
W32/Aplore@MM

Type: Virus
SubType: E-mail
Discovery Date: 04/08/2002
Length: 319,488 bytes
Minimum DAT: 4196 (04/10/2002)
Updated DAT: 4427 (02/09/2005)
Minimum Engine: 5.1.00
Description Added: 04/08/2002
Description Modified: 04/10/2002 2:18 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is a mass-mailing worm which spreads via a built-in web server and lures IRC (Internet Relay Chat) and AIM (AOL Instant Messenger) users into running the worm. When run, it creates a VBScript file, %SysDir%\Email.vbs, that sends the worm to all users in the Microsoft Outlook Address Book, closes the Outlook application, and then deletes the script. It arrives in an email message containing the following information:

Subject: .
Body: .
Attachment: psecure20x-cgi-install.version6.01.bin.hx.com

When the attachment is run, the local machine is infected. The worm saves a copy of itself to the WINDOWS SYSTEM directory as EXPLORER.EXE and creates a registry run key to load itself at startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Explorer=C:\WINDOWS\SYSTEM\EXPLORER.EXE
The file "psecure20x-cgi-install.version6.01.bin.hx.com" is moved to the SYSTEM directory, and a 0-byte file, IPHIST.DAT, is left in the directory the file was run from. APHEX.JPG, HWND32.DLL, and INDEX.HTML are saved into the SYSTEM directory.

The worm connects to an IRC server, IRC.DAL.NET, and sends a message to users who join the channel that the worm has connected to (message sent): When a user clicks on the real hyperlink (not the one listed here), the infected system serves the INDEX.HTML web page, which self-refreshes to run the worm. This results in the user being prompted to "Run the file from its current location" or "Save this program to disk". The HTML page also displays the text:

  Browser Plugin Required:

  You may need to restart your browser for changes to take affect.
  Security Certificate by Verisign 2002.
  MD5: 9DD756AC-80E057FC-E00703A2-F801F2E3

  Click HERE and choose "Run" to install.

In a similar fashion, the worm hooks AOL Instant Messenger client windows such that whenever an AIM user sends a message, the recipient receives the following message instead. Note: the word "cool," may be replaced with any of the following words/phrases:
• btw, download this,
• I wanted to show you this,
• please check this out,
• hey go to,
• download this,
• see if you can get this to work,
• this is cool,
• tell me what you think about,
• try this,
• I almost forgot about,
• I like this,
• what about,
• have you seen,
• interesting,
• lol,
• wow,
• whoa,
• neat,
• hmm,
• psst,
• hehe,
• haha,
• silly,
• weird,

Recipients could include full AOL users, in addition to AIM users. The title of the AIM window hooked by the virus is stored in the file HWND32.DLL, previously mentioned.

Symptoms

Presence of the following files in the WINDOWS SYSTEM directory:

• psecure20x-cgi-install.version6.01.bin.hx.com
• explorer.exe (319,488 bytes)
• hwnd32.dll
• index.html
• aphex.jpg

Method of Infection

This virus arrives as a .COM email attachment. When run, the .COM file creates a VBScript file and runs it. The script emails the .COM file to all users in the Microsoft Outlook Address Book. The worm also serves itself to connections made on port 8180 and sends IRC messages to lure people into navigating to port 8180.
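As an added example (not part of the McAfee description), the host and network indicators above, applied with Python to a constructed directory listing of WINDOWS\SYSTEM, a constructed .reg export of the Run key, and constructed IRC/AIM log lines; the sample data, the function names and the 8180-port URL heuristic are assumptions made for illustration:

```python
import re

# Indicators transcribed from the description: dropped files, the size of the
# EXPLORER.EXE copy, the Run-key target, and the port of the built-in web server.
SYSTEM_DIR_FILES = {"psecure20x-cgi-install.version6.01.bin.hx.com",
                    "explorer.exe", "hwnd32.dll", "index.html", "aphex.jpg"}
WORM_LENGTH = 319_488
RUN_VALUE_PATH = r"c:\windows\system\explorer.exe"
LURE_PORT = 8180

def check_system_dir(listing):
    """listing: {filename: size} for WINDOWS\\SYSTEM; returns indicator files present.
    explorer.exe counts only at the worm's size (the real shell lives in WINDOWS)."""
    found = []
    for name, size in listing.items():
        lname = name.lower()
        if lname in SYSTEM_DIR_FILES and not (lname == "explorer.exe" and size != WORM_LENGTH):
            found.append(lname)
    return sorted(found)

def check_run_key(reg_export):
    """reg_export: text of a .reg export of the Run key (backslashes are doubled
    in that format); returns value names whose data is the worm's EXPLORER.EXE."""
    hits = []
    for m in re.finditer(r'^"([^"]+)"="([^"]*)"', reg_export, re.M):
        data = m.group(2).replace("\\\\", "\\").strip().lower()
        if data == RUN_VALUE_PATH:
            hits.append(m.group(1))
    return hits

URL_RE = re.compile(r"https?://[\w.\-]+:(\d+)", re.I)

def lure_lines(chat_log):
    """Return IRC/AIM log lines whose URL points at port 8180, the worm's web server."""
    return [ln for ln in chat_log.splitlines()
            if any(int(p) == LURE_PORT for p in URL_RE.findall(ln))]

# Constructed sample input for a stand-alone run (not captured data).
SAMPLE_LISTING = {"EXPLORER.EXE": 319488, "hwnd32.dll": 1024, "INDEX.HTML": 2048,
                  "kernel32.dll": 700000, "aphex.jpg": 4096}
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Explorer"="C:\\WINDOWS\\SYSTEM\\EXPLORER.EXE"
'''
SAMPLE_LOG = """<alice> lol http://192.0.2.10:8180/
<bob> see http://example.com/page
<carol> whoa http://198.51.100.7:8180/index.html"""
```

On the sample data, check_system_dir reports four of the five dropped files, check_run_key reports the "Explorer" value, and lure_lines returns the two lines carrying a :8180 link.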

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).


Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Aplore (F-Secure)
• W32.Aphex@mm (Symantec)
• W32/Aplore (Central Command)
• Win32.Aphex (CA)
