W32.NewApt.Worm


Aliases: I- Worm.NewApt.a, W32/NewApt.worm.gen@MM, WORM_NEWAPT.A, W32/NewApt-A, Win32.NewApt.Family
Variants: NewApt.c, NewApt.d, NewApt.b

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Fast
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 14 Dec 1999
Damage: Low

Characteristics: W32.NewApt.Worm is spread by email. Like many other worms, it has its own SMTP email engine to transmit itself. The worm continuously browses for several files on the hard disk in order for it to locate email address to which it sends itself. The worm continuously tries to email itself to others by using addresses found within MS Mail, MS Outlook, Netscape Navigator, and other Internet-related programs. The subject of the email states, "Just for your eyes."

More details about W32.NewApt.Worm

The message body of the email it sends contains this text stating “he, your lame client cant read HTML, haha. click attachment to see some stunningly HOT stuff” and “Hypercool Happy New Year 2000 funny programs and animations...We attached our recent animation from this site in our mail! Check it out!”The name of the attachment varies to these files, g-zilla.exe, cooler3.exe, cooler1.exe, copier.exe, video.exe, pirate.exe, goal1.exe, hog.exe, party.exe, saddam.exe, monica.exe, boss.exe, farter.exe, cheeseburst.exe and panther.exe. All platforms of Windows Operating System can be affected by this virus. The worm also tried to delete itself from the registry keys when certain other conditions are fulfilled. This may not always happen. Another version of this worm contains filenames that means sexual orientations or acts. With this, it connects and transmits hard core porn pictures related to children and animals. This was sent to businesses addresses. It also has remote capabilities which attempt to make a connection to a corporate website every three seconds. This is the worm’s payload which is triggered at midnight of Dec 25, 1999.

It is possible that W32.NewApt.Worm program could arrive as an attachment to spam email. The subjects of these spam email are usually written in such a way as to induce the target victim to open it. Once the attachment is clicked on, it is possible for the program to unpack itself and initiate its programmed activities. It is believed that upon activation, this program will attempt to render the security programs inoperative and insert entries into the registry to enable its automatic activation upon start-up. It also makes a duplicate of itself and places it inside the Windows System directory.