Win32 Worm Anset


This is a worm

Win32/Anset is a worm written in Delphi and compressed with the UPX packer. It spreads as an email message with the subject "ANTS Version 3.0" and the file ants3set.exe attached. The following text, in German and English, is found in the message body:

Hi, Anhängend die neue Version 3.0 von ANTS, dem bislang einzigartigen
kostenlosen Trojanerscanner. Zum installieren einfach die angefügte Datei
ausführen.

Attached you will find the brand new Version 3.0 of ANTS, the unique
freeware trojan scanner. To install ANTS simply run the attached setup file.

Adieu, Andreas
webmaster@avnetwork.de
http://www.ants-online.de

The message text tells the reader that the attachment is a new version of ANTS, a freeware Trojan scanner. This may persuade an unsuspecting user to open the attached file. Given how widely the worm spread in German-speaking countries, this can be considered a successful use of social engineering. The web site www.ants-online.de states that ANTS 3.0 will not be released before February or March 2002.

When the attached file is executed the worm is activated. It copies itself under a random name into the directory where the Windows operating system is installed. In the system registry, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce, the worm creates a key so that it is activated at the next system restart.

The worm obtains the addresses it spreads to from the Outlook address book and by searching files with the extensions php, htm, html, shtm, shtml and pl on drive C:. If the computer is connected to the Internet the worm tries to replicate. It first creates a copy of itself in the root directory of drive C: under the name ants3set.exe. The worm sends out this copy directly over the SMTP protocol, without relying on the operating system's mail software. To do so it uses either the SMTP server configured on the attacked computer or one of a fixed list of relay servers built into the worm:
The addresses the worm sends itself to are placed in the Blind carbon copy (BCC:) field, so the visible recipient list of the message is empty. Once spreading is ensured, the file ants3set.exe is deleted. There are several variants of this worm.
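A mail-gateway check for the lure described above, added here as an example and not part of the original encyclopedia entry. It flags a message on the worm's fixed subject line, the ants3set.exe attachment name, and the BCC-only delivery (no To: header); the sample message it builds is constructed for the test, with placeholder sender and attachment bytes rather than any real capture.

```python
"""Detect the Win32/Anset lure traits in an RFC 822 message (added example)."""
import email
from email.message import EmailMessage
from email.policy import default

LURE_SUBJECT = "ANTS Version 3.0"      # subject line used by the worm
LURE_ATTACHMENT = "ants3set.exe"       # attachment name used by the worm


def anset_indicators(raw: bytes) -> list[str]:
    """Return the Anset lure traits present in one raw message, in a fixed order."""
    msg = email.message_from_bytes(raw, policy=default)
    hits = []
    if (msg["Subject"] or "").strip() == LURE_SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == LURE_ATTACHMENT:
            hits.append("attachment")
            break
    # The worm lists every recipient in BCC:, so the message carries no To: header.
    if not msg["To"]:
        hits.append("no-to-header")
    return hits


def is_anset_lure(raw: bytes) -> bool:
    """Block only when both the subject and the attachment name match."""
    hits = anset_indicators(raw)
    return "subject" in hits and "attachment" in hits


def build_sample(subject: str, attachment_name: str, with_to: bool = True) -> bytes:
    """Constructed test message; the sender and attachment bytes are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"       # placeholder, not the worm's sender
    if with_to:
        m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Attached you will find the brand new Version 3.0 of ANTS ...")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    sample = build_sample(LURE_SUBJECT, LURE_ATTACHMENT, with_to=False)
    print(anset_indicators(sample), is_anset_lure(sample))
```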

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without prior permission from Eset.
