SWAPOL
------

Version 1.01, November 2000
Copyright (c) 2000 Sophos Plc, Oxford, England
www.sophos.com

1. Introduction
---------------

SWAPOL is a utility for disinfecting the W32/Apology family of viruses. W32/Apology viruses are fast infectors, spreading quickly in the Windows environment and often infecting system files which Sophos Anti-Virus itself will not attempt to disinfect.

SWAPOL disinfects in a two-stage process. You must first create a report file using SWEEP.EXE; SWAPOL will then use this file to perform the disinfection.

SWAPOL is dedicated to cleaning a specific virus family. It contains specialised code which makes sure not only that files are disinfected, but also that all traces of the virus have been removed from the affected files.

Details on W32/Apology-B can be found at
http://www.sophos.com/virusinfo/analyses/w32apologyb.html

The tool these notes refer to can be found at
http://www.sophos.com/downloads/apolsfx.exe

2. Using SWAPOL under Windows 95/98/Me
--------------------------------------

First, identify how many files are infected. If only files with one of the names in section 4 below are present, then delete them. This may indicate that the virus was not able to execute. Run a scan to see if the virus has been removed.

Before using SWAPOL, we recommend that you clean-boot your computer with a clean boot disk that can see your CD drive. These viruses are able to spread whenever files are accessed (a file does not need to be executed to become infected), so you need an environment in which you can be sure the viruses are not active. If you are using Windows Me you will have to clean-boot, as there is no MS-DOS mode in Windows Me.

Under Windows 95/98, if you do not have a clean boot disk available, go to the Windows 95/98 'Shut Down...' menu (via the 'Start' button on the task bar) and select the option 'Restart the computer in MS-DOS mode'. This closes down the 32-bit Windows 95/98 subsystem, and drops back into full-screen 16-bit DOS mode.
Because these viruses require the 32-bit subsystem, they are completely removed from memory by this operation.

Note: opening an MS-DOS Prompt window (a 'DOS Box') under Windows 95/98 is NOT good enough - the MS-DOS Prompt runs on top of the 32-bit subsystem.

Note: Since W32/Apology-B blocks the Sophos website, you will have to use an uninfected computer if downloading.

You must use Sophos Anti-Virus version 3.39 or higher.

If necessary, create a working directory at the command prompt:

   C:
   MD C:\SOPHTEMP
   CD C:\SOPHTEMP

Copy the SWEEP.EXE, VDL.DAT and DOS4GW.EXE files from the \TOOLS\ESD directory on the Sophos CD (or from the Sophos Anti-Virus distribution) and APOLSFX.EXE from the \TOOLS\UTILS directory on the Sophos CD (or downloaded from the website) into this C:\SOPHTEMP directory.

Run APOLSFX.EXE to extract SWAPOL.EXE into the SOPHTEMP directory:

   APOLSFX

From the DOS prompt, run SWEEP.EXE to create a report file for SWAPOL. Use the command:

   SWEEP *: -ALL -F -LANG=ENG -P=C:\SOPHTEMP\INFECTED.REP

The qualifier '*:' tells SWEEP.EXE to scan all local hard disks, '-LANG=ENG' ensures that you are using the English version, '-F' uses 'Full' scan mode, and '-ALL' scans all files. It is worth sweeping all files in case any files have been renamed since they became infected. The qualifier '-P=C:\SOPHTEMP\INFECTED.REP' tells SWEEP.EXE to write its report into the file INFECTED.REP in the C:\SOPHTEMP directory.

Now feed the report file into SWAPOL, with a command such as:

   SWAPOL -RF=C:\SOPHTEMP\INFECTED.REP

The '-RF=' qualifier tells SWAPOL which report file to use for the list of programs which need to be cleaned. For each file listed in the report as infected, SWAPOL will prompt for confirmation to disinfect the infected file. If you press 'Y' for 'Yes', then SWAPOL will attempt disinfection. You should see:

   File was disinfected

The program is now clean, with each fragment of virus code positively erased.
Once you have finished running SWAPOL, we recommend that you re-run SWEEP.EXE to find any files which could not be disinfected:

   SWEEP *: -ALL

If infected files remain, please contact Sophos Technical Support.

3. Using SWAPOL under Windows NT/2000/XP
----------------------------------------

W32/Apology-B is not a fast infector under Windows NT/2000/XP, although infected client files and the backdoor component MTX_.EXE may be present.

To remove MTX_.EXE, first shut it down: press the Ctrl, Alt and Del keys at the same time, click on Task Manager, select the Processes tab, highlight MTX_ and then click on End Process. This unlocks MTX_.EXE. Close Task Manager. Delete MTX_.EXE.

Infected Windows 95/98/Me clients should be disinfected in 16-bit mode using the instructions above. While your Windows 95/98/Me computers are not logged on to your server, and the infected files on your Windows NT/2000/XP server are unlocked, run SWAPOL on your server. SWAPOL can be run in a Command Prompt window under Windows NT/2000/XP.

Since SWEEP will only work on one hard drive at a time, each drive must be scanned separately. From the command prompt, run SWEEP.EXE to create a report file for SWAPOL. Where C: is your hard drive, use the command:

   SWEEP C: -ALL -F -LANG=ENG -P=C:\SOPHTEMP\INFECTC.REP

SWEEP.EXE will write its report into the file INFECTC.REP in the C:\SOPHTEMP directory. For drive D: use the same command line, replacing C: with D: and INFECTC with INFECTD. The report will be written to the INFECTD.REP file.

Now feed the report file into SWAPOL, with the command:

   SWAPOL -RF=C:\SOPHTEMP\INFECTC.REP

SWAPOL will prompt for confirmation to disinfect each infected file in turn. If you press 'Y' for 'Yes', then SWAPOL will attempt disinfection. You should see:

   File was disinfected

That program is now clean, with the virus positively erased. Repeat this process for the INFECTD.REP file, and the appropriate file for any other hard drive.
When you have finished running SWAPOL, for each hard drive in turn re-run SWEEP.EXE from the command line to find any files which could not be disinfected:

   SWEEP C: -ALL

If infected files remain, delete them and replace them with clean versions from the original media or a clean PC.

4. Win32/Apology attachments
----------------------------

W32/Apology is typically received as an attachment to an email which has no body or subject. The attachment has one of the following names:

   README.TXT.pif
   I_wanna_see_YOU.TXT.pif
   MATRiX_Screen_Saver.SCR
   LOVE_LETTER_FOR_YOU.TXT.pif
   NEW_playboy_Screen_saver.SCR
   BILL_GATES_PIECE.JPG.pif
   TIAZINHA.JPG.pif
   FEITICEIRA_NUA.JPG.pif
   Geocities_Free_sites.TXT.pif
   NEW_NAPSTER_site.TXT.pif
   METALLICA_SONG.MP3.pif
   ANTI_CIH.EXE
   INTERNET_SECURITY_FORUM.DOC.pif
   ALANIS_Screen_Saver.SCR
   READER_DIGEST_LETTER.TXT.pif
   WIN_$100_NOW.DOC.pif
   IS_LINUX_GOOD_ENOUGH!.TXT.pif
   QI_TEST.EXE
   AVP_Updates.EXE
   SEICHO-NO-IE.EXE
   YOU_are_FAT!.TXT.pif
   FREE_xxx_sites.TXT.pif
   I_am_sorry.DOC.pif
   Me_nude.AVI.pif
   Sorry_about_yesterday.DOC.pif
   Protect_your_credit.HTML.pif
   JIMI_HMNDRIX.MP3.pif
   HANSON.SCR
   FUCKING_WITH_DOGS.SCR
   MATRiX_2_is_OUT.SCR
   zipped_files.EXE
   BLINK_182.MP3.pif

5. Support
----------

For assistance, please contact Sophos Technical Support.

support@sophos.com

7 April 2003
----------------
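The attachment names in section 4 all share one shape: a decoy document extension (.TXT, .JPG, .DOC, .MP3, .AVI, .HTML) followed by an executable one (.pif, .SCR, .EXE), delivered in a mail with no subject and no body. The following Python is an added example, not part of the Sophos notes or of the SWAPOL tool, showing how a mail gateway or log review could screen attachment names against that list and, more generally, against the double-extension pattern the whole list follows. The Message record, the decoy-extension set and the sample mails are constructed for the example.

```python
"""Screen inbound e-mail attachment names for W32/Apology lures (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Attachment names from section 4 of the SWAPOL notes, compared case-insensitively.
KNOWN_APOLOGY_NAMES = {n.lower() for n in (
    "README.TXT.pif", "I_wanna_see_YOU.TXT.pif", "MATRiX_Screen_Saver.SCR",
    "LOVE_LETTER_FOR_YOU.TXT.pif", "NEW_playboy_Screen_saver.SCR",
    "BILL_GATES_PIECE.JPG.pif", "TIAZINHA.JPG.pif", "FEITICEIRA_NUA.JPG.pif",
    "Geocities_Free_sites.TXT.pif", "NEW_NAPSTER_site.TXT.pif",
    "METALLICA_SONG.MP3.pif", "ANTI_CIH.EXE", "INTERNET_SECURITY_FORUM.DOC.pif",
    "ALANIS_Screen_Saver.SCR", "READER_DIGEST_LETTER.TXT.pif",
    "WIN_$100_NOW.DOC.pif", "IS_LINUX_GOOD_ENOUGH!.TXT.pif", "QI_TEST.EXE",
    "AVP_Updates.EXE", "SEICHO-NO-IE.EXE", "YOU_are_FAT!.TXT.pif",
    "FREE_xxx_sites.TXT.pif", "I_am_sorry.DOC.pif", "Me_nude.AVI.pif",
    "Sorry_about_yesterday.DOC.pif", "Protect_your_credit.HTML.pif",
    "JIMI_HMNDRIX.MP3.pif", "HANSON.SCR", "FUCKING_WITH_DOGS.SCR",
    "MATRiX_2_is_OUT.SCR", "zipped_files.EXE", "BLINK_182.MP3.pif",
)}

# Final extensions that Windows executes; inner "decoy" extensions seen in the list above.
EXECUTABLE_EXTS = {"pif", "scr", "exe"}
DECOY_EXTS = {"txt", "jpg", "doc", "mp3", "avi", "html"}  # constructed from section 4


def has_executable_extension(name: str) -> bool:
    """True if the last extension is one Windows will run."""
    return name.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS


def classify_attachment(name: str) -> Optional[str]:
    """Return a reason if the name looks like an Apology lure, otherwise None."""
    lowered = name.lower()
    if lowered in KNOWN_APOLOGY_NAMES:
        return "known W32/Apology attachment name"
    # Generalisation: STEM.decoy.executable, e.g. anything.jpg.scr
    parts = lowered.rsplit(".", 2)
    if len(parts) == 3 and parts[2] in EXECUTABLE_EXTS and parts[1] in DECOY_EXTS:
        return "double extension: .%s.%s disguises an executable" % (parts[1], parts[2])
    return None


@dataclass
class Message:
    """Minimal constructed mail record: subject, body text and attachment names."""
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def screen_message(msg: Message) -> List[str]:
    """All findings for one message; an empty list means nothing suspicious."""
    findings = []
    for att in msg.attachments:
        reason = classify_attachment(att)
        if reason:
            findings.append("%s: %s" % (att, reason))
    # Section 4: the Apology mail has no body and no subject. An empty message
    # carrying any executable attachment matches that delivery pattern.
    if (not msg.subject.strip() and not msg.body.strip()
            and any(has_executable_extension(a) for a in msg.attachments)):
        findings.append("empty subject and body with executable attachment")
    return findings


def screen_all(messages: List[Message]) -> dict:
    """Map message index -> findings, for messages that have any."""
    result = {}
    for i, m in enumerate(messages):
        hits = screen_message(m)
        if hits:
            result[i] = hits
    return result


# Constructed sample mails, not real traffic.
SAMPLE_MESSAGES = [
    Message("", "", ["LOVE_LETTER_FOR_YOU.TXT.pif"]),
    Message("", "", ["Sorry_about_yesterday.DOC.pif"]),
    Message("Q3 figures", "See attached.", ["q3_figures.xls"]),
    Message("pics", "from the weekend", ["beach.jpg.scr"]),
]

if __name__ == "__main__":
    for idx, hits in screen_all(SAMPLE_MESSAGES).items():
        print("message %d:" % idx)
        for h in hits:
            print("  -", h)
```

The exact-name set catches the variants the notes list; the double-extension rule is the generalisation that also catches a renamed lure, which is the same reason section 2 recommends sweeping all files rather than trusting the extension.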