New Worm Targets Outlook E-Mail and AIM Users

Security software maker Symantec is warning of a new worm that uses the blended threat technique found in other recent worms. The worm comes in two forms, W32.Aphex@mm and W32.Aplore@mm. Its primary function is to mass-mail itself via a Microsoft Outlook address book, but it also uses IRC and AOL Instant Messenger (AIM) to propagate.

Symantec Security Response rates viruses and worms on a 1-to-5 scale, according to how serious the threat is, with 5 the most serious. Aphex/Aplore has received a rating of 2 at this point, and Symantec Security Response has received 25 submissions containing at least one form of the worm. The e-mail attachment that spreads the worm via Microsoft Outlook has the following name: Psecure20x-cgi-install.version.6.01.bin.hx.com. The subject line and body of an infected message will contain a period only—no text.

If an infected machine connects to AIM, the worm sends one of the following one-line messages to AIM users listed as contacts:

• btw, download this
  • I wanted to show you this
  • please check out
  • hey go to
  • see if you can get this to work
  • this is cool
  • tell me what you think about
  • try this
  • I almost forgot about
  • I like this
  • What about
  • Have you seen
  • Interesting
  • lol
  • wow
  • whoa
  • neat
  • cool
  • hmm
  • psst
  • hehe
  • haha
  • silly
  • weird
    MessageLabs (www.messagelabs.com), which operates a virus/worm tracking service called VirusEye, did not show Aphex/Aplore among its top ten viruses and worms as of Wednesday morning, but the fact that the worm propagates in blended forms—across e-mails and instant messages—could allow it to spread quickly.
    More details about how the worm spreads are available here. Information on how to remove the worm and adjust changes it makes to a systems registry is also is available at this page.