W32.Anset
This is the latest information that the LHRIC has received - 10/25/01. We will have more available as soon as possible.
Reportedly this email-aware worm appeared in significant numbers in Germany last night. Sporadic reports of wider spreading have trickled in today. For some reason, presumably poor social engineering, the worm does not seem to be spreading very effectively.
The worm spreads as an email attachment named ants3set.exe, posing as an update for a German Trojan horse scanner.
Subject: "ANTS Version 3.0"
Message body: "Hi, anhängend findest Du die neue Version 3.0 von ANTS, dem bislang einzigartigen kostenlosen Trojanerscanner. Zum installieren einfach die angehängte Setup-Datei ausführen.
attached you will find the brand new version 3.0 of ANTS the unique trojan defense system. To install ANTS simply run the attached Setup-File.
Adieu, Andreas
webmaster@avnetwork.de"
A second variant replaces the text "trojan defense system" with "freeware trojan scanner". When the attachment is run, it searches the Outlook address book and files with the extensions .CGI, .HTM, .SHTM, .PHP and .PL for email addresses to send itself to. It creates a randomly named copy of itself in the Windows directory and adds a registry entry that launches this copy under HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce.
Blocking:
Block on the attachment name "ants3set.exe"
Block on lexical analysis of the fixed text. A new worm.txt can be downloaded from: http://www.mimesweeper.com/support/threatlab/worm.txt
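
The two blocking rules above, sketched as a mail-gateway check. This is an added example, not code from the advisory or from MIMEsweeper; the function names and the sample message are constructed for illustration, and the strings matched are the ones quoted in this advisory.

```python
import email
from email import policy
from email.message import EmailMessage

ATTACHMENT_NAME = "ants3set.exe"   # attachment name given in the advisory
SUBJECT = "ants version 3.0"       # subject line given in the advisory
# Fixed phrases from the quoted message body, lower-cased. The two English
# entries cover the original wording and the second variant.
FIXED_TEXT = (
    "bislang einzigartigen kostenlosen trojanerscanner",
    "ants the unique trojan defense system",
    "ants the unique freeware trojan scanner",
)

def _norm(text):
    """Lower-case and collapse whitespace so line wrapping cannot split a phrase."""
    return " ".join(text.lower().split())

def check_message(raw_bytes):
    """Return the sorted names of the advisory's indicators found in one message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = set()
    if _norm(str(msg.get("Subject", ""))) == SUBJECT:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Compare case-insensitively: Windows file names are not case-sensitive.
            if name.strip().lower() == ATTACHMENT_NAME:
                hits.add("attachment-name")
        elif part.get_content_type() == "text/plain":
            body = _norm(part.get_content())
            if any(phrase in body for phrase in FIXED_TEXT):
                hits.add("fixed-text")
    return sorted(hits)

def build_sample(phrase="trojan defense system", filename="ANTS3SET.EXE",
                 subject="ANTS Version 3.0"):
    """Constructed sample: the advisory's English text plus a harmless placeholder file."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("attached you will find the brand new version 3.0 of ANTS "
                  "the unique\n" + phrase + ". To install ANTS simply run the "
                  "attached Setup-File.\nAdieu, Andreas\n")
    m.add_attachment(b"placeholder, not an executable", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(check_message(build_sample()))
```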