Classification

Category :

Malware

Type :

-

Aliases :

NewApt, I-Worm.NewApt, W32.NewApt.Worm, Worm.NewApt

Summary

The NewApt worm appeared in the middle of December 1999. The worm itself is a Windows PE executable file about 70Kb long. It is transferred via the Internet in email messages as an attachment.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The name of the attached worm copy is randomly selected from 26 variants:

panther.exefarter.exe
gadget.exe boss.exe
irngiant.exe

 monica.exe
casper.exe saddam.exe
fborfw.exe party.exe
cupid2.exe hog.exe
party.exe
goal1.exe
bboy.exe
 pirate.exe
baby.exe
 video.exe
goal.exe
 copier.exe
theobbq.execooler1.exe
panthr.exe cooler3.exe
chestburst.exe
 g-zilla.exe

The infected message's subject is "Just for your eyes". Other subject variants are possible: in some cases the worm puts "Re:" to the subject line and adds some text there.

The message body contains lines in plain text format:

he, your lame client cant read HTML, haha.
click attachment to see some stunningly HOT stuff

as well as in HTML format:

Hypercool Happy New Year 2000 funny programs and animations...
We attached our recent animation from this site in our mail! Check it out!

When the infected message is received, one of the above texts is displayed depending on whether recepient's email browser supports HTML email format or not.

When the attached executable is run by a user the worm gets control and installs itself to the system. It copies itself with its current name (as the worm arrived in email) to Windows directory and registers this copy in system registry in "Run=" section:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run
'tpawen' = 'C:\WINDOWS\PANTHER.EXE /x'

Note that the worm's name (here it is "PANTHER") is not always the same and can be randomly selected by the worm (see the list above).

To hide its activity the worm displays a fake error message:

The second line is the above messagebox is the infected system's Windows system directory name, 'Path' and 'SystemRoot' system variables.

Then the worm registers itself as a service process (not visible in the task list) and stays memory resident as a hidden application. The worm's main routines (there are two ones working in the background) then periodically scan hard drives for Internet-related files (MS Mail, Outlook Express, Netscape Navigator and other files), open these files, get Internet addresses from there and send worm copies to these addresses.

Starting from 12th of June, 2000 the worm removes "Run=" string from system Registry and does not install itself to system any more. So, this worm's life-time is limited by that date. But copies of the worm left in a system after 12th of June may activate again if system date is set incorrectly.

From 00:00 starting on 26th of December the worm tries to connect to remote computer somewhere at Microsoft each 3 seconds. This is most likely done to ping-bomb the server.

Depending on its counters and some other conditions the worm tries to call phone numbers randomly selected from its internal list. These numbers seem to belong to some company.

It should be also noted that the worm attempts to disguise itself as one of the MessageMates - amusing animations created to be sent to people on various occasions. The MessageMates' website now has a warning about the worm.

Variant:NewApt.b (I-Worm.NewApt.b, W32.NewApt.Worm.b, Worm.NewApt.b)

This new variant slightly differs from the original version of NewApt worm. It has a different phone line stings so it calls to different places when the payload is activated. The worm tries to ping-bomb some computer at Microsoft on the 2nd of February 2000 and deactivates itself on 12th of July 2000 unlike the original version. All other functionalities are the same as the worm was compiled from the original NewApt sources.

Variant:NewApt.c (I-Worm.NewApt.c, W32.NewApt.Worm.c, Worm.NewApt.c0

This new variant slightly differs from the original version of NewApt worm. It has a different phone line stings so it calls to different places when the payload is activated. The worm tries to ping-bomb some computer at Microsoft on the 2nd of February 2000 and deactivates itself on 12th of July 2000 unlike the original version. All other functionalities are the same as the worm was compiled from the original NewApt sources.

Variant:NewApt.d 9I-Worm.NewApt.d, W32.NewApt.Worm.d, Worm.NewApt.d)

Size:73728

The NewApt.d worm variant appeared on January 10, 2000. It was sent to several companies from 'sexybitch@porncity.com' email address. This worm variant is slightly different from its earlier versions. It has a bigger list of telephone numbers it calls when the payload it activated. Telephone numbers are also different. Unlike its earlier versions the worm installs itself under one of the following names:

Amateur.exe
Bizarre.exe
Ebony.exe

Hardcore.exe
Miscellan.exeBlowjob.exe
Fatladies.exeHidcams.exe
Mixedbag.exe Shemales.exe
Asians.exe
 Cartoons.exe
Fetish.exe
 Hidcam.exe
Gay.exeLesbians.exe
Pornstars.exeToys.exe
Babes.exe

Cumshot.exe
Group.exe

Mature.exe
Pregnant.exe Weird.exe
Male.exe

This worm variant shows an aditional link in the message it spreads itself with. The link points to a porno site.