W32.Aplore@mm

Aliases: [email protected], Bloodhound.VBS.Worm, W32/Aplore-A, I-Worm.Aplore, W32/Aplore@MM
Variants: W32/Explorer, WORM_APLORE.A, Win32.Aphex, Aplore

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 08 Apr 2002
Damage: Low

Characteristics: W32.Aplore@mm is a mass-mailing worm that also takes advantage of the AOL Instant Messenger client. Using its built-in Web server, it attempts to persuade Internet Relay Chat users to execute it in order to deploy its payload.

More details about W32.Aplore@mm

The file Psecure20x-cgi-install.version.6.01.bin.hx.com serves as the trigger file for this worm, which also installs a file named Explorer.exe in the System folder of the Windows directory. A Windows Registry entry is also created so that the worm launches automatically every time the infected computer boots or restarts. The worm creates the file Email.vbs, which uses the Microsoft Outlook application to spread the worm's code by e-mail, with the trigger file attached to each message sent. An Index.html file is created in the System folder of the Windows directory; it contains a refresh tag that launches the trigger file. The worm then displays an error message telling the user that a necessary browser plug-in must be installed. Finally, the file Aphex.jpg is created in the Windows directory.

Once the worm has established itself on the compromised machine, it remains in the background waiting for the user to launch the AOL IM client. W32.Aplore@mm acts as an HTTP server listening on TCP port 8180, which lets it host a single Web page containing a message prompting the user to restart the Web browser. When the worm detects that the AOL client is active, it sends a one-line message containing a link to a malicious website. This worm does not function with the standalone version of the AOL IM client.
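The two paragraphs above give a defender a small, concrete indicator set: the dropped file names and the directories they land in, an autorun registry entry, and a listener on TCP port 8180. The following added example (not code from the original write-up or from any antivirus vendor) turns those indicators into a host check that runs over a snapshot of a machine. The snapshot layout, the assumption that the autorun entry is a Run-key value whose command line points at the dropped file, and the sample data at the bottom are all constructed for this example; the registry key path itself is not given by the write-up.

```python
"""Host-based indicator check for the W32.Aplore@mm artefacts described above.

Added example. It takes a constructed snapshot of a host (file names under the
Windows and System directories, autorun registry values, listening TCP ports)
and reports which of the described indicators are present.
"""
from dataclasses import dataclass

# File names the write-up attributes to the worm, keyed by the directory
# it says they are dropped into.
DROPPED_FILES = {
    "system": {"explorer.exe", "email.vbs", "index.html"},
    "windows": {"aphex.jpg", "psecure20x-cgi-install.version.6.01.bin.hx.com"},
}
# The write-up says the worm hosts a single web page on this TCP port.
HTTP_PORT = 8180


@dataclass
class HostSnapshot:
    system_files: set        # file names found in the System folder
    windows_files: set       # file names found in the Windows directory
    run_values: dict         # autorun value name -> command line (assumed Run key)
    listening_tcp: set       # TCP ports with a listener


def _exe_path(cmd: str) -> str:
    """Return the executable path from a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def _looks_dropped(path: str) -> bool:
    """True if the path's base name matches a dropped file.

    The legitimate Windows shell is %WINDIR%\\explorer.exe; the write-up places
    the worm's copy in the System folder, so an 'explorer.exe' only counts when
    its parent directory is a System* folder.
    """
    parts = path.replace("\\", "/").lower().split("/")
    base = parts[-1]
    if base not in DROPPED_FILES["system"] | DROPPED_FILES["windows"]:
        return False
    if base == "explorer.exe":
        return len(parts) >= 2 and parts[-2].startswith("system")
    return True


def find_indicators(snap: HostSnapshot) -> list:
    """Return a list of indicator strings present in the snapshot (empty if clean)."""
    hits = []
    for name in sorted(snap.system_files):
        if name.lower() in DROPPED_FILES["system"]:
            hits.append(f"file:system:{name.lower()}")
    for name in sorted(snap.windows_files):
        if name.lower() in DROPPED_FILES["windows"]:
            hits.append(f"file:windows:{name.lower()}")
    for value, cmd in sorted(snap.run_values.items()):
        exe = _exe_path(cmd)
        if _looks_dropped(exe):
            base = exe.replace("\\", "/").rsplit("/", 1)[-1].lower()
            hits.append(f"autorun:{value}->{base}")
    if HTTP_PORT in snap.listening_tcp:
        hits.append(f"net:tcp:{HTTP_PORT}")
    return hits


# Constructed sample snapshots (not real host data).
INFECTED = HostSnapshot(
    system_files={"Explorer.exe", "Email.vbs", "Index.html", "kernel32.dll"},
    windows_files={"Aphex.jpg", "notepad.exe"},
    run_values={
        "Explorer": r'"C:\WINDOWS\SYSTEM\Explorer.exe"',
        "ctfmon": r"C:\WINDOWS\SYSTEM32\ctfmon.exe",
    },
    listening_tcp={135, 8180},
)
CLEAN = HostSnapshot(
    system_files={"kernel32.dll"},
    windows_files={"explorer.exe", "notepad.exe"},
    run_values={"ctfmon": r"C:\WINDOWS\SYSTEM32\ctfmon.exe"},
    listening_tcp={135, 445},
)

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, find_indicators(snap))
```

A real deployment would fill the snapshot from a directory listing, the Run keys under HKLM and HKCU, and a netstat-style port listing; the check itself does not change. The port indicator alone is weak (other software can use 8180), so it is reported alongside the file and autorun matches rather than on its own.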