Spreads over email, IRC or AIM.
It sends itself as email with Microsoft Outlook, using the Outlook Address Book.
The form of the email looks like this:
The subject and body are empty.
When the attachment is opened, the worm is copied as Explorer.exe and psecure20x-cgi-install.vers.... in Windows directory and enters the following key in the registry:
The file Email.vbs is dropped in Windows system directory. This is used by the worm to send emails.
Worm/Aphex has its own IRC-Engine and so it can log on open IRC servers.
Aphex switches between various channels and sends a private message to all logged users. The private message has the following contents:
FREE PORN: http://free:firstname.lastname@example.org:8180
If the user clicks on the link, a website is displayed. If the user clicks on the link HERE on the displayed website, a download window opens. If the user chooses the "Open from current place" option, the worm Aphex infects the system.
AOL Instant Messanger (AIM)
If Worm/Aphex has infected your system, it waits for AOL Instant Messanger to be opened. Then, it sends one of the following messages to all users from the contact list:
-I wanted to show you this
-please check out
-hey go to try
-I like this
-have you seen
-btw, download this
followed by a hyperlink (see "IRC-Client"). If the user accesses this link, a website is opened, from which Worm/Aphex can be installed.
說明撰寫者 Crony Walker 開啟 2004年6月15日星期二