
F-Secure Virus Descriptions : NewApt





NAME:NewApt
ALIAS:I-Worm.NewApt, W32.NewApt.Worm, Worm.NewApt
SIZE:69632

The NewApt worm appeared in the middle of December 1999. The worm itself is a Windows PE executable file about 70 KB long. It spreads via the Internet as an attachment to e-mail messages. The name of the attached worm copy is randomly selected from 26 variants:

 panther.exe      farter.exe
 gadget.exe       boss.exe
 irngiant.exe     monica.exe
 casper.exe       saddam.exe
 fborfw.exe       party.exe
 cupid2.exe       hog.exe
 party.exe        goal1.exe
 bboy.exe         pirate.exe
 baby.exe         video.exe
 goal.exe         copier.exe
 theobbq.exe      cooler1.exe
 panthr.exe       cooler3.exe
 chestburst.exe   g-zilla.exe

The infected message's subject is "Just for your eyes". Other subject variants are possible: in some cases the worm adds "Re:" to the subject line along with some other text.

The message body contains lines in plain text format:

 he, your lame client cant read HTML, haha.
 click attachment to see some stunningly HOT stuff

as well as in HTML format:

 Hypercool Happy New Year 2000 funny programs and animations...
 We attached our recent animation from this site in our mail! Check it out!

When the infected message is received, one of the above texts is displayed, depending on whether the recipient's e-mail client supports the HTML e-mail format.

When a user runs the attached executable, the worm gets control and installs itself in the system. It copies itself under its current name (the name it arrived with in the e-mail) to the Windows directory and registers this copy in the system registry in the "Run=" section:

 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 'tpawen' = 'C:\WINDOWS\PANTHER.EXE /x'

Note that the worm's name (here it is "PANTHER") is not always the same and can be randomly selected by the worm (see the list above).

To hide its activity the worm displays a fake error message:

The second line in the above message box is the infected system's Windows system directory name, 'Path' and 'SystemRoot' system variables.

Then the worm registers itself as a service process (not visible in the task list) and stays memory resident as a hidden application. The worm's main routines (two of them run in the background) then periodically scan hard drives for Internet-related files (MS Mail, Outlook Express, Netscape Navigator and other files), open these files, extract Internet addresses from them and send copies of the worm to these addresses.

Starting from 12th of June, 2000 the worm removes the "Run=" string from the system registry and no longer installs itself in the system. So this worm's lifetime is limited by that date. But copies of the worm left in a system after 12th of June may activate again if the system date is set incorrectly.

From 00:00 on 26th of December the worm tries to connect to a remote computer somewhere at Microsoft every 3 seconds. This is most likely done to ping-bomb the server.
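The installation details and the lifetime note above translate into a simple host check. The following is an added example, not F-Secure's code; it assumes the Run key and a Windows directory listing have already been exported, and the names `check_host`, `SAMPLE_RUN` and `SAMPLE_DIR` are hypothetical.

```python
import ntpath

# File names the page lists for the original NewApt (compared lower-case).
NEWAPT_NAMES = {
    "panther.exe", "farter.exe", "gadget.exe", "boss.exe", "irngiant.exe",
    "monica.exe", "casper.exe", "saddam.exe", "fborfw.exe", "party.exe",
    "cupid2.exe", "hog.exe", "goal1.exe", "bboy.exe", "pirate.exe",
    "baby.exe", "video.exe", "goal.exe", "copier.exe", "theobbq.exe",
    "cooler1.exe", "panthr.exe", "cooler3.exe", "chestburst.exe",
    "g-zilla.exe",
}
RUN_VALUE = "tpawen"   # Run value name given on the page
WORM_SIZE = 69632      # SIZE field given on the page


def check_host(run_values, windows_dir, dir_listing):
    """Return (kind, detail) findings for one machine.

    run_values:  {value name: command line} from ...\\CurrentVersion\\Run
    windows_dir: the Windows directory, e.g. C:\\WINDOWS
    dir_listing: {file name: size in bytes} for that directory
    """
    findings = []
    win = ntpath.normcase(ntpath.normpath(windows_dir))
    for name, cmd in run_values.items():
        exe, _, args = cmd.strip().partition(" ")
        folder, base = ntpath.split(ntpath.normcase(exe.strip('"')))
        known_copy = (folder == win and base in NEWAPT_NAMES
                      and args.strip().lower() == "/x")
        if name.lower() == RUN_VALUE or known_copy:
            findings.append(("run-entry", f"{name} = {cmd}"))
    # From 12 June 2000 the worm deletes its Run value but the copied file
    # stays on disk, so an empty Run key does not clear the machine.
    for fname, size in dir_listing.items():
        if fname.lower() in NEWAPT_NAMES:
            kind = "file-size-match" if size == WORM_SIZE else "file-name-only"
            findings.append((kind, ntpath.join(windows_dir, fname)))
    return findings


# Constructed sample data, not taken from a real machine.
SAMPLE_RUN = {"SystemTray": "SysTray.Exe",
              "tpawen": "C:\\WINDOWS\\PANTHER.EXE /x"}
SAMPLE_DIR = {"NOTEPAD.EXE": 53248, "PANTHER.EXE": 69632, "video.exe": 120000}

if __name__ == "__main__":
    for kind, detail in check_host(SAMPLE_RUN, "C:\\WINDOWS", SAMPLE_DIR):
        print(kind, detail)
```

Several of the listed names are common enough to belong to legitimate programs, so a `file-name-only` finding is a prompt to scan the file rather than a verdict.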

Depending on its counters and some other conditions the worm tries to call phone numbers randomly selected from its internal list. These numbers seem to belong to some company.

It should also be noted that the worm attempts to disguise itself as one of the MessageMates, amusing animations created to be sent to people on various occasions. The MessageMates' website now has a warning about the worm.

VARIANT:NewApt.b
ALIAS:I-Worm.NewApt.b, W32.NewApt.Worm.b, Worm.NewApt.b

This new variant differs slightly from the original version of the NewApt worm. It has different phone line strings, so it calls different places when the payload is activated. Unlike the original version, the worm tries to ping-bomb some computer at Microsoft on the 2nd of February 2000 and deactivates itself on 12th of July 2000. All other functionality is the same, as the worm was compiled from the original NewApt sources.

VARIANT:NewApt.c
ALIAS:I-Worm.NewApt.c, W32.NewApt.Worm.c, Worm.NewApt.c

This new variant differs slightly from the original version of the NewApt worm. It has different phone line strings, so it calls different places when the payload is activated. Unlike the original version, the worm tries to ping-bomb some computer at Microsoft on the 2nd of February 2000 and deactivates itself on 12th of July 2000. All other functionality is the same, as the worm was compiled from the original NewApt sources.

VARIANT:NewApt.d
ALIAS:I-Worm.NewApt.d, W32.NewApt.Worm.d, Worm.NewApt.d
SIZE:73728

The NewApt.d worm variant appeared on January 10, 2000. It was sent to several companies from the 'sexybitch@porncity.com' e-mail address. This worm variant is slightly different from its earlier versions. It has a bigger list of telephone numbers that it calls when the payload is activated. The telephone numbers are also different. Unlike its earlier versions, the worm installs itself under one of the following names:

 Amateur.exe        Bizarre.exe
 Ebony.exe          Hardcore.exe
 Miscellan.exe      Blowjob.exe
 Fatladies.exe      Hidcams.exe
 Mixedbag.exe       Shemales.exe
 Asians.exe         Cartoons.exe
 Fetish.exe         Hidcam.exe
 Gay.exe            Lesbians.exe
 Pornstars.exe      Toys.exe
 Babes.exe          Cumshot.exe
 Group.exe          Mature.exe
 Pregnant.exe       Weird.exe
 Male.exe

This worm variant shows an additional link in the message it spreads itself with. The link points to a porno site.

[Analysis: Eugene Kaspersky, AVP team; F-Secure team]