W32-NewApt.worm - I recv’d it through e-mail on a
W32/NewApt.worm
VIRUS ALERT
W32/NewApt.worm is a new High Risk worm that arrives via email.
Virus Profile
Virus Name: W32/NewApt.worm
Date Added: 12/15/99
Virus Characteristics
This worm was reported to AVERT in several countries
during the week of December 13, 1999. The file may be received by email and has a
size of 69,632 bytes. Depending on whether the email application supports HTML
email body content, one of two messages is displayed. If HTML is supported, the
message content looks like this:
—————————————————————
Hypercool Happy New Year 2000 funny programs and animations…
We attached our recent animation from this site in our mail !
Check it out
—————————————————————
If the email client does not support HTML, the email message
will have this content:
—————————————————————
he, your lame client cant read HTML, haha. click attachment to
see some stunningly HOT stuff
—————————————————————
The email contains an attachment whose name is randomly selected
from the following list:
baby.exe
bboy.exe
boss.exe
casper.exe
chestburst.exe
cooler1.exe
cooler3.exe
copier.exe
cupid2.exe
farter.exe
fborfw.exe
goal.exe
goal1.exe
g-zilla.exe
irngiant.exe
hog.exe
monica.exe
panther.exe
panthr.exe
party.exe
pirate.exe
s.exe
saddam.exe
theobbq.exe
video.exe
The dinamic link library giface.dll could not be found in the
specified path (list of directory names)
The list of directory names is taken from the system
environment variable "path", which is set in AUTOEXEC.BAT in Windows 9x and is also
configurable in Windows NT through the Control Panel. Note the misspelling of
the word "dinamic".
The machine is then checked for an installation of MS Outlook
Express. If it is found, two files are written to the c:\windows folder:
mma. - contains a listing of email addresses
mmail. - contains the directory of MS Outlook Express
The list of email addresses is captured by checking all
folders in Outlook Express for email messages received!
A file is then saved to the Windows folder and the registry is
modified to load the file at the next Windows startup with a command line option
of "/x". For example, if the executable "chestburst.exe" is run, the registry
entry would look like this on a Windows 95 system:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
tpawen = c:\windows\chestburst.exe /x
On the next Windows startup, the file is loaded. When the worm
loads into memory, it waits for an unspecified amount of time and then sends an
email message to one of the listed entries from the file "mma." with the format
mentioned at the beginning of this description.
While the worm is active on a Windows 9x system, the following
DLLs are loaded:
C:\WINDOWS\SYSTEM\WSOCK32.DLL
C:\WINDOWS\SYSTEM\WININET.DLL
C:\WINDOWS\SYSTEM\SHLWAPI.DLL
C:\WINDOWS\SYSTEM\USER32.DLL
C:\WINDOWS\SYSTEM\GDI32.DLL
C:\WINDOWS\SYSTEM\ADVAPI32.DLL
C:\WINDOWS\SYSTEM\KERNEL32.DLL
When an email application such as MS Outlook is in use, the
additional DLL loaded is TAPI32.DLL.
At this time, AVERT is analyzing the distribution method for
this worm. Strings within the executable suggest that it uses information stored
in the file "prefs.js" which is a reference to Netscape.
Indications Of Infection
Existence of this file on the local system - modifications to
the system registry as mentioned above - email mailings as mentioned above.
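An added example, not part of the McAfee write-up: a Python check that applies the indicators described above (attachment names, the "/x" Run entry, the "mma." and "mmail." files) to data already collected from a machine. Function names and sample data are constructed, and matching the saved copy by the 69,632-byte size is an assumption.

```python
import ntpath  # Windows path rules, usable on any host OS

# Attachment names listed in the write-up.
NAMES = frozenset("""baby bboy boss casper chestburst cooler1 cooler3 copier
cupid2 farter fborfw goal goal1 g-zilla irngiant hog monica panther panthr
party pirate s saddam theobbq video""".split())
SIZE = 69632                    # attachment size from the write-up
LIST_FILES = {"mma", "mmail"}   # "mma." and "mmail." have no extension
# Constructed sample data, not taken from a real machine.
SAMPLE_RUN = {"tpawen": r"c:\windows\chestburst.exe /x",
              "ScanRegistry": r"c:\windows\scanregw.exe /autorun"}
SAMPLE_DIR = [("mma.", 412), ("chestburst.exe", 69632), ("party.exe", 1000)]


def split_command(command):
    """Split a Run-key command into (executable path, lowercased arguments)."""
    command = command.strip()
    if command.startswith('"'):          # quoted path, may contain spaces
        exe, _, rest = command[1:].partition('"')
    else:
        exe, _, rest = command.partition(" ")
    return exe, rest.lower().split()


def check_run_entry(value_name, command, windows_dir=r"c:\windows"):
    """List which traits of the described autostart entry a Run value shows."""
    exe, args = split_command(command)
    folder, base = ntpath.split(exe.lower())
    stem, ext = ntpath.splitext(base)
    traits = {"attachment name": ext == ".exe" and stem in NAMES,
              "/x switch": "/x" in args,
              "Windows folder": folder == windows_dir.lower(),
              "value name": value_name.lower() == "tpawen"}  # from the example
    return [t for t, hit in traits.items() if hit]


def suspect_run_values(run_values):
    """Flag values that pair a listed attachment name with the /x switch."""
    need = {"attachment name", "/x switch"}
    return [n for n, c in run_values.items() if need <= set(check_run_entry(n, c))]


def check_windows_folder(listing):
    """Return names from (file name, size) pairs that match the worm's files."""
    hits = []
    for name, size in listing:
        stem, ext = ntpath.splitext(name.lower())
        is_list = ext in ("", ".") and stem in LIST_FILES
        if is_list or (ext == ".exe" and stem in NAMES and size == SIZE):
            hits.append(name)
    return hits
```

The value name "tpawen" is reported separately from the name and switch match because the write-up shows it only in one Windows 95 example.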
Method Of Infection
Running the executable will directly copy itself and run the
mailing routine.
EXTRA Drivers
VirusScan 4 with the 4.0.25 engine (and above)
Dr. Solomon’s AVTK 7.99 (and above)
VirusScan 3x
Removal Instructions
Use specified engine and DAT files for detection and removal.
Virus Information
Discovery Date: 12/14/99
Type: Virus
SubType: worm
Risk Assessment: High
Risk Justification: Not available
Variants: Unknown
Aliases: I-Worm/MesMate, TROJ_NEWAPT.WORM, W32.NewApt.worm, W32/NewApt.worm
Minimum Dat: 4058
Minimum Engine: 4.0.25