Symantec.com > Security Response > W32.Appix.D.Worm

W32.Appix.D.Worm

Risk Level 1: Very Low

Discovered: October 31, 2002

Updated: February 13, 2007 11:57:22 AM

Type: Worm

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

W32.Appix.D.Worm is a variant of W32.Appix.B.Worm. It prepends itself to .bat, .com, .cmd, .exe, .scr, .pif, and .msi files in the root folder of drive C, and prepends itself to all .exe files in the Windows installation folder. It also attempts to prepend itself to open files.

It infects .php, .phtml, and .php3 files in the current folder, the root of drive C, the Windows installation folder and the Windows system folder by appending code that is designed to infect other .php, .phtml, and .php3 files.

It downloads the W32.Appix.D.Worm to a client computer that visits an infected Web site. The worm spreads itself through mIRC. Also, the worm uses the current email program or its own SMTP engine to send itself to all contacts in the Windows Address Book and in The Bat! email program's address book. The email message may have the following characteristics:

Subject: The subject is a combination of

A nice Screensaver of
Ein netter Screensaver von
New Version of
Eine neue Version von
Important!:
Wichtig!:

and

Pamela Anderson
Angelina Jolie
Anna Kournikova
Porn Screensaver
Sex ScreenSaver
TvTool
Flashget
WarezBoardAccess
Undelivarable Email
Brute Force Tool
Kündigung (Provider)

Attachment: The attachment may be one of the following:

PamAnderson.scr
Jolie.scr
AnnaKournikova.scr
XXX.scr
FreeSex.exe
TvTool.exe
FlashGet.exe
WarezBoardAccess.exe
Undelivarablemail.exe
BestTool.exe
Vertrag.exe

It may also arrive as an email with three attachments,

Subject: Application Booster
Message: Try the Free Application Boost Pack, NOW !!!!
Attachments: