W32/Apriful.A Worm
Information about the W32/Apriful.A Worm:
W32/Apriful.A is a mass-mailing worm. It infects Windows systems and spreads through email.
The infected email carries a spoofed 'From' address picked at random from the infected system.
The subject of the infected mail is one of the following:
smallGame
good day:)
it's a joke
little game~~
run it:)
hehe
funny:)
hello
hi
game
The infected attachment is one of the following:
joke.exe
dog.exe
interesting.exe
novel.exe
new_jdk.exe
cat.exe
love.exe
hello.exe
funny.exe
The body of the infected mail is one of the following:
[source]: little game~~
[source]: it's a joke
[source]: run it:)
[source]: hehe
[source]: good day:)
[source]: funny:)
[source]: hello
[source]: smallGame
[source]: hi
[source]: game
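The subject and attachment lists above can be turned into a mail-gateway check. The following is an added example, not part of the original description; the function names are hypothetical, the test messages are constructed, and case-insensitive matching is an assumption.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Subjects and attachment names as listed on this page (lower-cased).
SUBJECTS = {"smallgame", "good day:)", "it's a joke", "little game~~",
            "run it:)", "hehe", "funny:)", "hello", "hi", "game"}
ATTACHMENTS = {"joke.exe", "dog.exe", "interesting.exe", "novel.exe",
               "new_jdk.exe", "cat.exe", "love.exe", "hello.exe", "funny.exe"}


def attachment_names(msg):
    """Lower-cased file names of every MIME part that declares one."""
    return [p.get_filename().strip().lower()
            for p in msg.walk() if p.get_filename()]


def classify(raw):
    """'match': listed subject and listed attachment; 'suspect': listed
    attachment only; 'clean': no listed attachment."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    hits = [n for n in attachment_names(msg) if n in ATTACHMENTS]
    if not hits:
        return "clean"  # subjects such as "hi" are too common to flag alone
    return "match" if subject in SUBJECTS else "suspect"


def sample(subject, filename=None):
    """Build a constructed test message (not a captured worm sample)."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["Subject"] = subject
    m.set_content("constructed body")
    if filename:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for subj, name in [("little game~~", "Dog.exe"), ("Q3 report", "love.exe"),
                       ("hi", None), ("hello", "notes.txt")]:
        print(subj, name, classify(sample(subj, name)))
```

The 'From' header is not used as a signal because the worm spoofs it.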
Upon execution of the infected attachment, the worm copies itself to the Windows System folder under the following file names:
joke.exe
dog.exe
interesting.exe
novel.exe
new_jdk.exe
cat.exe
love.exe
hello.exe
funny.exe
It also drops the following files in the Windows System folder:
watcher.dll
Netchk.dll
Mssys.dll
Sysmsg.dll
atchk.dll
syslogd.dll
The worm modifies the registry at the following location so that it loads at each startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
To propagate itself, the worm gathers email addresses from the Windows Address Book of the infected system.
The worm mails itself to these addresses using its own SMTP engine.
This worm first appeared on 6th April, 2005.
Other names of W32/Apriful.A Worm:
This worm is also known as WORM_APRIFUL.A and W32.Aprilcone.A@mm.