W32/Appix.c@MM

Type: Virus
SubType: Worm
Discovery Date: 10/09/2002
Length: 204,800 bytes
Minimum DAT: 4229 (10/16/2002)
Updated DAT: 4235 (11/27/2002)
Minimum Engine: 5.1.00
Description Added: 11/05/2002
Description Modified: 11/05/2002 11:20 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is a prepending virus that also attempts to propagate via email and the mIRC Internet Relay Chat client. It contains several bugs and does not function as designed. Although this threat does not run properly on the Win9x platform, it does make system changes before crashing. The crash does not occur on the WinNT-based platforms (WinNT/2K/XP).

It may arrive in an email message that exploits the Microsoft Incorrect MIME Header vulnerability in Internet Explorer in order to be run simply by viewing the email message.
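The mail-side check a defender would want for the delivery route described above is a mismatch test: a MIME part declared as a harmless media or text type whose decoded payload is actually a Windows executable (PE files begin with the two bytes "MZ"), or whose attachment name carries one of the executable extensions this virus hooks. The script below is an added example, not code from the original description or from McAfee; the sample message it builds is constructed test data, not a real copy of the worm, and the function names are this example's own.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the description lists as hooked by the virus (.BAT, .CMD, .COM, .EXE, .PIF, .SCR).
EXEC_EXTENSIONS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr"}
# Declared main types under which an executable payload has no business appearing.
DECLARED_SAFE_TYPES = {"audio", "image", "video", "text"}


def build_constructed_sample() -> bytes:
    """Build a constructed test message: one part declared as audio that really
    carries a PE-style (MZ) payload, plus one benign text attachment as a control."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample for MIME mismatch check"
    msg.set_content("Body text (constructed test data).")
    # Constructed fake executable: MZ header followed by filler, NOT a real program.
    fake_pe = b"MZ" + b"\x00" * 62 + b"constructed-not-a-real-executable"
    msg.add_attachment(fake_pe, maintype="audio", subtype="x-wav", filename="sound.wav")
    msg.add_attachment("just text", filename="notes.txt")
    return msg.as_bytes()


def find_suspicious_parts(raw: bytes) -> list:
    """Return a list of findings for non-multipart MIME parts whose declared type
    disagrees with either the payload magic or the attachment extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename() or ""
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        maintype = part.get_content_maintype()
        reasons = []
        if maintype in DECLARED_SAFE_TYPES and payload[:2] == b"MZ":
            reasons.append(f"declared {part.get_content_type()} but payload starts with PE/MZ header")
        if maintype in DECLARED_SAFE_TYPES and ext in EXEC_EXTENSIONS:
            reasons.append(f"declared {part.get_content_type()} but attachment name ends in {ext}")
        if reasons:
            findings.append({
                "filename": filename,
                "content_type": part.get_content_type(),
                "size": len(payload),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_parts(build_constructed_sample()):
        print(finding)
```

On a real mail gateway the raw bytes would come from the message store or the MTA's content filter instead of `build_constructed_sample()`; the check is deliberately limited to the declared-type-versus-content contradiction, which is the property the mail client is being tricked on, and does not depend on any signature of this particular virus.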

When the virus is run, it copies itself to the WINDOWS directory as APPBOOST.EXE and rewrites the shell\open\command registry keys for the .BAT, .CMD, .COM, .EXE, .PIF, and .SCR file types so that it is loaded each time a file of one of those types is opened:

  • HKEY_CLASSES_ROOT\batfile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\cmdfile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\comfile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\exefile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\piffile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\scrfile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
Files of the above types can be prepended with the virus code. The virus may also append PHP files with code to serve the virus to users who access the PHP page through a webserver.

Under WinNT/2K/XP, a copy is saved to the %WinDir% directory as APPBSVC.EXE and it is registered as the service "Application Boost Service".

A registry key is created to store information:

  • HKEY_CURRENT_USER\Software\Microsoft\Mails\

Symptoms

  • Presence of APPBOOST.EXE and APPBSVC.EXE in the %WinDir% directory
  • Increase in file size (by 204,808 bytes)
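A host-side triage for the symptoms and the registry changes listed above can be written without any signature: for each hooked file type the clean shell\open\command value launches the file itself (it begins with "%1"), so any value that puts another executable in front of "%1" is an association hijack, and the wrapper it names can be compared against the indicator filenames. The script below is an added example, not McAfee's detection logic; it parses the text that `reg query HKCR\<type>\shell\open\command` prints (the key line followed by an indented `(Default)` value line is the assumed layout; older builds print `<NO NAME>`), and the sample output embedded here is constructed, with the hijacked exefile entry written to match the value the description shows.

```python
import re

# File types whose open command the virus rewrites, per the description.
HOOKED_TYPES = {"batfile", "cmdfile", "comfile", "exefile", "piffile", "scrfile"}
# Filenames the description lists as symptoms in %WinDir%.
INDICATOR_FILES = {"appboost.exe", "appbsvc.exe"}

# Matches a value line of `reg query` output: "(Default)" or "<NO NAME>", type, data.
VALUE_RE = re.compile(r"^\s*(?:\(Default\)|<NO NAME>)\s+(REG_\w+)\s+(.*)$")

# Constructed sample of `reg query` output: batfile and scrfile are clean,
# exefile carries the wrapper the description shows.
SAMPLE_REG_QUERY = r"""
HKEY_CLASSES_ROOT\batfile\shell\open\command
    (Default)    REG_SZ    "%1" %*

HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    C:\WINDOWS\appboost.exe "%1" %*

HKEY_CLASSES_ROOT\scrfile\shell\open\command
    (Default)    REG_SZ    "%1" /S
"""


def parse_open_commands(text: str) -> dict:
    """Map each HKEY_... key in reg query output to its (Default) string data."""
    commands = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and current:
            commands[current] = m.group(2).strip()
    return commands


def _first_token(command: str) -> str:
    """Return the program a shell command line runs (first quoted or bare token)."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command.split() else ""


def find_hijacked_commands(commands: dict) -> list:
    """Flag hooked file types whose open command does not start with "%1"."""
    findings = []
    for key, data in commands.items():
        parts = key.split("\\")
        file_type = parts[1].lower() if len(parts) > 1 else ""
        if file_type not in HOOKED_TYPES:
            continue
        if data.startswith('"%1"') or data.startswith("%1"):
            continue  # clean: the file itself is what gets launched
        wrapper = _first_token(data)
        basename = wrapper.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        findings.append({
            "key": key,
            "file_type": file_type,
            "command": data,
            "wrapper": wrapper,
            "known_indicator": basename in INDICATOR_FILES,
        })
    return findings


def find_indicator_files(directory_listing) -> list:
    """Return names from a %WinDir% listing that match the symptom filenames."""
    return sorted(name for name in directory_listing if name.lower() in INDICATOR_FILES)


if __name__ == "__main__":
    for hit in find_hijacked_commands(parse_open_commands(SAMPLE_REG_QUERY)):
        print("hijacked:", hit["file_type"], "->", hit["wrapper"], "(known indicator)" if hit["known_indicator"] else "")
    print("indicator files:", find_indicator_files(["notepad.exe", "APPBOOST.EXE", "win.ini"]))
```

On a live system, feed `parse_open_commands` the combined output of `reg query` for each of the six keys and `find_indicator_files` the result of listing %WinDir%; a wrapper that is not one of the two indicator names is still worth looking at, since the same hook is a general persistence technique and the clean value should always begin with "%1". The service name "Application Boost Service" from the description is the remaining indicator to check in the Services list.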
Method of Infection

This virus tries to use the mIRC Internet Relay Chat client and email to send itself.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Apbost.d (AVP)
  • PE_BOOSTAP.A (Trend)
  • W32.Appix.C.Worm (NAV)
  • Win32.Appix.C (CA)
