Virus Information:<BR>Date Discovered: 9/3/01<BR>Date Added: 9/3/01<BR>Origin: Unknown<BR>Length: 24576<BR>Type: Virus<BR>SubType: E-mail worm<BR>DAT Required: 4157<P>W32/APost@mm (APost or New Backdoor) worm has been spreading over the past 24 hours through the Microsoft Outlook email program. This is a MEDIUM ON WATCH worm. The infected email can come from addresses that you recognize and may contain the following information:<P>Subject: As per your request!<P>Body: Please find attached file for your review. I look forward to hear from you again very soon. Thank you.<P>Attachment: README.EXE<P>Running the attachment causes the worm to check for the presence of README.EXE in the WINDOWS directory. If one does not exist, the worm copies itself to that directory. Next, it copies whichever README.EXE file is in the WINDOWS directory to the root of all local drives and creates a registry run key to load that program at startup:<P>HKEY_CURRENT_USER\Software\Microsoft\Windows\<BR>CurrentVersion\Run\macrosoft=C:\WINDOWS\readme.exe<P>The worm sends a copy of itself to every entry in the user's Microsoft Outlook Address Book and then displays a small dialog box titled "Urgent!". This dialog box contains one single large button labeled "Open".<P> []http://vil.nai.com/images/99198a.gif[/] <P>If this button is pressed then the worm sends out further copies of itself and then displays an error message box with the title "WinZip SelfExtractor: Warning" and containing the error message "CRC error: 34#".<P> []http://vil.nai.com/images/99198b.gif[/] <P>After the error message box is acknowledged the worm terminates.<P>Removal Instructions:<P>Use the 4157 DAT files (or greater) for detection and removal.<P>Manual Removal Instructions<P> * Delete the registry key:<P> HKEY_CURRENT_USER\Software\Microsoft\Windows\<BR> CurrentVersion\Run\macrosoft<P> Here's how (accidentally removing the wrong information from the Registry can cause damage to your system, take exceptional care whenever working in the Registry editor):<P> - Click START | RUN, type REGEDIT and hit ENTER<BR> - On the left side of the screen, double click on HKEY_CURRENT_USER<BR> - Click the plus sign (+) next to Software<BR> - Click the plus sign (+) next to Microsoft<BR> - Click the plus sign (+) next to Windows<BR> - Click the plus sign (+) next to CurrentVersion<BR> - Click the plus sign (+) next to Run<BR> - On the right side of the screen, highlight the entry "macrosoft" with "C:\WINDOWS\readme.exe" in the data column. Note the "a" in macrosoft<BR> - Press the delete key on the keyboard and confirm the deletion<BR> - Close the registry editor by clicking the plus in the upper right hand corner<P> * Restart the computer<P> * Delete the README.EXE file from the WINDOWS directory as well as from the root directory of all local drives<P>Additional Windows ME Info:<BR>NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.<P>Disabling the Restore Utility<P>1. Right click the My Computer icon on the Desktop.<BR>2. Click on the Performance Tab.<BR>3. Click on the File System button.<BR>4. Click on the Troubleshooting Tab.<BR>5. Put a check mark next to "Disable System Restore".<BR>6. Click the Apply button.<BR>7. Click the Close button.<BR>8. Click the Close button again.<BR>9. You will be prompted to restart the computer. Click Yes.<BR>NOTE: The Restore Utility will now be disabled.<BR>10. Restart the computer in Safe Mode.<BR>11. Run a scan with VirusScan to delete all infected files, or browse the the file's located in the C:\_Restore folder and remove the file's.<BR>12. After removing the desired files, restart the computer normally.<P>NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected file's are removed and the System Restore is once again active.