NewApt
Summary
The NewApt worm appeared in the middle of December 1999. The worm itself is a Windows PE executable file about 70Kb long. It is transferred via the Internet in email messages as an attachment.
Removal
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
-
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
-
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
-
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
The name of the attached worm copy is randomly selected from 26 variants:
panther.exefarter.exe gadget.exe boss.exe irngiant.exe monica.exe casper.exe saddam.exe fborfw.exe party.exe cupid2.exe hog.exe party.exe goal1.exe bboy.exe pirate.exe baby.exe video.exe goal.exe copier.exe theobbq.execooler1.exe panthr.exe cooler3.exe chestburst.exe g-zilla.exe
The infected message's subject is "Just for your eyes". Other subject variants are possible: in some cases the worm puts "Re:" to the subject line and adds some text there.
The message body contains lines in plain text format:
he, your lame client cant read HTML, haha. click attachment to see some stunningly HOT stuff
as well as in HTML format:
Hypercool Happy New Year 2000 funny programs and animations... We attached our recent animation from this site in our mail! Check it out!
When the infected message is received, one of the above texts is displayed depending on whether recepient's email browser supports HTML email format or not.
When the attached executable is run by a user the worm gets control and installs itself to the system. It copies itself with its current name (as the worm arrived in email) to Windows directory and registers this copy in system registry in "Run=" section:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run 'tpawen' = 'C:\WINDOWS\PANTHER.EXE /x'
Note that the worm's name (here it is "PANTHER") is not always the same and can be randomly selected by the worm (see the list above).
To hide its activity the worm displays a fake error message:
The second line is the above messagebox is the infected system's Windows system directory name, 'Path' and 'SystemRoot' system variables.
Then the worm registers itself as a service process (not visible in the task list) and stays memory resident as a hidden application. The worm's main routines (there are two ones working in the background) then periodically scan hard drives for Internet-related files (MS Mail, Outlook Express, Netscape Navigator and other files), open these files, get Internet addresses from there and send worm copies to these addresses.
Starting from 12th of June, 2000 the worm removes "Run=" string from system Registry and does not install itself to system any more. So, this worm's life-time is limited by that date. But copies of the worm left in a system after 12th of June may activate again if system date is set incorrectly.
From 00:00 starting on 26th of December the worm tries to connect to remote computer somewhere at Microsoft each 3 seconds. This is most likely done to ping-bomb the server.
Depending on its counters and some other conditions the worm tries to call phone numbers randomly selected from its internal list. These numbers seem to belong to some company.
It should be also noted that the worm attempts to disguise itself as one of the MessageMates - amusing animations created to be sent to people on various occasions. The MessageMates' website now has a warning about the worm.
Variant:NewApt.b (I-Worm.NewApt.b, W32.NewApt.Worm.b, Worm.NewApt.b)
This new variant slightly differs from the original version of NewApt worm. It has a different phone line stings so it calls to different places when the payload is activated. The worm tries to ping-bomb some computer at Microsoft on the 2nd of February 2000 and deactivates itself on 12th of July 2000 unlike the original version. All other functionalities are the same as the worm was compiled from the original NewApt sources.
Variant:NewApt.c (I-Worm.NewApt.c, W32.NewApt.Worm.c, Worm.NewApt.c0
This new variant slightly differs from the original version of NewApt worm. It has a different phone line stings so it calls to different places when the payload is activated. The worm tries to ping-bomb some computer at Microsoft on the 2nd of February 2000 and deactivates itself on 12th of July 2000 unlike the original version. All other functionalities are the same as the worm was compiled from the original NewApt sources.
Variant:NewApt.d 9I-Worm.NewApt.d, W32.NewApt.Worm.d, Worm.NewApt.d)
Size:73728
The NewApt.d worm variant appeared on January 10, 2000. It was sent to several companies from 'sexybitch@porncity.com' email address. This worm variant is slightly different from its earlier versions. It has a bigger list of telephone numbers it calls when the payload it activated. Telephone numbers are also different. Unlike its earlier versions the worm installs itself under one of the following names:
Amateur.exe Bizarre.exe Ebony.exe Hardcore.exe Miscellan.exeBlowjob.exe Fatladies.exeHidcams.exe Mixedbag.exe Shemales.exe Asians.exe Cartoons.exe Fetish.exe Hidcam.exe Gay.exeLesbians.exe Pornstars.exeToys.exe Babes.exe Cumshot.exe Group.exe Mature.exe Pregnant.exe Weird.exe Male.exe
This worm variant shows an aditional link in the message it spreads itself with. The link points to a porno site.