When the worm's file is run it shows a messagebox with one big
button labeled 'Open' and 'Urgent' as caption.
After a user clicks 'Open' button, the worm shows a fake error
WinZip SelfExtractor: Warning
CRC error: 234#21
Then the worm checks if it is already installed in a system. It
looks for README.EXE file in \Windows\ folder and creates it if
it's not there. The worm then modifies the Registry - it adds
'macrosoft' subkey to the current user's application autostartup
The 'macrosoft' subkey contains a full path for the worm's file.
For example if Windows is installed with default settings, the
subkey value will be 'c:\windows\readme.exe'. This way the worm
starts every time when Windows is loaded.
The worm also copies itself as README.EXE to root directories of
all drives that are available for writing (local and network
drives where current user has write access).
Finally the worm connects to Microsoft Outlook, gets user's mail
server login and password and sends itself to all e-mail
addresses found in Outlook's address book. The infected message
looks like that:
Subject: As per your request!
Body: Please find attached file for your review.
I look forward to hear from you again very soon.
The worm's file is attached to an infected message as README.EXE
file. It will infect a remote computer only when a recepient runs
Infected messages are deleted after they are sent.
Instructions for manual removing: To remove this worm from a
system it's enough to delete its file (README.EXE) from \Windows\
folder and from root directories of all drives that an infected
computer has access to. If the worm's file is locked, it is
advised to delete it from pure DOS or in case of Windows NT/2000
rename the file with a non-executable extension, reboot a system
and then delete the previously renamed worm's file.
F-Secure Anti-Virus detects Apost worm with the updates available here:
[Analysis: Alexey Podrezov, Katrin Tocheva; F-Secure Corp.; September 3, 2001]