Troj_Apost.A VIRUS - Please Read

Beth

New Member
Hi all,
Please read the info below from Symantec. Check with your antivirus software vendor, and update your virus definitions...

==============================================
Symantec has received a substantial number of submissions since September 3, 2001 for this worm, formerly known as W32.Urgent.worm@mm. Therefore, Symantec has upgraded the threat level from 2 to 3. We have added detection since its original discovery, and certified definitions will be posted on September 4, 2001.

This worm is a Visual Basic Application that arrives as a readme.exe attachment to an e-mail. This worm requires Microsoft Visual Basic Runtime Libraries to replicate.

The body of the e-mail asks the recipient to review the attachment, but once viewed, the worm will activate, hook your system's activation routines and then spread itself to everyone in the user's address book.


Also Known As: W32/Apost-mm, W32/Apost-A, W32.Urgent.Worm@mm

Type: Worm

Infection Length: 24,576 bytes

Virus Definitions: September 4, 2001

Threat Assessment:

Wild: Medium
Damage: Low
Distribution: High


Wild:

Number of infections: 50 - 999
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Easy
Removal: Easy
Damage:

Payload:
Large scale e-mailing: emails to all contacts in your address book
Distribution:

Subject of email: As per your request!
Name of attachment: readme.exe
Size of attachment: 24,576 bytes

Technical description:

Arrival
This worm arrives as an attachment to the following e-mail

Subject
As per your request!
Body
Please find attached file for your review.
I look forward to hear from you again very soon. Thank you.

Activation
Once activated, the worm creates a copy of itself in the user's Windows folder as readme.exe. It then creates the following registry key and value:

key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
value
macrosoft = "C:\Windows\readme.exe"

It then writes a copy of itself to the root of all local drives (this includes floppy drives, Zip drives and network drives) and e-mails itself to all the contacts in your address book.

It will then display a message box (image not reproduced here) and wait for you to press the button. Once you've pressed the button, it will go through the above steps once more, then show you a fake error message (image not reproduced here) and quit.

Attention
Since this worm activates its insertion and e-mailing routine twice, a user will likely get at least two e-mails with this worm as an attachment.



Removal instructions:


To remove the worm, delete all files that are detected as W32.Apost.Worm@mm and remove the registry entry that it added (details follow).

To remove the worm:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan. Be sure that NAV is configured to scan all files.
3. Delete all files that are detected as W32.Apost.Worm@mm.

To edit the registry:

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys that are specified in this document. For more information about how to back up the registry, please read How to back up the Windows registry before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed. Consult a qualified computer technician for more information.

1. Navigate to and select the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

2. In the right pane, look for and select the value

macrosoft C:\Windows\readme.exe

3. Press Delete, and then click Yes to confirm.
4. Exit the Registry Editor.
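An added example, not part of Beth's post or of Symantec's write-up: a small Python script that turns the indicators the advisory lists (the subject line, the readme.exe attachment of 24,576 bytes, the copies dropped at drive roots and in the Windows folder, and the "macrosoft" Run value) into checks a mail gateway or a host scan could run. The function names, the sample message and the sample directory tree it builds are constructed for this example. Because the quoted text gives HKEY_CURRENT_USER in the description but HKEY_LOCAL_MACHINE in the removal steps, the registry check looks in both hives rather than guessing which one is right.

```python
# Indicator checks built from the W32.Apost.Worm@mm advisory quoted above.
# Added example, not code from the original post or from Symantec. Function
# names, the sample message and the sample directory tree are constructed
# here; the indicator values themselves come from the advisory text.
import email
import email.policy
import os
import pathlib
import tempfile
from email.message import EmailMessage

APOST_SUBJECT = "as per your request!"   # compared case-insensitively
APOST_ATTACHMENT = "readme.exe"
APOST_SIZE = 24576                       # "Infection Length" in the advisory
APOST_RUN_VALUE = "macrosoft"
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def apost_mail_indicators(raw_message: bytes) -> list:
    """Return the advisory indicators matched by one raw RFC 822 message.

    A subject-only hit is weak (ordinary mail can use the same line), so a
    gateway should quarantine on the attachment indicators and only log it.
    """
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    hits = []
    if (msg["subject"] or "").strip().lower() == APOST_SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():      # empty for non-multipart mail
        if (part.get_filename() or "").lower() != APOST_ATTACHMENT:
            continue
        hits.append("attachment-name")
        payload = part.get_payload(decode=True) or b""   # undo base64
        if len(payload) == APOST_SIZE:
            hits.append("attachment-size")
    return hits


def find_apost_copies(roots) -> list:
    """Look for a 24,576-byte readme.exe directly under each given directory.

    Pass the drive roots and the Windows folder (e.g. ["C:\\", "C:\\Windows",
    "A:\\"]); only the top level is checked, which is where the advisory says
    the copies land. Unreadable or absent roots are skipped.
    """
    found = []
    for root in roots:
        candidate = pathlib.Path(root) / APOST_ATTACHMENT
        try:
            if candidate.is_file() and candidate.stat().st_size == APOST_SIZE:
                found.append(str(candidate))
        except OSError:
            continue
    return found


def apost_run_value_present() -> bool:
    """Check the Run key in both hives for "macrosoft" (Windows only).

    Returns False on hosts without winreg, i.e. anything but Windows.
    """
    try:
        import winreg
    except ImportError:
        return False
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, RUN_SUBKEY) as key:
                winreg.QueryValueEx(key, APOST_RUN_VALUE)
                return True
        except OSError:
            continue
    return False


def build_sample_message(attachment_size: int = APOST_SIZE) -> bytes:
    """Constructed message mimicking the advisory's mail; not a real capture."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "you@example.invalid"
    m["Subject"] = "As per your request!"
    m.set_content("Please find attached file for your review.\n"
                  "I look forward to hear from you again very soon. Thank you.\n")
    # Dummy bytes of the right length stand in for the attachment.
    m.add_attachment(b"MZ" + b"\0" * (attachment_size - 2),
                     maintype="application", subtype="octet-stream",
                     filename="readme.exe")
    return m.as_bytes()


def build_sample_tree() -> str:
    """Constructed stand-in for a drive root: a 24,576-byte readme.exe at the
    top level and a wrong-sized decoy in a subfolder that must not match."""
    root = tempfile.mkdtemp(prefix="apost-demo-")
    with open(os.path.join(root, APOST_ATTACHMENT), "wb") as f:
        f.write(b"\0" * APOST_SIZE)
    os.mkdir(os.path.join(root, "sub"))
    with open(os.path.join(root, "sub", APOST_ATTACHMENT), "wb") as f:
        f.write(b"\0" * 100)
    return root


if __name__ == "__main__":
    print(apost_mail_indicators(build_sample_message()))
    demo_root = build_sample_tree()
    print(find_apost_copies([demo_root, os.path.join(demo_root, "sub")]))
    print(apost_run_value_present())
```

Running the script prints the three indicators for the constructed message, one filesystem hit for the constructed drive root, and False for the registry check on a non-Windows host. The size check is deliberately an exact match, as the advisory gives a single infection length; a repacked variant would need a hash or a signature, which is what the updated definitions the post asks you to install provide.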