Worm.Win32.Apart
Apart is a network worm with backdoor capabilities. The worm itself is a Windows PE EXE file written in Delphi. Depending on the version, the worm is either 43KB or 56KB in length and is compressed with tElock or UPX (the decompressed size is about 90KB).
“Apart.b” was posted to IRC channels in the middle of August 2002 as a “NEW NUDE BRITNEY SPEARS SCREEN SAVER!”
Installing
While installing, the worm copies itself to the Windows system directory under the name “kernel32.dll*” and sets the “hidden” attribute on this file (here and below the * (star) character stands for the byte A0h). That file is then registered in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Kernel = %SystemDir%\KERNEL32.DLL*
The worm also creates the
HKCR\.dll*
key and associates it with the “exefile” file type, so .DLL* files are executed as ordinary .EXE files.
The worm then deletes its original file (the one it was started from), opens an Internet connection and “listens” for commands from its master.
Spreading
At its “master’s” request (see “Backdoor” below) the worm spreads through local networks. It looks for network drives that are shared with full access and copies itself to the \WINDOWS\Start Menu\Programs\StartUp\ directory under the name:
Windows.exe
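The installation and spreading indicators above (a Run value pointing at “kernel32.dll” plus the A0h byte, an HKCR\.dll* key mapped to “exefile”, and a Windows.exe dropped into remote StartUp folders) can be hunted for in registry exports and share listings. The following Python script is an added defender-side example, not code from the original description or from any vendor tool; it assumes registry data in the form of a .reg export and a per-host list of StartUp folder filenames, both constructed inline here as sample input.

```python
"""Hunt for Worm.Win32.Apart persistence and spreading indicators.

Added example: checks a .reg export and StartUp folder listings for the
indicators described in the write-up. All input below is constructed.
"""
import re

# The worm appends the byte A0h (the non-breaking space, U+00A0) to
# "kernel32.dll" and ".dll" so the names look legitimate on screen.
NBSP = "\u00a0"

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
EXT_KEY = r"HKEY_CLASSES_ROOT\.dll" + NBSP

# Constructed .reg export: one malicious Run value beside a benign one,
# and the forged ".dll<A0h>" key beside the legitimate ".dll" key.
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"Kernel"="C:\\\\WINDOWS\\\\SYSTEM32\\\\KERNEL32.DLL{NBSP}"
"ctfmon.exe"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"

[HKEY_CLASSES_ROOT\\.dll]
@="dllfile"

[HKEY_CLASSES_ROOT\\.dll{NBSP}]
@="exefile"
"""

# Constructed listings of \WINDOWS\Start Menu\Programs\StartUp\ per host
# (hypothetical host names).
SAMPLE_STARTUP = {
    r"\\FILESRV01\C$": ["desktop.ini", "Windows.exe"],
    r"\\WS-07\C$": ["desktop.ini"],
}


def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data}}.

    The value name "@" denotes a key's default value. Only string data
    ("...") is handled, which is all this check needs.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        # Strip only ASCII whitespace: str.strip() with no argument would
        # also remove U+00A0, which is exactly the byte we must preserve.
        line = raw.strip(" \t\r\n")
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes in string data.
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def _lookup(reg_keys, wanted):
    """Registry key names are case-insensitive; compare them that way."""
    for key, values in reg_keys.items():
        if key.lower() == wanted.lower():
            return values
    return {}


def find_apart_indicators(reg_keys, startup_listings):
    """Return human-readable findings for each Apart indicator present."""
    findings = []
    # Match on the file name, not the value name: the tell is a path
    # ending in kernel32.dll followed by A0h, whatever the value is called.
    for name, data in _lookup(reg_keys, RUN_KEY).items():
        if data.lower().endswith("kernel32.dll" + NBSP):
            findings.append(f"Run value {name!r} launches {data!r} (kernel32.dll + A0h)")
    if _lookup(reg_keys, EXT_KEY).get("@", "").lower() == "exefile":
        findings.append("HKCR\\.dll<A0h> is mapped to 'exefile'")
    for host, entries in startup_listings.items():
        if any(entry.lower() == "windows.exe" for entry in entries):
            findings.append(f"{host}: Windows.exe present in StartUp folder")
    return findings


def scan_sample():
    """Run the check over the constructed sample data."""
    return find_apart_indicators(parse_reg_export(SAMPLE_REG), SAMPLE_STARTUP)


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

Two details matter when adapting this to real data: a legitimate `kernel32.dll` path without the trailing A0h byte must not match, which is why the check looks for the byte rather than the file name alone, and generic whitespace trimming silently discards U+00A0, so the parser strips only ASCII whitespace.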
Backdoor
The backdoor routine allows a remote “master” (the person controlling the worm) to perform the following actions:
send detailed computer information: driver descriptions, local date and time, default language, computer name, CPU speed and number of processors, RAM size, Windows version, etc.
steal cached passwords, as well as MSN account and password and .NET Messenger information.
Apart also performs the following routines:
spread over local network
receive a file from the master or download a file from a Web site
execute a file
perform DoS attack on remote computer
ping a remote computer
scan ports and IP addresses
redirect PC ports
send spam messages through AOL Instant Messenger and to a mIRC channel
Other
The worm contains the following “copyright” text string:
Apartheid v.2.0