32 worm
Date: 9 April 2002

At the time of writing Sophos has received just one report of this worm from the wild.

Description:

W32/Aplore-A is a Win32 worm which uses Microsoft Outlook to spread. It copies itself into the Windows system directory as explorer.exe and psecure20x-cgi-install6.01.bin.hx.com and adds the following value to the registry to run itself on Windows startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer = "<windows system folder>\explorer.exe"

When run, the worm drops and runs the VBScript email.vbs which attempts to send an email with the worm files attached to all contacts from the Outlook address book. The emails will have the following characteristics:

Subject line: .
Message body: .
Attached file: psecure20x-cgi-install.version6.01.bin.hx.com

W32/Aplore-A also contains an IRC client and an HTTP server. Before the internal web server is started, the worm drops the file index.html which acts as a homepage for the server. When the server is started, it listens for a connection on port 8180.

The IRC client attempts to connect to an IRC server and join several channels with a nickname randomly chosen from a list of female names stored in the worm code. The worm sends messages containing a link to the infected machine's web server to the IRC channels. The messages sent to the IRC channel contain the text "FREE PORN:" and the IP address of the infected machine. If a user attempts to connect to the server then the server sends the previously dropped index.html.

Read the analysis at http://www.sophos.com/virusinfo/analyses/w32aplorea.html
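
The host indicators in the description above (the Run value named Explorer, the copies in the system folder and the listener on port 8180) can be checked against an inventory of a machine. The following Python check is an added example, not part of the Sophos advisory; the snapshot dictionary layout, the function names and the two sample hosts are assumptions constructed for illustration.

```python
import ntpath

# Indicators copied from the advisory text; both attachment spellings appear there.
RUN_VALUE = "explorer"
WORM_FILES = {"explorer.exe",
              "psecure20x-cgi-install6.01.bin.hx.com",
              "psecure20x-cgi-install.version6.01.bin.hx.com"}
HTTP_PORT = 8180


def _norm(path):
    # Strip quotes, then lowercase and normalise separators the Windows way.
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def triage(snapshot):
    """Return findings for one host snapshot (dict layout is hypothetical)."""
    sysdir = _norm(snapshot["system_dir"])
    findings = []
    # Run value "Explorer" that launches explorer.exe from the system folder.
    for name, data in snapshot["hklm_run"].items():
        target = _norm(data)
        if (name.lower() == RUN_VALUE and ntpath.dirname(target) == sysdir
                and ntpath.basename(target) == "explorer.exe"):
            findings.append("run-key: " + data)
    # Copies the worm leaves in the system folder.
    for name in snapshot["system_dir_files"]:
        if name.lower() in WORM_FILES:
            findings.append("file: " + name)
    # The worm's built-in web server.
    if HTTP_PORT in snapshot["listening_tcp_ports"]:
        findings.append("port: %d" % HTTP_PORT)
    return findings


# Constructed snapshots for illustration, not data from a real host.
INFECTED = {
    "system_dir": r"C:\WINDOWS\System32",
    "hklm_run": {"Explorer": r'"C:\WINDOWS\system32\explorer.exe"'},
    "system_dir_files": ["kernel32.dll", "Explorer.exe",
                         "psecure20x-cgi-install6.01.bin.hx.com"],
    "listening_tcp_ports": [135, 8180],
}
CLEAN = {
    "system_dir": r"C:\WINDOWS\System32",
    "hklm_run": {"Explorer": r"C:\WINDOWS\explorer.exe"},
    "system_dir_files": ["kernel32.dll"],
    "listening_tcp_ports": [135],
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, triage(snap))
```

A port 8180 listener alone is weak evidence, since other software may use that port; the Run value pointing into the system folder is the most specific of the three checks.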