Aliases: [email protected], Bloodhound.VBS.Worm, W32/Aplore-A, I-Worm.Aplore, W32/[email protected]
Variants: W32/Explorer, WORM_APLORE.A, Win32.Aphex, Aplore
Classification: Malware
Category: Computer Worm
Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 08 Apr 2002
Damage: Low
Characteristics: The [email protected] program belongs to a group of mass-mailing Worms that can take advantage of the functionality of the AOL Instant Messenger client. Using its built-in Web server, it attempts to persuade Internet Relay Chat users into executing it in order to deploy its payload.
The Psecure20x-cgi-install.version.6.01.bin.hx.com file serves as the trigger file for this Worm, which also installs the Explorer.exe file in the System folder of the Windows directory. An accompanying Windows Registry entry is also created to allow the [email protected] program to launch automatically at every boot or restart of the infected computer system. The malware creates the Email.vbs file, which uses the Microsoft Outlook application to spread its code via email. The trigger file is attached to the sent email message. An Index.html file is created in the System folder of the Windows directory; it uses a refresh tag to launch the trigger file. The [email protected] malware then displays an error message informing the computer user that a necessary browser plug-in must be installed. The malware then creates the file Aphex.jpg in the Windows directory.
Once the Worm has successfully established itself on the compromised machine, it remains in the background waiting for the computer user to launch the AOL IM client. The [email protected] malware acts as an HTTP server on TCP port 8180. This allows the malware to host a single Web page that contains a message prompting the computer user to restart the Web browser. When [email protected] detects the activation of the AOL client, it sends a one-line message with a link to a malicious website. This Worm does not function with the standalone version of the AOL IM client.
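
The host artifacts in the description above can be turned into a quick triage check. The following is an added example, not code from the original page or from any vendor tool: the function name triage, the sample inventory and the listener process paths are constructed, and it assumes the "System folder" means System or System32 under the Windows directory.

```python
import ntpath  # Windows path rules, so the check also runs on a non-Windows analysis box

# Indicators taken from the description above; matching is case-insensitive.
TRIGGER = "psecure20x-cgi-install.version.6.01.bin.hx.com"
SYSTEM_DIR_FILES = {"explorer.exe", "index.html"}  # dropped in the System folder
WINDOWS_DIR_FILES = {"aphex.jpg"}                  # dropped in the Windows directory
ANYWHERE_FILES = {TRIGGER, "email.vbs"}            # the page gives no fixed location
HTTP_PORT = 8180                                   # the worm's built-in Web server

def triage(paths, listeners, windir=r"C:\WINDOWS"):
    """Return sorted (indicator, evidence) pairs for a host inventory.

    paths: iterable of file paths; listeners: iterable of (tcp_port, image_path).
    Assumption: the System folder is System or System32 under windir.
    """
    win = ntpath.normcase(ntpath.normpath(windir))
    system_dirs = {ntpath.join(win, "system"), ntpath.join(win, "system32")}
    findings = set()
    for p in paths:
        folder, name = ntpath.split(ntpath.normcase(ntpath.normpath(p)))
        if name in ANYWHERE_FILES:
            findings.add(("dropped-file", p))
        elif folder in system_dirs and name in SYSTEM_DIR_FILES:
            # The legitimate explorer.exe lives in the Windows directory itself,
            # so a copy inside the System folder is the anomaly to flag.
            findings.add(("file-in-system-folder", p))
        elif folder == win and name in WINDOWS_DIR_FILES:
            findings.add(("file-in-windows-dir", p))
    for port, image in listeners:
        if port == HTTP_PORT:
            findings.add(("listener-tcp-8180", image))
    return sorted(findings)

# Constructed sample inventory (not data from a real host).
SAMPLE_PATHS = [
    r"C:\WINDOWS\explorer.exe",         # legitimate shell location, must not match
    r"C:\WINDOWS\SYSTEM\Explorer.exe",
    r"C:\WINDOWS\SYSTEM\Index.html",
    r"C:\WINDOWS\Aphex.jpg",
    r"C:\My Documents\index.html",      # unrelated file, must not match
]
SAMPLE_LISTENERS = [(80, r"C:\WEBSRV\httpd.exe"), (8180, r"C:\WINDOWS\SYSTEM\Explorer.exe")]

if __name__ == "__main__":
    for indicator, evidence in triage(SAMPLE_PATHS, SAMPLE_LISTENERS):
        print(f"{indicator:24} {evidence}")
```

File names such as index.html and email.vbs are common on their own, so a hit is a lead to confirm against the other indicators rather than proof of infection.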