The following has been derived from information provided by Central Command, Symantec, and Trend Micro.
Virus Characteristics
W32/Appix is an Internet worm that spreads by e-mail, using its own SMTP engine and addresses it collects from the Windows Address Book and The Bat! address book, and through Internet Relay Chat (IRC). It is a non-memory-resident file-infecting worm compiled with Delphi. It prepends itself to files with the following extensions:
.BAT,
.COM,
.CMD,
.EXE,
.SCR,
.PIF,
.MSI,
.PHP,
.PHTML,
located in the current folder, the root of C:\, and in the WINDOWS folder. It also attempts to prepend itself to open files. Finally, it appends eight bytes containing the string "xiv" to the end of each infected file. The e-mail arrives with the following characteristics:
Subject will be one of the following:
A nice Screensaver of
Ein netter Screensaver von
New Version of
Eine neue Version von
Important!:
Wichtig!:
Followed by one of the following:
Pamela Anderson
Angelina Jolie
Anna Kournikova
Porn Screensaver
Sex ScreenSaver
TvTool
Flashget
WarezBoardAccess
Undelivarable Email
Brute Force Tool
The attachment will be one of the following:
PamAnderson.scr
Jolie.scr
AnnaKournikova.scr
XXX.scr
FreeSex.exe
TvTool.exe
FlashGet.exe
WarezBoardAccess.exe
Undelivarablemail.exe
BestTool.exe
vertrag.exe
The email message has a blank message body.
It may also arrive with the following characteristics:
Subject: Application Booster
Message: Try the Free Application Boost Pack, NOW !!!!
Attachments:
Installation Program
Installation Cleanup
Windows 9x/NT/2000 Patch Registry File
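The advisory describes the infection marker only loosely (a prepending infector that appends eight bytes containing "xiv"), which is enough for a triage sweep of the extensions it names. The following Python script is an added example, not code from the advisory or any of the named vendors; it builds a constructed sample tree (no real worm samples) and flags files whose final eight bytes contain the token. The exact layout of the other five trailer bytes is an assumption the script does not rely on, so hits are candidates for a proper anti-virus scan, not verdicts.

```python
import os
import tempfile
from pathlib import Path

# File extensions the advisory lists as infection targets.
TARGET_EXTENSIONS = {".bat", ".com", ".cmd", ".exe", ".scr", ".pif",
                     ".msi", ".php", ".phtml"}

# The advisory says eight bytes containing "xiv" are appended to each infected
# file. The remaining bytes are not documented, so this is a triage heuristic
# (assumption), not the exact infection marker.
TRAILER_LEN = 8
TRAILER_TOKEN = b"xiv"


def has_appix_trailer(path):
    """Return True when the last eight bytes of the file contain the token."""
    size = os.path.getsize(path)
    if size < TRAILER_LEN:
        return False
    with open(path, "rb") as fh:
        fh.seek(size - TRAILER_LEN)
        return TRAILER_TOKEN in fh.read(TRAILER_LEN)


def scan_directory(root):
    """Walk root; return sorted paths of target-extension files carrying the trailer."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() not in TARGET_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            try:
                if has_appix_trailer(full):
                    hits.append(full)
            except OSError:
                # Locked or unreadable files are skipped here; a real sweep
                # should log them rather than treat them as clean.
                continue
    return sorted(hits)


def build_sample_tree(root):
    """Write constructed sample files (not real worm samples) for a dry run."""
    root = Path(root)
    # "infected": an MZ stub followed by the eight-byte trailer containing "xiv"
    (root / "tool.exe").write_bytes(b"MZ" + b"\x00" * 40 + b"\x00\x00xiv\x00\x00\x00")
    # clean target-extension file with no trailer
    (root / "clean.exe").write_bytes(b"MZ" + b"\x00" * 40)
    # token present, but not a target extension, so never scanned
    (root / "notes.txt").write_bytes(b"xiv" * 3)
    return root


def scan_sample():
    """Build the constructed tree in a temp dir and return the flagged basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [os.path.basename(h) for h in scan_directory(tmp)]


if __name__ == "__main__":
    for name in scan_sample():
        print("possible W32/Appix prepend infection:", name)
```

Because the worm prepends itself, the original program is still present after the worm body, which is why vendor tools can repair rather than delete infected files; this script only locates candidates and should be run against the folders the advisory names (current folder, C:\ root, WINDOWS) once the worm's processes have been stopped.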
Upon execution, the worm drops the following files into the WINDOWS folder:
APPBOOST.EXE - a copy of the worm, with its file attributes set to read-only, hidden and system.
APPBOOST.REG - a registry file infector component, responsible for the Control Panel modifications listed below.
APPBOOST.VBS - a Visual Basic Script file infector component of the worm.
APPBSVC.EXE - another copy of the worm.
The worm changes the "[default]" value of the following registry keys to "C:\WINDOWS\\APPBOOST.EXE "%1" %*"", so that the worm is launched whenever a file of one of these types is opened:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command
It will also change the value "[default]" of the two keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
to "regedit.exe /s appboost.reg"
It will add the following values to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce:
"23" = "cmd.exe /c dir /s /b C:\\*.reg > C:\\regs"
"24" = "cmd.exe /c for %x in (%Windows%\\*.reg %Windows%\\System\\*.reg %Windows%\\System32\\*.reg) do @copy \"%x %y\" + %windir%\\appboost.reg \"%x %y\" /y"
"25" = "cmd.exe /c for /F \"tokens=1*\" %x in (C:\\regs) do @copy \"%x %y\" + %windir%\\appboost.reg \"%x %y\" /y"
"26" = "regedit.exe /s appboost.reg"
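The registry changes above are the worm's persistence and re-infection mechanism, so they are the first thing to verify on a suspect host. The following Python code is an added example and not part of the advisory or any vendor tool: it parses the text of a registry export (the REGEDIT4 / "Windows Registry Editor" format that regedit /e produces) and reports the indicators listed on this page, including the HKEY_CURRENT_USER\Software\Microsoft\Mails address cache described later on. The export embedded below is constructed for the demonstration, with one clean handler (txtfile) as a control.

```python
import re

# Registry locations the advisory lists, compared case-insensitively.
HIJACKED_HANDLERS = {
    rf"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{t}file\shell\open\command".lower()
    for t in ("bat", "com", "cmd", "exe", "pif", "scr")
}
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runservices",
}
RUNONCE_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runonce"
MAILS_KEY = r"hkey_current_user\software\microsoft\mails"

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg escaping: a backslash escapes the character that follows it."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor' export into {key: {name: data}}.

    Keys are lower-cased and the default value is stored under "@". Quoted
    REG_SZ data is unescaped; other value types are kept as their raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith(("REGEDIT", "Windows Registry")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            name = "@" if name == "@" else _unescape(name[1:-1])
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_appix_indicators(keys):
    """Return human-readable findings for the W32/Appix registry changes."""
    findings = []
    for key, values in keys.items():
        default = values.get("@", "")
        if key in HIJACKED_HANDLERS and "appboost.exe" in default.lower():
            findings.append(f"file-type handler hijacked: {key} -> {default}")
        if key in RUN_KEYS and "appboost.reg" in default.lower():
            findings.append(f"autorun default re-imports dropped .reg: {key} -> {default}")
        if key == RUNONCE_KEY:
            for name, data in values.items():
                low = data.lower()
                if "appboost.reg" in low or "c:\\regs" in low:
                    findings.append(f"RunOnce staging entry {name}: {data}")
        if key == MAILS_KEY:
            findings.append(f"harvested-address cache present ({len(values)} entries)")
    return findings


# Constructed sample export (not a capture from an infected host). The exefile,
# Run and RunOnce lines reproduce the advisory's values; txtfile is a clean control.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\APPBOOST.EXE \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@="regedit.exe /s appboost.reg"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"23"="cmd.exe /c dir /s /b C:\\*.reg > C:\\regs"
"26"="regedit.exe /s appboost.reg"

[HKEY_CURRENT_USER\Software\Microsoft\Mails]
"user1@example.invalid"="23523"
'''

if __name__ == "__main__":
    for finding in find_appix_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

To run this against a real host, export the relevant hives with regedit /e on the suspect machine and pass the file's text to parse_reg_export (Windows 2000 writes the export as UTF-16LE, Windows 9x as ANSI, so decode accordingly). Note that restoring the exefile handler is what makes the repair safe: while it still points at APPBOOST.EXE, launching any .EXE, including a cleaning tool, re-runs the worm.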
The worm creates a service called "Application Boost Service".
The worm attempts to disable anti-virus and firewall programs by terminating services and processes with the following names:
NTIVIR
AVP32
AVPCC
NOD32
NPSSVC
NRESQ32
NSCHED32
NSCHEDNT
NSPLUGIN
NAV
NAVA
PSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
AVPM
ALERTSVC
AMON
AVP32
AVPCC
AVPM
N32SCANW
NAVWNT
ANTIVIR
AVPUPD
AVGCTRL
AVWIN95
SCAN32
VSHWIN32
F-STOPW
F-PROT95
ACKWIN32
VETTRAY
SWEEP95
PCCWIN98
IOMON98
AVPTC
AVE32
AVCONSOL
FP-WIN
DVP95
F-AGNT95
CLAW95
NVC95
SCAN
VIRUS
LOCKDOWN2000
NORTON
MCAFEE
ANTIVIR
FIREWAL
VET95
SAFEWEB
WEBSCANX
ICMON
CFINET
AVP.EXE
ZONEALARM
AMON.EXE
PCCIOMON
PCCMAIN
POP3TRAP
WEBTRAP
AVSYNMGR
NMAIN
LUALL
LUCOMSERVER
IAMAPP
ATRACK
IAMSERV
PCFWALLICON
TDS2-98
TDS2-NT
VSECOMR
NISSERV
NISUM
F-PROT
AOL
The worm searches the registry to determine whether mIRC is installed. If it is found, the worm modifies MIRC.INI so that it sends itself to other mIRC users who join the same channel as the infected computer.
The worm searches for email addresses in files with the following extensions:
.ABD,
.DOC,
.DOT,
.HTM,
.LOG,
.RTF,
.TBB,
.TXT,
.WAB.
It creates a registry key named "HKEY_CURRENT_USER\Software\Microsoft\Mails" to hold all the email addresses it finds in the following format:
<email address 1> 23523
<email address 2> 23523
It will change the following Control Panel registry settings:
HKEY_USERS\.DEFAULT\Control Panel\Colors
"Scrollbar" = "127 127 127"
"Background" = "0 0 0"
"ActiveTitle" = "0 255 0"
"InactiveTitle" = "0 0 0"
"Menu" = "0 0 0"
"Window" = "0 0 0"
"WindowFrame" = "0 0 0"
"MenuText" = "0 255 0"
"WindowText" = "0 255 0"
"TitleText" = "0 0 0"
"ActiveBorder" = "0 0 0"
"InactiveBorder" = "0 0 0"
"AppWorkSpace" = "0 0 0"
"Hilight" = "0 0 0"
"HilightText" = "0 255 0"
"ButtonFace" = "0 0 0"
"ButtonShadow" = "0 0 0"
"GrayText" = "0 0 0"
"ButtonText" = "0 255 0"
"InactiveTitleText" = "0 255 0"
"ButtonHilight" = "127 127 127"
"ButtonDkShadow" = "64 64 64"
"ButtonLight" = "0 0 0"
"InfoText" = "0 0 0"
"InfoWindow" = "0 255 0"
"ButtonAlternateFace" = "181 181 181"
"HotTrackingColor" = "0 255 0"
"GradientActiveTitle" = "0 0 0"
"GradientInactiveTitle" = "0 255 0"
This worm exploits a vulnerability that automatically executes the attachment in HTML format email when the message is either viewed or previewed in Microsoft Outlook and Outlook Express. More information on this vulnerability is available in the Microsoft article "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" available at the following location:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Payload
Mass mailer
Registry modifications
Modification of system files
Attempts to stop Anti-virus services
Propagation through mIRC
Preventative Measures
Ensure that the following extensions are being blocked at the email gateway:
.EXE
.SCR
Ensure that all security patches have been applied.
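The e-mail characteristics listed under Virus Characteristics and the gateway block list above combine into a simple mail filter. The following Python code is an added example, not part of the advisory or of any vendor product: it inspects a message with the standard email module, blocks the .EXE and .SCR extensions the advisory names, flags the listed subjects and attachment names, and, as a heuristic for the MS01-020 pattern, flags an executable file name that is delivered under a MIME type other than application/*. The three messages it checks are constructed samples, not captures.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Gateway block list from the advisory's Preventative Measures.
BLOCKED_EXTENSIONS = {".exe", ".scr"}
# Extensions the worm infects; used for the MIME-type consistency check.
EXECUTABLE_EXTENSIONS = {".bat", ".com", ".cmd", ".exe", ".scr", ".pif", ".msi"}
# Subject openings listed in the advisory (the fixed part before the lure name).
SUBJECT_PREFIXES = (
    "A nice Screensaver of", "Ein netter Screensaver von", "New Version of",
    "Eine neue Version von", "Important!:", "Wichtig!:", "Application Booster",
)
# Attachment names listed in the advisory, kept verbatim (including the worm's typo).
KNOWN_ATTACHMENTS = {
    "pamanderson.scr", "jolie.scr", "annakournikova.scr", "xxx.scr", "freesex.exe",
    "tvtool.exe", "flashget.exe", "warezboardaccess.exe", "undelivarablemail.exe",
    "besttool.exe", "vertrag.exe",
}


def assess_message(raw):
    """Return a list of reasons to quarantine the message; an empty list means no match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = msg.get("Subject", "")
    if subject.startswith(SUBJECT_PREFIXES):
        reasons.append(f"subject matches W32/Appix pattern: {subject!r}")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        ctype = part.get_content_type()
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment extension {ext}: {name}")
        if name in KNOWN_ATTACHMENTS:
            reasons.append(f"known W32/Appix attachment name: {name}")
        # MS01-020 pattern (heuristic, assumption): an executable file name carried
        # under a MIME type that a mail client would otherwise render inline.
        if ext in EXECUTABLE_EXTENSIONS and not ctype.startswith("application/"):
            reasons.append(f"MIME type {ctype} inconsistent with executable name {name}")
    return reasons


def build_sample(subject, filename, content_type, inline=False):
    """Construct a sample message (not a real capture) with a blank body and one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("")  # blank body, as the advisory describes
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(b"MZ\x90\x00", maintype=maintype, subtype=subtype, filename=filename,
                       disposition="inline" if inline else "attachment")
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("A nice Screensaver of Pamela Anderson", "PamAnderson.scr", "application/octet-stream"),
        build_sample("Application Booster", "setup.exe", "audio/x-wav", inline=True),
        build_sample("Quarterly figures", "figures.txt", "text/plain"),
    ]
    for raw in samples:
        print(assess_message(raw) or ["clean"])
```

The extension block is the control that stops this worm regardless of subject line, so it is applied before the name-based checks; the subject and file-name lists only add attribution for the incident record. The MIME consistency check is deliberately broad and will also flag poorly formed legitimate mail, so treat it as a quarantine reason rather than a silent drop.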
Fixes Available
Symantec:
Virus Definitions (Intelligent Updater) October 31, 2002
Virus Definitions (LiveUpdate) November 6, 2002
Trend:
Pattern File: 374
Scan Engine: 5.200