Aliases: W32/[email protected], W32.Appix.Worm, W32.Appix.D.Worm, W32.Appix.B.Worm, W32.Appix.C.Worm
Variants: I-Worm.Apbost.b

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America
Removal: Easy
Platform: W32
Discovered: 17 Sep 2002
Damage: Medium

Characteristics: This malware commonly targets the eDonkey2000 and KaZaA file sharing networks and uses them as transport mechanisms to spread its code to other computer systems. The W32.Appix.Worm malware appends its code to PHTML and PHP files in order to infect other PHP, PHTML, HTML, and HTM files.

More details about W32.Appix.Worm

Aside from file sharing networks, the W32.Appix.Worm program also uses email to spread its code to other computer systems and deliver its payload. The malware extracts the files Appbsvc.exe and Appboost.exe into the Windows directory of the infected computer system. Because it allows only a single instance of its process to run on an infected machine, it creates a mutex named vixsvc or vix to mark a compromised computer system. W32.Appix.Worm updates the Windows Registry so that it launches whenever an executable file is accessed on the infected system. The worm also uses the Windows Registry to keep track of the time when it was last executed.

Part of the payload delivered by the W32.Appix.Worm program is to disable system-critical processes and security programs such as antivirus and antispyware applications. The malware also affects the behavior of the operating system's firewall service. According to previous reports of infections from other computer systems, this malware is capable of creating a new file that uses the name of a popular application and pretends to be a crack or key generator for that program. The W32.Appix.Worm malware normally gives these new files the zip.exe, ace.exe, rar.exe, .exe, .pif, .hta, .bat, or .cmd file extensions. The created file is then placed in the Shared folder of the Peer to Peer application to deliver its payload to other networks.
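A file-name triage check built from the names and extensions described above, as an added example that is not part of the original write-up. The bait keywords, the leading dot required before the archive-style endings, and the sample listing are assumptions made for illustration.

```python
import re

# File names the write-up says the worm extracts into the Windows directory.
DROPPED = {"appbsvc.exe", "appboost.exe"}

# Archive-style endings from the write-up. Assumption: a leading dot is required,
# so that a legitimate name such as "WinZip.exe" does not match "zip.exe".
DOUBLE_EXT = (".zip.exe", ".ace.exe", ".rar.exe")

# Remaining extensions listed for the bait files.
SINGLE_EXT = (".exe", ".pif", ".hta", ".bat", ".cmd")

# Assumption: bait names contain "crack" or a key-generator term,
# matching the "crack or key generator" behaviour described in the text.
BAIT_WORDS = re.compile(r"crack|key\s*gen", re.IGNORECASE)


def classify(name):
    """Return the reason a file name is suspicious, or None if nothing matches."""
    lower = name.lower()
    if lower in DROPPED:
        return "dropped-file name"
    if lower.endswith(DOUBLE_EXT):
        return "archive-style double extension"
    if lower.endswith(SINGLE_EXT) and BAIT_WORDS.search(lower):
        return "crack/keygen bait with executable extension"
    return None


def triage(listing):
    """Map each flagged name to its reason; unflagged names are omitted."""
    return {name: reason for name in listing if (reason := classify(name))}


# Constructed listing (not real telemetry): a mix of Windows-directory and
# P2P shared-folder file names.
SAMPLE = [
    "Appbsvc.exe",
    "Photo Editor crack.zip.exe",
    "Some Game keygen.pif",
    "WinZip.exe",
    "holiday.rar",
    "notes.cmd",
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE).items():
        print(f"{name}: {reason}")
```

A name match is only a triage signal; the dropped-file names are meaningful when found in the Windows directory and the bait names when found in a P2P shared folder.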