Readme.exe

Readme.exe Description

Readme.exe is a malicious executable and the main component of the mass-mailing worm W32.Apost@mm. When the W32.Apost@mm file is run, it displays a message box captioned 'Urgent' that contains a single large button labelled 'Open'. After the user clicks 'Open', W32.Apost@mm shows a fake error message titled 'WinZip SelfExtractor: Warning' with the text 'CRC error: 234#21'. W32.Apost@mm then checks whether it is already installed: it looks for Readme.exe in the Windows folder and creates the file if it does not exist. Readme.exe then modifies the registry, adding a value named 'macrosoft' to the current user's autostart (Run) key; the 'macrosoft' value holds the full path of the W32.Apost@mm file, so the worm is launched again at every logon of that user.

W32.Apost@mm also copies itself as Readme.exe to every drive the current user can write to (local drives and network drives where the user has write access). Finally, Readme.exe connects to Microsoft Outlook, obtains the user's mail server login and password, and mails a copy of itself, attached as Readme.exe, to every email address found in the Outlook address book. A remote computer is infected only when the recipient runs the malicious attachment. The infected messages are deleted after they are sent, which hides the mailing from the user. Because the worm also drops copies on writable network shares, those shares should be checked as well when cleaning an infected host. Readme.exe should be deleted immediately upon detection to prevent a W32.Apost@mm infection.

Technical Information

File System Details

Readme.exe creates the following file(s). Paths use placeholders for standard Windows folders (%Windir%, %System%, %ProgramFiles%, %Temp%, %UserProfile%, %Programs%, %CommonPrograms%); expand them for the account and installation being examined.

1. c:\readme.exe
2. %ProgramFiles%\dwimn\readme.exe
3. %ProgramFiles%\monrs\readme.exe
4. %ProgramFiles%\versekulo\src.dll
5. %Programs%\startup\massacre.exe
6. %Temp%\ir_ext_temp_0\autoplay\docs\readme.exe
7. %Temp%\skmw\readme.exe
8. %System%\cdd\readme.exe
9. %Windir%\ampatuan.exe
10. %Windir%\k.exe
11. %Windir%\p2p.exe
12. %Windir%\regangen.exe
13. c:\kernel32.exe
14. %ProgramFiles%\cinvig\readme.exe
15. %ProgramFiles%\microsoft update\readme.exe
16. %ProgramFiles%\versekulo\readme.exe
17. %ProgramFiles%\wssin\readme.exe
18. %CommonPrograms%\startup\readme.exe
19. %Temp%\readme.exe
20. %System%\angen.exe
21. %System%\serial.exe
22. %Windir%\freegames2008.exe
23. %Windir%\mswinxpa_sp3upd.exe
24. %Windir%\readme.exe
25. %Windir%\winamp.exe
26. c:\67readme.exe
27. %UserProfile%\readme.exe
28. %ProgramFiles%\kernel32.exe
29. %ProgramFiles%\skmw\readme.exe
30. %ProgramFiles%\versekulo\verse.exe
31. %CommonPrograms%\startup\office_viewer.exe
32. %Temp%\ixp000.tmp\readme.exe
33. %System%\ampatuan.exe
34. %System%\readme.exe
35. %Windir%\er.exe
36. %Windir%\message_helpme.exe
37. %Windir%\pussy_massacre.exe
38. %Windir%\virus_remover.exe

Registry Details

Readme.exe creates the following registry entry:

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: "macrosoft" = "C:\Windows\readme.exe"

This is the per-user Run key, so the entry lives under the profile of whichever user ran the attachment and the worm starts at that user's logon; other profiles on the same machine should be checked for the same value.
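The script below is an added example, not code from the original page or from any vendor's removal tool. It turns the file list and the registry entry above into a triage check: it expands the %Var% placeholders used in the file list, parses the output of `reg query` on the HKCU Run key to look for the 'macrosoft' value (and any other Run value that launches a readme.exe), and reports which indicators are present. The mapping of placeholders to folders, the sample `reg query` output and the sample environment for a hypothetical user 'alice' are constructed here for illustration; only the Run key, the value name 'macrosoft' and the file paths come from the page.

```python
"""Triage check for the W32.Apost@mm indicators listed on this page.

Added example: expands the page's %Var% path placeholders, parses a
`reg query` dump of the HKCU Run key, and reports matching indicators.
"""
import os
import re
import subprocess

# Persistence indicator from the page's Registry Details.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "macrosoft"

# Subset of the page's File System Details list.
FILE_INDICATORS = [
    r"c:\readme.exe",
    r"%Windir%\readme.exe",
    r"%System%\readme.exe",
    r"%Temp%\readme.exe",
    r"%UserProfile%\readme.exe",
    r"%CommonPrograms%\startup\readme.exe",
    r"%Programs%\startup\massacre.exe",
]

# Constructed placeholder-to-folder mapping for a hypothetical user 'alice'.
SAMPLE_ENV = {
    "Windir": r"C:\Windows",
    "System": r"C:\Windows\System32",
    "Temp": r"C:\Users\alice\AppData\Local\Temp",
    "UserProfile": r"C:\Users\alice",
    "Programs": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs",
    "CommonPrograms": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs",
}

# Constructed `reg query` output: the page's Run value next to a benign entry.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    macrosoft    REG_SZ    C:\Windows\readme.exe
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

_PLACEHOLDER = re.compile(r"%([A-Za-z]+)%")
# `reg query` separates value name, type and data with runs of spaces.
_REG_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def expand_placeholders(path, env):
    """Replace %Name% tokens (case-insensitive); unknown ones are left intact."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _PLACEHOLDER.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def parse_reg_query(output):
    """Parse the text `reg query <key>` prints into {value_name: data}."""
    values = {}
    for line in output.splitlines():
        m = _REG_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values


def find_apost_indicators(env, reg_output, exists=os.path.exists):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    for indicator in FILE_INDICATORS:
        full = expand_placeholders(indicator, env)
        if "%" in full:
            continue  # unresolved placeholder: do not guess a path
        if exists(full):
            findings.append("file present: " + full)
    values = parse_reg_query(reg_output)
    if RUN_VALUE_NAME in values:
        findings.append("Run value %r -> %s" % (RUN_VALUE_NAME, values[RUN_VALUE_NAME]))
    # Also flag any other Run value whose target is a readme.exe.
    for name, data in values.items():
        if name != RUN_VALUE_NAME and data.strip('"').lower().endswith(r"\readme.exe"):
            findings.append("suspicious Run value %r -> %s" % (name, data))
    return findings


def windows_env():
    """Build the placeholder mapping from the live environment (assumed folder layout)."""
    windir = os.environ.get("WINDIR", r"C:\Windows")
    start_menu = r"Microsoft\Windows\Start Menu\Programs"
    return {
        "Windir": windir,
        "System": os.path.join(windir, "System32"),
        "Temp": os.environ.get("TEMP", ""),
        "UserProfile": os.environ.get("USERPROFILE", ""),
        "ProgramFiles": os.environ.get("PROGRAMFILES", ""),
        "Programs": os.path.join(os.environ.get("APPDATA", ""), start_menu),
        "CommonPrograms": os.path.join(os.environ.get("PROGRAMDATA", r"C:\ProgramData"), start_menu),
    }


if __name__ == "__main__":
    if os.name == "nt":  # live check on a Windows host
        out = subprocess.run(["reg", "query", RUN_KEY], capture_output=True, text=True).stdout
        results = find_apost_indicators(windows_env(), out)
    else:  # off-Windows demo against the constructed sample data
        present = {r"C:\Windows\readme.exe"}
        results = find_apost_indicators(SAMPLE_ENV, SAMPLE_REG_OUTPUT, exists=present.__contains__)
    for line in results or ["no W32.Apost@mm indicators found"]:
        print(line)
```

Run it as the affected user on the Windows host so that %UserProfile%, %Temp% and the HKCU Run key resolve to that user's profile; placeholders the script cannot resolve are skipped rather than guessed, so an unresolved placeholder means the corresponding path still needs a manual look.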