TUCoPS :: Malware :: aplore.txt

W32.Aplore@mm virus

1) What is the W32.APLORE@mm Virus?

The W32.APLORE@mm Virus (APLORE for short) is a virus that spreads using
IRC (Internet Relay Chat), Outlook Express, or AIM (AOL Instant Messenger).
It tries to trick you into downloading and running it. If you do run it,
it goes through your computer, creating files and editing the registry
so that it runs again when you restart your computer.

2) How do you spot the APLORE Virus?

I. When you are on IRC

Okay, let's say that you're chatting on IRC. Suddenly, a window pops up
from somebody that you don't know, and it has a link on it. You're
curious, so you click it. Then you find out that your browser doesn't have
the correct plugin to view this page, so it offers you one to download and
run, so that you can see this nice page. You download and run it, but you
can't see the page. The next thing you know, you're kicked off your IRC
server with a message saying that you are infected! (This doesn't happen
with every server, by the way.)

Now, to be sure that you are not downloading this virus, make certain that
your browser is not displaying the following:

Browser Plugin Required:

You may need to restart your browser for changes to take affect.
Security Certificate by Verisign 2002.
MD5: 9DD756AC-80E057FC-E00703A2-F801F2E3

Click HERE and choose "Run" to install.

If it does display this, just don't download it. Leave it alone completely.

II. Inside your e-mail

You're checking your e-mail one day. You get a curious message that has a period
(.) as both the subject and the message body. It also comes with an attachment
labeled "Psecure20x-cgi-install.version.6.01.bin.hx.com". Do not open it. If
you do, you will see something similar to the HTML described in the
previous section. Again, do not run it at all. Delete the infected e-mail.

III. On AOL Instant Messenger

If you get an instant message with one of the following lines with a URL after
it, be very careful and do not click the link:

btw, download this,
I wanted to show you this,
please check out,
hey go to,
see if you can get this to work,
this is cool,
tell me what you think about,
try this,
I almost forgot about,
I like this,
what about,
have you seen,

If you do click on the link, the same HTML message will appear as described two
sections ago. Ignore the message and don't download / run any of it. This kind
of thing is also on Yahoo Chat (chat.yahoo.com) so just be careful.
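The lure phrases from section III and the attachment name from section II are enough to flag suspicious lines in a saved chat or mail log. This is an added example, not part of the original writeup; the log format ("sender: message") and the sample lines are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Lure lead-ins quoted in section III of the writeup, lowercased for matching.
LURE_PREFIXES = (
    "btw, download this", "i wanted to show you this", "please check out",
    "hey go to", "see if you can get this to work", "this is cool",
    "tell me what you think about", "try this", "i almost forgot about",
    "i like this", "what about", "have you seen",
)
# Attachment name quoted in section II of the writeup.
APLORE_ATTACHMENT = "psecure20x-cgi-install.version.6.01.bin.hx.com"
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)


def classify_message(text: str) -> Optional[str]:
    """Return a reason if the message looks like an APLORE lure, else None.

    A lure is a known phrase at the start of the message followed by a URL,
    or any mention of the worm's attachment name.
    """
    lowered = text.strip().lower()
    if APLORE_ATTACHMENT in lowered:
        return "known APLORE attachment name"
    url = URL_RE.search(lowered)
    if url is None:
        return None  # no link, so nothing to click on
    lead = lowered[:url.start()].strip()
    for prefix in LURE_PREFIXES:
        if lead.startswith(prefix):
            return "lure phrase '%s' followed by a URL" % prefix
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, sender, reason) for each suspicious 'sender: message' line."""
    hits = []
    for number, line in enumerate(lines, 1):
        sender, _, message = line.partition(": ")
        reason = classify_message(message)
        if reason:
            hits.append((number, sender, reason))
    return hits


# Constructed sample log (hypothetical senders and URLs, not real data).
SAMPLE_LOG = [
    "buddy42: hey go to http://example.invalid/cool.html",
    "friend: what about lunch tomorrow?",
    "stranger7: I wanted to show you this www.example.invalid/page",
    "friend: see you at 8",
]
```

Running scan_log(SAMPLE_LOG) flags lines 1 and 3; line 2 starts with a lure phrase but carries no URL, so it is left alone.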

3) Removing the bugger

First, I recommend that you get some antivirus tools and utilities. Norton Antivirus
(www.symantec.com) is pretty good at getting rid of the virus. Some other good tools
are Swat-It and NetSpyHunter. These should delete the base files, such as the hidden
Explorer.exe in your Windows\System folder and the main file
Psecure20x-cgi-install.version.6.01.bin.hx.com. Yet even though these and a couple
of other files have been deleted, we still need to edit the registry just to be
completely sure that it's gone.

To do this, open up C:\windows\regedit.exe. You should back up your registry there in
case you make a mistake. Go through
HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run and then delete the
value that says %SYSTEM%\Explorer.exe (where %SYSTEM% is usually your Windows system

Now when you're done with that, run a system scan and delete anything that is detected
as W32.APLORE@mm. The virus should be destroyed.

4) Extra info about the APLORE

The APLORE goes by all of the following names:
W32.Aphex@mm, Bloodhound.VBS.Worm, I-Worm.Aphex, W32/Aplore-A, W32/Aplore@MM,
Win32.Aphex, WORM_APLORE.A

The virus is a worm.

The length of the virus is 319,488 bytes.


Researched and written by Zell_1388

