F-Secure Virus Descriptions : Anker.A
Anker is a simple e-mail worm that spreads itself inside a ZIP
archive. The archive is downloaded from the Geocities webserver
(from one of its user accounts) just before spreading.
The worm is written in Visual Basic. Its file is a UPX-packed PE
executable 13824 bytes long. The unpacked worm's file size is
over 61 kilobytes.
Installation to system
When the worm's file is run, it copies itself to the Windows
directory as SERVICES.EXE and creates startup keys for this
file in the System Registry:
[HKLM\Software\Microsoft\windows\CurrentVersion\Run]
"Norton Auto-Protect" = "SERVICES.EXE"
[HKLM\software\microsoft\windows\currentversion\runservices-]
"Windows Service" = "SERVICES.EXE"
[HKLM\software\microsoft\windows\currentversion\windowsupdate]
"auto update" = "SERVICES.EXE"
[HKLM\software\microsoft\windows\currentversion\app paths]
"LUALL.exe" = "SERVICES.EXE"
[HKCR\txtfile\shell\open\command]
@ = "SERVICES.exe %1"
The worm also creates keys in the Registry that contain its name,
version, source language, virus writer's handle and feature list.
Additionally, the worm copies itself to the startup folders of all
users.
The worm creates a text file named 'Norton AntiVirus.txt' in the
root folder of the C: drive and writes the following text there:
Script Blocking: Disabled
Spreading in E-mails
The worm spreads itself in e-mail messages. It reads the Outlook
Address Book and sends an e-mail with its file attached to all
e-mail addresses found. The worm sends the following message:
Subject:
Service Pack 2 BUG!!
Body:
Dear user I have been informed that there was a BUG in Windows
Service Pack 2 which was fixed I recommend you to download this
Patch version which will fix the bug and keep your system safe.
You will find the Patch file in the attachment, feal free to
send it to anyone.
I'll be in touch with you as soon as another bug is found.
Regards,
A.H
Attachment:
Fix_SP2.zip
The attachment is a ZIP archive containing the worm's file, named
'Fix_SP2.exe'. This ZIP archive is downloaded by the worm from an
account on the Geocities webserver before spreading. To get
infected, a user has to extract and run the worm's file.
Payload
The worm modifies the HOSTS file to block access to certain
websites. The addresses of these websites are mapped to localhost
(127.0.0.1). Here is the list of the websites that the worm blocks
access to:
www.symantec.com
www.microsoft.com
www.wwe.com
www.rohitab.com
www.coderheaven.com
www.astalavista.com
www.google.com
www.yahoo.com
www.msn.com
www.messenger.msn.com
www.geocities.com
www.worldsex.com
www.cnn.com
www.gamerevolution.com
www.hackers.com
www.fbi.gov
www.hotmail.com
www.norton.com
www.idm.com
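As an added example (not part of the F-Secure description), the following Python script parses a HOSTS file and reports which of the domains listed above are mapped to a loopback address, which is the effect of the modification described here. The sample HOSTS content is constructed for the example.

```python
# Added example: hosts-file checker for the loopback redirections
# described for Anker.A. Not F-Secure's code; sample input is constructed.

import ipaddress

# Domains that the description says the worm redirects to 127.0.0.1.
ANKER_BLOCKED_DOMAINS = {
    "www.symantec.com", "www.microsoft.com", "www.wwe.com", "www.rohitab.com",
    "www.coderheaven.com", "www.astalavista.com", "www.google.com",
    "www.yahoo.com", "www.msn.com", "www.messenger.msn.com",
    "www.geocities.com", "www.worldsex.com", "www.cnn.com",
    "www.gamerevolution.com", "www.hackers.com", "www.fbi.gov",
    "www.hotmail.com", "www.norton.com", "www.idm.com",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, skip it
        for host in parts[1:]:  # one IP may carry several hostnames
            yield str(ip), host.lower()


def find_loopback_hijacks(text, watchlist=ANKER_BLOCKED_DOMAINS):
    """Return watched hostnames that the file maps to a loopback address."""
    hits = set()
    for ip, host in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback and host in watchlist:
            hits.add(host)
    return sorted(hits)


# Constructed sample: the normal localhost line plus worm-style entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com   # worm-style entry (constructed)
127.0.0.1 www.norton.com www.microsoft.com
10.0.0.5        intranet.example   # unrelated entry (constructed)
"""

if __name__ == "__main__":
    for host in find_loopback_hijacks(SAMPLE_HOSTS):
        print(f"suspicious loopback mapping: {host}")
```

On a live system the same function can be run over the contents of %SystemRoot%\System32\drivers\etc\hosts.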
Additionally, the worm modifies the Registry, affecting security
settings (firewall, automatic updates, anti-virus disable
notifications, etc.). System Restore, the 'Run' option in the Start
Menu, Registry Tools and Task Manager are also disabled. Certain
applications are no longer allowed to run:
Write
Notepad
Regedit
Wordpad
Wuauctl
Wupdmgr
MSN Messenger
The worm tries to change the computer name and the Product ID of
Windows and Internet Explorer to "Agent Hacker".
The worm also runs the TASKKILL application to kill certain
processes.
Detection for this malware was published in the following
F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2005-01-24_01
Technical Details:
Alexey Podrezov, February 2nd, 2005;
F-Secure Corporation