Content

W32/Appix.e@MM

Type
Virus
SubType
Worm
Discovery Date
10/21/2002
Length
204,800 bytes
Minimum DAT
4229 (10/16/2002)
Updated DAT
4229 (10/16/2002)
Minimum Engine
5.1.00
Description Added
11/06/2002
Description Modified
11/06/2002 3:17 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This is a prepending virus that also attempts to propagate via email, mIRC Internet Relay Chat software and peer to peer file sharing software.

It may arrive in an email message that exploits the Microsoft Incorrect MIME Header vulnerability in Internet Explorer that allows the attachment to be run simply by viewing the email message.

When the virus is run, it copies itself to the WINDOWS directory as APPBOOST.EXE and creates registry keys to load itself each time .BAT, .CMD, .COM, .EXE, .PIF, and .SCR files are accessed.

  • HKEY_CLASSES_ROOT\batfile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\cmdfile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\comfile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\exefile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\piffile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\scrfile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*

    • Files of the above types can be prepended with the virus code. The virus may also append PHP files with code to serve the virus to users who access the PHP page through a webserver.

    Under WinNT/2K/XP, a copy is saved to the %WinDir% directory as APPBSVC.EXE and it is registered as the service, "Application Boost Service".

    A registry key is created to store information:

  • HKEY_CURRENT_USER\Software\Microsoft\Mails\

    • Symptoms

  • Presence of APPBOOST.EXE and APPBSVC.EXE in the %WinDir% directory
  • Increase in file size (by 204,808 bytes)

    • Method of Infection

    This virus terminates running processes in order to try to bypass certain security products. It also tries to use the mIRC Internet Relay Chat software, peer to peer file sharing software and email to send itself.

    Removal

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants

    Variants

      N/A

    All Information

    Overview -

    This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

    Aliases

    • I-Worm.Apbost.d (Kaspersky)
    • PE_BOOSTAP.A
    • W32.Appix.D.Worm (NAV)

    Characteristics

    Characteristics -

    This is a prepending virus that also attempts to propagate via email, mIRC Internet Relay Chat software and peer to peer file sharing software.

    It may arrive in an email message that exploits the Microsoft Incorrect MIME Header vulnerability in Internet Explorer that allows the attachment to be run simply by viewing the email message.

    When the virus is run, it copies itself to the WINDOWS directory as APPBOOST.EXE and creates registry keys to load itself each time .BAT, .CMD, .COM, .EXE, .PIF, and .SCR files are accessed.

  • HKEY_CLASSES_ROOT\batfile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\cmdfile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\comfile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\exefile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\piffile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\scrfile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*

    • Files of the above types can be prepended with the virus code. The virus may also append PHP files with code to serve the virus to users who access the PHP page through a webserver.

    Under WinNT/2K/XP, a copy is saved to the %WinDir% directory as APPBSVC.EXE and it is registered as the service, "Application Boost Service".

    A registry key is created to store information:

  • HKEY_CURRENT_USER\Software\Microsoft\Mails\

    • Symptoms

    Symptoms -

  • Presence of APPBOOST.EXE and APPBSVC.EXE in the %WinDir% directory
  • Increase in file size (by 204,808 bytes)

    • Method of Infection

    Method of Infection -

    This virus terminates running processes in order to try to bypass certain security products. It also tries to use the mIRC Internet Relay Chat software, peer to peer file sharing software and email to send itself.

    Removal -

    Removal -

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants

    Variants -

      N/A