LHRIC Technical Services

Virus Central - Detailed

Virus Information

 

Name:

W32/APost@MM

Aliases:

I-Worm.Readme, W32.Urgent.Worm@mm, W32/Apost-A, W95/Urquest.24576, Win32/Yoview.A@mm

Type:

Virus

Discovery Date:

09/03/2001

Detection:

Presence of README.EXE (24,576 bytes) in the root directory of local drives and in the WINDOWS directory.

Virus Description:

This worm arrives as an email attachment. Executing the attachment infects the local system, which is then used to mail the worm further.

E-mail Subject:

As per your request!

E-mail Body:

Please find attached file for your review.
I look forward to hear from you again very soon. Thank you.

Attachment:

README.EXE (24,576 bytes long)

Virus Effects:

--- Update September 04, 2001 ---
AVERT has raised the risk assessment of this threat to Medium on Watch due to numerous confirmed reports from the field.

This threat is detected heuristically as New Backdoor prior to the 4157 DATs (with the 4100-4156 DATs).

This is the only known version of this worm to date. However, users may notice a README.EXE attachment of a different size, because W32/APost@MM mails whichever README.EXE it finds in the WINDOWS directory, even when that file is not the worm. One such file seen in the field is an old QuickTime 2.0 Windows Read Me document packaged with the Common Ground Mini Viewer (172,067 bytes); the samples received were clean of infection. Because of this behaviour, other README.EXE files could be sent by this worm, and those could in turn be infected with any number of other viruses or trojans, so a README.EXE of unexpected size should be scanned rather than assumed harmless.

This worm arrives with the email message described under Virus Description above (subject "As per your request!", attachment README.EXE, 24,576 bytes).

Running the attachment causes the worm to check for the presence of README.EXE in the WINDOWS directory. If none exists, the worm copies itself there. Next, it copies whichever README.EXE is in the WINDOWS directory to the root of all local drives and creates a registry Run value so that program is loaded at startup (so if a non-worm README.EXE was already present, that file, not the worm, is what gets copied and registered):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    macrosoft = C:\WINDOWS\readme.exe

The worm sends a copy of itself to every entry in the user's Microsoft Outlook Address Book and then displays a small dialog box titled "Urgent!" containing a single large button labeled "Open".

If this button is pressed, the worm sends out further copies of itself and then displays a decoy error message box titled "WinZip SelfExtractor: Warning" with the message "CRC error: 34#".

After the error message box is acknowledged the worm terminates.

Removal Instructions:

This worm is detected by the 4157 DAT files; users should update immediately. Where that is not an option, AVERT made an EXTRA.DAT available, both as a plain EXTRA.DAT and as a self-installing SUPER.DAT.

Manual Removal Instructions

  • Delete the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run\macrosoft

    Here's how (accidentally removing the wrong information from the Registry can cause damage to your system, take exceptional care whenever working in the Registry editor):

    - Click START | RUN, type REGEDIT and hit ENTER
    - On the left side of the screen, double click on HKEY_CURRENT_USER
    - Click the plus sign (+) next to Software
    - Click the plus sign (+) next to Microsoft
    - Click the plus sign (+) next to Windows
    - Click the plus sign (+) next to CurrentVersion
    - Click the plus sign (+) next to Run
    - On the right side of the screen, highlight the entry "macrosoft" whose data column reads "C:\WINDOWS\readme.exe". Note the "a" in macrosoft: this is the worm's entry, not a Microsoft one
    - Press the Delete key on the keyboard and confirm the deletion
    - Close the Registry Editor by clicking the X in the upper right-hand corner

  • Restart the computer, so that README.EXE is no longer running and can be deleted

  • Delete README.EXE from the WINDOWS directory and from the root directory of every local drive
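The indicators given under Virus Effects (the "macrosoft" Run value pointing at C:\WINDOWS\readme.exe, a 24,576-byte README.EXE in the WINDOWS directory and drive roots, and the different-size README.EXE anomaly) and the three manual removal steps above can be checked offline from artifacts pulled off the suspect machine. The following Python script is an added example for this page; it is not part of the original advisory and not a McAfee or LHRIC tool. It assumes you have a REGEDIT4 export of the user's Run key (regedit's "Export Registry File") and a list of (path, size) pairs for README.EXE files, and that the Windows directory is C:\WINDOWS as in the Run value above; the registry export and file inventory in the block are constructed sample data. In place of the click-by-click regedit procedure, it writes a REGEDIT4 script that removes the value with the "=-" deletion syntax, which regedit applies on import; the reboot and file deletion steps are left to the operator in the order the advisory gives.

```python
r"""Offline triage for the W32/APost@MM indicators on this page.

Added example, not part of the advisory or of any vendor tool. Input is a
REGEDIT4 export of the user's Run key plus a (path, size) inventory of
README.EXE files from the suspect machine; output is the indicators found
and the removal artifacts. All sample data below is constructed, and the
Windows directory is assumed to be C:\WINDOWS, as in the advisory's Run value.
"""
import re

# Indicators as stated in the advisory.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "macrosoft"      # note the "a": this is not a Microsoft entry
WORM_FILENAME = "README.EXE"
WORM_SIZE = 24576            # the worm body; any other size is the
                             # "whatever README.EXE was there" anomaly


def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: data}}.
    Only quoted string (REG_SZ) values are kept, which is all a Run key
    normally holds; "@" defaults and binary values are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside strings
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name.strip('"')] = data
    return keys


def find_persistence(reg):
    """Return [(value_name, data)] for Run entries that are the documented
    "macrosoft" value or that launch any readme.exe, so an entry registered
    under a different name is still caught."""
    run = reg.get(RUN_KEY, {})
    return [(n, d) for n, d in run.items()
            if n.lower() == RUN_VALUE or d.lower().rstrip().endswith("readme.exe")]


def classify_readme(path, size, windir=r"C:\WINDOWS"):
    """Classify one inventory entry:
    'worm'    README.EXE of 24,576 bytes in a drive root or the Windows dir
    'unknown' README.EXE of another size in those locations; the worm mails
              whatever README.EXE it found, so scan it, do not assume clean
    None      not an indicator"""
    parent, _, name = path.rpartition("\\")
    if name.upper() != WORM_FILENAME:
        return None
    in_root = re.fullmatch(r"[A-Za-z]:", parent) is not None
    if not (in_root or parent.upper() == windir.upper()):
        return None
    return "worm" if size == WORM_SIZE else "unknown"


def removal_plan(reg_text, inventory, windir=r"C:\WINDOWS"):
    """Map the findings onto the advisory's removal order:
    1. delete the Run value (REGEDIT4 script; "=-" deletes a value on import)
    2. reboot so readme.exe is no longer running and can be deleted
    3. delete the worm copies; review any other README.EXE first"""
    persistence = find_persistence(parse_reg_export(reg_text))
    reg_script = ""
    if persistence:
        lines = ["REGEDIT4", "", f"[{RUN_KEY}]"]
        lines += [f'"{name}"=-' for name, _ in persistence]
        reg_script = "\n".join(lines) + "\n"
    delete, review = [], []
    for path, size in inventory:
        verdict = classify_readme(path, size, windir)
        if verdict == "worm":
            delete.append(path)
        elif verdict == "unknown":
            review.append(path)
    return {"persistence": persistence, "reg_script": reg_script,
            "delete_files": delete, "review_files": review}


# Constructed sample input from a machine that ran the attachment. The
# 172,067-byte file stands in for the old QuickTime read-me the advisory
# mentions; it is not the worm but must not be assumed clean either.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"macrosoft"="C:\\WINDOWS\\readme.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''
SAMPLE_INVENTORY = [
    (r"C:\WINDOWS\README.EXE", 24576),
    (r"C:\README.EXE", 24576),
    (r"D:\readme.exe", 24576),
    (r"D:\DOWNLOADS\README.EXE", 172067),  # not a root or WINDOWS: ignored
    (r"E:\README.EXE", 172067),            # wrong size: review, do not assume clean
    (r"C:\WINDOWS\README.TXT", 512),       # different name: ignored
]

if __name__ == "__main__":
    plan = removal_plan(SAMPLE_REG, SAMPLE_INVENTORY)
    print("Run entries to delete:", plan["persistence"])
    print(plan["reg_script"])
    print("Delete after reboot:", plan["delete_files"])
    print("Scan before deleting:", plan["review_files"])
```

To use it on real artifacts, replace SAMPLE_REG with the contents of a regedit export of the Run key and SAMPLE_INVENTORY with the README.EXE entries from a directory listing. Save the printed REGEDIT4 text as a .reg file and import it with regedit, restart, then delete the paths in delete_files; anything in review_files is a README.EXE of the wrong size and should be scanned rather than assumed harmless.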

Additional Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.

Disabling the Restore Utility

1. Right-click the My Computer icon on the Desktop and click Properties.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse to the files in the C:\_Restore folder and remove them.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and System Restore is once again active.


Site Last Updated: September 7, 2001
© Copyright 2001,2002 Lower Hudson Regional Information Center (LHRIC).