On September 3, 2001, the Labor Day holiday in the U.S. and Canada, a new email virus began spreading. The virus, dubbed APost, sends itself as an attachment named Readme.exe. Legitimate Readme files are generally plain text (carrying the .TXT extension, not the .EXE extension used by the virus). Readme files accompany nearly every software program distributed and provide installation, configuration, and compatibility information about that software. The viral readme.exe could easily confuse anyone who does not have file extension viewing enabled. By default, Windows hides the extensions of known file types, so many users are likely to be unaware of the true nature of the file. The Attachments Center provides tips on turning extension viewing on.
Alex Shipp, Senior Anti-Virus Technologist for MessageLabs, initially reported the virus, and antivirus vendor Sophos quickly followed with an alert of its own. Analysis performed by Alexey Podrezov, virus researcher at F-Secure Corp., indicates that the APost virus arrives in an email with the following characteristics:
Subject: As per your request!
Body: Please find attached file for your review.
I look forward to hear from you again very soon. Thank you
Attachment: readme.exe
If the readme.exe file is opened, the worm displays a message box (image provided courtesy of F-Secure). If the user clicks the Open button, a second message box is displayed (image provided courtesy of F-Secure).
The worm copies itself to the root of all local and mapped drives and mails itself to every recipient listed in the Microsoft® Outlook address book. The Sent Items folder will not show these messages, because the worm deletes them automatically after sending, so an empty Sent Items folder is not evidence that a machine did not spread the worm.
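The message characteristics listed above, together with the hidden-extension problem described at the start of the article, as an added PowerShell example (not code from the original article or from any of the vendors named in it): it classifies messages against the APost subject, body and attachment name, flags any attachment with an executable extension regardless of how Explorer would display it, and reports whether the local Explorer setting (the HideFileExt value) is hiding extensions. The message objects are constructed here for illustration; the extension list is an assumption and is not exhaustive.

```powershell
# Added example, not from the original article. Sample messages below are
# constructed, not real captures.

# Extensions Windows runs directly on double-click (assumed list, non-exhaustive).
$ExecutableExtensions = @('.exe', '.com', '.scr', '.pif', '.bat', '.cmd', '.vbs', '.js')

function Get-DisplayedName {
    # What Explorer shows with "Hide extensions for known file types" on:
    # the final extension is dropped, so readme.txt.exe appears as readme.txt.
    param([string]$FileName)
    return [System.IO.Path]::GetFileNameWithoutExtension($FileName)
}

function Test-APostMessage {
    param(
        [string]$Subject,
        [string]$Body,
        [string[]]$Attachments
    )
    $reasons = @()
    if ($Subject -eq 'As per your request!') { $reasons += 'APost subject' }
    if ($Body -like '*Please find attached file for your review*') { $reasons += 'APost body' }
    foreach ($name in $Attachments) {
        $ext = [System.IO.Path]::GetExtension($name).ToLowerInvariant()
        if ($name -ieq 'readme.exe') {
            $reasons += 'APost attachment readme.exe'
        }
        elseif ($ExecutableExtensions -contains $ext) {
            # Broader than APost itself: any executable attachment, including
            # double-extension names that look like documents when extensions are hidden.
            $reasons += "executable attachment $name (displayed as $(Get-DisplayedName $name))"
        }
    }
    [pscustomobject]@{
        Subject = $Subject
        Block   = ($reasons.Count -gt 0)
        Reasons = $reasons
    }
}

function Test-ExtensionsHidden {
    # HideFileExt = 1 (the Windows default) hides extensions of known file types.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $v = (Get-ItemProperty -Path $adv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    return ($null -eq $v -or $v -ne 0)
}

# Constructed sample messages.
$samples = @(
    @{ Subject = 'As per your request!'
       Body = "Please find attached file for your review.`nI look forward to hear from you again very soon. Thank you"
       Attachments = @('readme.exe') },
    @{ Subject = 'Build notes'; Body = 'See attached.'; Attachments = @('readme.txt') },
    @{ Subject = 'Invoice'; Body = 'Attached as requested.'; Attachments = @('invoice.pdf.scr') }
)
foreach ($m in $samples) {
    $r = Test-APostMessage @m
    Write-Output ("{0,-22} block={1} {2}" -f $r.Subject, $r.Block, ($r.Reasons -join '; '))
}
if (Test-ExtensionsHidden) {
    Write-Warning 'Explorer is hiding file extensions; set HideFileExt to 0 under HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced and restart Explorer.'
}
```

The first sample matches on all three APost indicators, the second (a genuine readme.txt) is passed, and the third is blocked on the executable-extension rule alone, which is the check worth keeping after this particular worm is gone: the double-extension trick works precisely because the default Explorer setting hides the part of the name that matters.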
Manual removal instructions
Edit the Registry to remove the 'macrosoft' entry from the following key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Search the root of all local and network drives, as well as floppies, for the file README.EXE and delete it.
Locate and delete the file README.EXE from the Windows directory. If the file cannot be deleted (typically because the worm is still running), make the registry modification noted above, reboot the system, and then delete the file.
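The removal steps above as one added PowerShell script (not code from the original article or from any vendor it cites). It checks for the 'macrosoft' Run entry and for README.EXE in the root of every drive and in the Windows directory, reports what it finds with a hash for the incident record, and only deletes when run with -Remove (which honours -WhatIf). Assumptions: the Run entry is a registry value named macrosoft (the text calls it a subkey, so a subkey of that name is checked as well), and the dropped file is named exactly README.EXE.

```powershell
# Added example, not from the original article.
# Usage: .\Find-APost.ps1            (report only)
#        .\Find-APost.ps1 -Remove    (delete what is found; add -WhatIf to preview)
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$entry    = 'macrosoft'        # assumed to be a value name under Run
$fileName = 'README.EXE'
$found    = @()

# 1. Persistence: a Run value (or, per the article's wording, a subkey) named "macrosoft".
$runItem = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runItem -and $runItem.PSObject.Properties[$entry]) {
    $found += "Run value $entry = $($runItem.$entry)"
    if ($Remove -and $PSCmdlet.ShouldProcess("$runKey\$entry", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $runKey -Name $entry
    }
}
if (Test-Path -Path "$runKey\$entry") {
    $found += "Run subkey $runKey\$entry"
    if ($Remove -and $PSCmdlet.ShouldProcess("$runKey\$entry", 'Remove-Item')) {
        Remove-Item -Path "$runKey\$entry" -Recurse
    }
}

# 2. Dropped copies: root of every local, mapped and removable drive, plus the Windows directory.
$roots = @(Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
$roots += $env:WINDIR
foreach ($root in $roots) {
    $path = Join-Path -Path $root -ChildPath $fileName
    # SilentlyContinue covers removable drives with no media present.
    if (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $found += "File $path SHA256=$hash"
        if ($Remove -and $PSCmdlet.ShouldProcess($path, 'Remove-Item')) {
            try {
                Remove-Item -LiteralPath $path -Force -ErrorAction Stop
            }
            catch {
                # A running copy cannot be deleted: the Run entry is already gone at this
                # point, so a reboot and a second pass finishes the job, as the article says.
                Write-Warning "Could not delete $path (still running?). Reboot and run again."
            }
        }
    }
}

if ($found) {
    $found | ForEach-Object { Write-Output "APost indicator: $_" }
} else {
    Write-Output 'No APost indicators found.'
}
```

Run it once without -Remove on each suspect machine and keep the output: the file hashes let you confirm every copy is the same sample, and the list of drive roots where it turned up tells you which shares the worm reached, which matters more than the cleanup itself given that the Sent Items folder carries no record of whom it mailed.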