W32.NewApt.Worm

W32.NewApt.Worm is a multithreaded worm that propagates by email. The subject of the email is "Just for your eyes." The worm has its own SMTP (email) engine to email itself. The worm searches various files on the hard disk to find email addresses to which it sends itself.

Also Known As: Worm.NewApt, I-Worm.NewApt.a [Kaspersky], W32/NewApt.worm.gen@MM [McAfee], WORM_NEWAPT.A [Trend], W32/NewApt-A [Sophos], Win32.NewApt.Family [Computer Associates]
Type: Worm
Infection Length: 69,632 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

Damage
- Payload Trigger: December 25, 1999
- Payload: Attempts to make a connection to a corporate web site.
- Large scale e-mailing: The worm attempts to email itself to others by using addresses found within MS Mail, MS Outlook, Netscape Navigator, and other Internet-related programs.
Distribution
- Subject of email: Just for your eyes
- Name of attachment: The name of the attached file can vary. Some of the known file names are: g-zilla.exe, cooler3.exe, cooler1.exe, copier.exe, video.exe, pirate.exe, goal1.exe, hog.exe, party.exe, saddam.exe, monica.exe, boss.exe, farter.exe, cheeseburst.exe, panther.exe, theobbq.exe, goal.exe, baby.exe, bboy.exe, cupid2.exe, fborfw.exe, casper.exe, irnglant.exe, and gadget.exe.
- Size of attachment: 69,632 bytes
- Target of infection: System registry

The worm sends an email message that contains one of the two following messages, depending on HTML support in the email client.
HTML-compatible email clients
http://stuart.messagemates.com/index.html
Hypercool Happy New Year 2000 funny
programs and animations...
We attached our recent animation from
this site in our mail! Check it out!
Non-HTML-compatible email clients
he, your lame client cant read HTML, haha.
click attachment to see some stunningly
HOT stuff
When the attached file is executed it displays the following error message:

The worm adds the following registry key so that it loads each time that the computer is restarted:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\tpawen
The worm appears to have a payload that triggers at midnight on Dec 25, 1999. When the payload activates, it attempts to make a connection (and disconnect after a successful connection) to a specific corporate Web site on port 80 (HTTP) every three seconds. The owner of this corporate Web site has been notified. Please note the worm modifies the registry to enable autodial. This modification allows connections to the Internet to occur automatically.
On June 12, 2000, the worm tries to remove itself from the registry when certain other conditions are met. These conditions depend upon random calculations and may not always occur.
The D version of this worm, which appeared January 10, 2000, contains file names that refer to sexual orientations or acts. This version connects and sends hard-core porn pictures related to children and animals, and was originally sent to business addresses.
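As an added example that is not part of the Symantec writeup, the following Python script checks a mail message against the delivery indicators listed above: the subject line, the known attachment names, the 69,632-byte attachment size and the text of the two message bodies. The sample message it builds is constructed test data, not a captured worm mail, and the function and constant names are this example's own.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the writeup: subject, attachment names and size, body text.
NEWAPT_SUBJECT = "just for your eyes"
NEWAPT_SIZE = 69632
NEWAPT_NAMES = {
    "g-zilla.exe", "cooler3.exe", "cooler1.exe", "copier.exe", "video.exe",
    "pirate.exe", "goal1.exe", "hog.exe", "party.exe", "saddam.exe",
    "monica.exe", "boss.exe", "farter.exe", "cheeseburst.exe", "panther.exe",
    "theobbq.exe", "goal.exe", "baby.exe", "bboy.exe", "cupid2.exe",
    "fborfw.exe", "casper.exe", "irnglant.exe", "gadget.exe",
}
NEWAPT_BODY_PHRASES = ("stuart.messagemates.com", "your lame client cant read html")

def newapt_indicators(raw: bytes) -> list[str]:
    """Return the NewApt indicators found in one RFC 822 message (raw bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == NEWAPT_SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name in NEWAPT_NAMES:
            hits.append("attachment-name:" + name)
            if len(part.get_payload(decode=True) or b"") == NEWAPT_SIZE:
                hits.append("attachment-size")
        elif part.get_content_maintype() == "text":
            body = part.get_content().lower()
            hits.extend("body:" + p for p in NEWAPT_BODY_PHRASES if p in body)
    return hits

def is_newapt(raw: bytes) -> bool:
    """Match when the worm's subject appears together with at least one attachment or body indicator."""
    hits = newapt_indicators(raw)
    return "subject" in hits and len(hits) > 1

def build_sample(subject="Just for your eyes", name="cooler3.exe", size=NEWAPT_SIZE):
    """Constructed test message mimicking the worm's non-HTML variant; not a real capture."""
    m = EmailMessage()
    m["Subject"] = subject
    m["To"] = "recipient@example.invalid"
    m.set_content("he, your lame client cant read HTML, haha.\nclick attachment to see some stunningly\nHOT stuff\n")
    # Fake executable body: an MZ header padded to the requested size.
    m.add_attachment(b"MZ" + b"\0" * (size - 2), maintype="application",
                     subtype="octet-stream", filename=name)
    return m.as_bytes()
```

Run it over a mailbox export or at a gateway hook by passing each message's raw bytes to is_newapt.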

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
- Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
- If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
- Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
- Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Follow the instructions in each section.
Remove files in Safe mode
Please follow these steps to remove the files that the worm has placed on the computer:
- Restart the computer in Safe mode.
  - Windows 95
    - Exit all programs, and then shut down the computer.
    - Turn off the power and wait 30 seconds. You must turn off the power to remove the virus from memory. Do not use the reset button.
    - When you see the "Starting Windows 95" message, press F8.
    - Type the number for Safe mode, then press Enter.
  - Windows 98
    - Click Start, and click Run.
    - Type msconfig and then click OK. The System Configuration Utility dialog box appears.
    - Click the General tab, and click Advanced.
    - Check Enable Startup Menu, click OK, and then OK again.
    - Exit all programs, and shut down the computer.
    - Turn off the power, and wait 30 seconds. You must turn off the power to remove the virus from memory. Do not use the reset button.
    - Immediately press and hold down the Ctrl key.
    - Type the number for Safe mode, and then press Enter.
- Click Start, point to Find, and click Files or Folders.
- Make sure that Look In points to the drive on which your Temp folder is located. In most cases, this is drive C.
- In the Named box, type the following and then press Enter:
  *.tmp
- In the Results pane, select all of the displayed files and then press Delete. Click Yes to confirm.
  NOTE: If many files have been found, select them all by clicking the File menu and then clicking Select All.
- Close the Find All Files window.
- Empty the Recycle Bin.
Edit the registry
Please follow these steps to undo the changes that the worm has made to the Windows registry:
CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see How to back up the Windows registry, before proceeding.
- Click Start, and click Run. The Run dialog box appears.
- Type regedit and then click OK. The Registry Editor opens.
- Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right pane, locate and select the following value:
tpawen
- Press Delete, and then click Yes to confirm.
- Exit the Registry Editor.
Restart and scan
- Restart the computer and allow it to start Windows. This will likely take longer than it normally would.
- Start Norton AntiVirus (NAV), and run LiveUpdate to make sure that you have the most recent definitions.
- Run a full system scan and delete any files that NAV finds are infected.