Skip to main content

Choose your country

Anito.A

Classification

Category:

Malware

Platform:

W32

Type:

Email-worm

Aliases:

  • Anito.A

Summary

This description is for two detections: Email-Worm:W32/Anito.A and Worm:W32/Anito.A.

Email-Worm:W32/Anito.A is an email worm and a file infector. It sends out email messages with a URL to a malicious file that contains the recently discovered (March/April 2007) ANI exploit. The worm also drops another malware, a worm and trojan-downloader that we detect as Worm:W32/Anito.A. This worm is similar to the one that we detect as Trojan-Downloader.Win32.Agent.bky and Worm.Win32.Diska.c.

Worm:W32/Anito.A is a worm, a file infector and a trojan-downloader. It infects HTML files with a small script that downloads a file with a recently discovered ANI file exploit. Also EXE files get infected. The worm also spreads to remote drives, modifies the HOSTS file, and downloads more malicious files onto an infected computer.

Removal

Technical Details

Email-Worm:W32/Anito.A

After the worm's file is run, it copies itself as sysload3.exe into the Windows System folder and creates a startup entry for the copied file in the Registry:
  • [HKCUSoftware\Microsoft\Windows\CurrentVersion\Run]"System Boot Check" = "%WinSysDir%/sysload3.exe"
This is done to ensure that worm starts every time Windows is loaded. After installation the worm starts Internet Explorer and Notepad and injects a part of its code into those processes. That code creates two remote threads that create mutexes named "MyDownload" and "MyInfect".
The first remote thread connects to the Internet and downloads a configuration file named css.css from a website. The file is saved locally with the name config.ini. The configuration file contains URLs to the following:
  • More malicious files that are downloaded and executed
  • Data to replace the local HOSTS file
  • An updated copy of the worm
  • A site to collect statistics about the worms spread
The worm downloads and runs additional files, replaces the Windows HOSTS file with the one downloaded from Internet, downloads an updated copy of itself, and opens a statistics URL in Internet Explorer.
Then this remote thread tries to send out email messages. It reads SMTP server settings from a downloaded configuration file or uses hard-coded settings (the "smtp.sohu.com" server is used in this worm variant). The email messages sent by the worm are in Chinese. They contain a URL to the HTML page that points to a file with the recently discovered ANI exploit. (March/April 2007).
The second remote thread creates and runs the original EXE file in case the worm started from an infected file. Then it scans local and remote drives from Z: to B: for files with .EXE extensions and infects them if their size is in the range of 10240 and 10485760 bytes. The worm prepends to the found EXE files and "borrows" their icons. So besides the file size increase, this change remains unnoticed to a user.
In addition the worm scans files with the following extensions:
  • .ASP
  • .ASPX
  • .HTM
  • .HTML
  • .JSP
  • .PHP
It inserts a small script code into such files above. The script points to a file located at the "macr.microfsot.com" website (notice the deliberate typo!). According to the reports there was a file with the recently discovered ANI exploit there. By the time of this description's creation the site was down.
Also, the worm attempts to copy itself to removable drives together with the autorun.inf file. As a result, when an infected removable media is inserted into a computer where autostart is enabled, the worm's file gets activated and a new infection round is started.

Worm:W32/Anito.A

After the worm's file is run, it copies itself as sysload3.exe into the Windows System folder and creates a startup entry for the copied file in the Registry:
  • [HKCUSoftware\Microsoft\Windows\CurrentVersion\Run]"System Boot Check" = "%WinSysDir%/sysload3.exe"
This is done to ensure that worm starts every time Windows is loaded. After installation the worm starts Internet Explorer and Notepad and injects a part of its code into those processes. That code creates two remote threads that create mutexes named "MyDownload" and "MyInfect".
The first remote thread connects to the Internet and downloads a configuration file named css.css from a website. The file is saved locally with the name config.ini. The configuration file contains URLs to the following:
  • More malicious files that are downloaded and executed
  • Data to replace the local HOSTS file
  • An updated copy of the worm
  • A site to collect statistics about the worm's spread
The worm downloads and runs additional files, replaces the Windows HOSTS file with the one downloaded from Internet, downloads an updated copy of itself, and opens a statistics URL in Internet Explorer. After the worm replaces the HOSTS file, access is blocked to the following websites:
  • 222.73.220.45
  • 55880.cn
  • 60.169.0.66
  • 60.169.1.29
  • 61.152.169.234
  • adnx.yygou.cn
  • cc.wzxqy.com
  • cool.47555.com
  • d.77276.com
  • d.qbbd.com
  • do.77276.com
  • down.97725.com
  • i.96981.com
  • ip.315hack.com
  • ip.54liumang.com
  • mmm.caifu18.net
  • wm,103715.com
  • www.18dmm.com
  • www.41ip.com
  • www.5117music.com
  • www.54699.com
  • www.54699.com
  • www.97725.com
  • www.9cyy.com
  • www.asdwc.com
  • www.baidulink.com
  • www.down.hunll.com
  • www.f5game.com
  • www.guazhan.cn
  • www.heixiou.com
  • www.hunll.com
  • www.my6688.cn
  • www.union123.com
  • www.wu7x.cn
  • www1.cw988.cn
  • xulao.com
The second remote thread creates and runs the original EXE file in case the worm started from an infected file. Then it scans local and remote drives from Z: to B: for files with .EXE extensions and infects them if their size is in the range of 10240 and 10485760 bytes. The worm prepends to the found EXE files and "borrows" their icons. So besides the file size increase, this change remains unnoticed to a user.
Also, the worm attempts to copy itself to removable drives together with the autorun.inf file. As a result, when an infected removable media is inserted into a computer where autostart is enabled, the worm's file gets activated and a new infection round is started.
It should be noted that previous versions of this worm appended a small script to HTML files. The script pointed to a website where the recently discovered ANI exploit was located. This particular worm variant does not infect HTML files.

Protect your devices from malware with F‑Secure Total

Protecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.

  • Award‑winning antivirus and malware protection
  • Online browsing, banking, and shopping protection
  • 24/7 online identity and data breach monitoring
  • Unlimited VPN service to safe­guard your privacy
  • Password manager with private data protection

Choose how many devices you want to protect to get started.

  • Free customer support
  • Cancel anytime
  • The trial does not obligate you to buy the product
Try Total 30 days for free

After 30 days your subscription will renew automatically for one year at €69.99.

More Support

Community

Ask questions in our Community.

User guides

Check the user guide for instructions.

Contact Support

Chat with with or call an agent.

Submit a Sample

Submit a file or URL for analysis.