W32/Appix.f@MM

Type
Virus
SubType
Worm
Discovery Date
10/31/2002
Length
.EXE: 346,767 bytes; .REG: 1,550 bytes; .VBS: 4,510 bytes
Minimum DAT
4232 (11/06/2002)
Updated DAT
4235 (11/27/2002)
Minimum Engine
5.1.00
Description Added
11/06/2002
Description Modified
11/06/2002 4:48 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a prepending virus that also attempts to propagate via email, the mIRC Internet Relay Chat client and peer-to-peer file sharing software. It contains several bugs and may cause infected systems to hang during subsequent Windows restarts.

The worm may arrive in an email message that exploits the Incorrect MIME Header vulnerability in Internet Explorer (Microsoft Security Bulletin MS01-020), which allows the attachment to run as soon as the message is viewed in an unpatched mail client that renders messages with the IE engine.

When the virus is run, it copies itself to the Windows directory as APPBOOST.EXE and rewrites the shell "open" command of the .BAT, .CMD, .COM, .EXE, .PIF and .SCR file classes, so that the copy is launched first, with the file the user opened passed to it as an argument, every time a file of one of those types is opened:

  • HKEY_CLASSES_ROOT\batfile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\cmdfile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\comfile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\exefile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\piffile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*
  • HKEY_CLASSES_ROOT\scrfile\shell\open\command\
    (Default)=%WinDir%\appboost.exe "%1" %*

Files of the above types can be prepended with the virus code. The virus may also append PHP files with code to serve the virus to users who access the PHP page through a webserver.

Under WinNT/2K/XP, a copy is saved to the %WinDir% directory as APPBSVC.EXE and it is registered as the service, "Application Boost Service".

Two additional files are dropped in the Windows directory, a .REG file and a .VBS file. The .REG file is used to change display colors and the .VBS file is used to assist with spreading via email.

A binary registry key value is created to store information:

  • HKEY_CURRENT_USER\Software\Microsoft\Mails\%number%=%value%

Symptoms

  • Presence of the following files in the Windows directory:
    • Appboost.exe
    • Appbsvc.exe
    • Appboost.reg
    • Appboost.vbs
  • Increase in file size of EXE files (by 233,103 bytes)
Method of Infection

This virus terminates running processes in order to try to bypass certain security products. It also tries to use the mIRC Internet Relay Chat client, peer-to-peer file sharing software and email to send itself.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

If the dropped files are removed by hand instead, restore the shell\open\command default values listed above before deleting APPBOOST.EXE: on a clean system these are "%1" %* for batfile, cmdfile, comfile, exefile and piffile, and "%1" /S for scrfile. While the handlers still point at APPBOOST.EXE, deleting it leaves Windows unable to open any file of those types, so most programs can no longer be launched from the shell.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• PE_APPIX.B (Trend)
• W32.Appix.D.Worm (NAV)
• I-Worm.Apbost.e (AVP)
