Email-Worm.Win32.Apost or Apost is a Worm that spreads through email.


Apost is a virus-worm that spreads via the Internet as an attachment to infected e-mails. Also known as Readme. The worm itself is a Windows PE EXE file about 25Kb in length and written in Visual Basic Script. The infected messages contain the following:

Subject: As per your request!
Please find attached file for your review. 
I look forward to hear from you again very soon. Thank you.
Attachment: README.EXE

The worm activates from infected e-mail only in the case when a user clicks on the attached file. The worm then installs itself to the system, runs the spreading routine, and displays two fake messages: While installing, the worm copies itself to the Windows directory with the README.EXE name and registers that file in the system registry auto-run key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run macrosoft = README.EXE

To send infected messages, the worm uses MS Outlook and sends messages to all addresses found in the Outlook address book. The worm also copies itself to the root directory of all local fixed and remote (network) drives with the same README.EXE name.






Securelist (Kaspersky Labs), Email-Worm.Win32.Apost.a

Community content is available under CC-BY-SA unless otherwise noted.