Threat Description

Anker.A

Details

Aliases: Anker.A, Email-Worm.Win32.Anker.a, W32.Ahker.B@mm
Category: Malware
Type: Worm
Platform: W32

Summary



Anker is a simple e-mail worm that spreads itself inside a ZIP archive. The archive is downloaded from the Geocities webserver (from one of its user accounts) just before spreading.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



The worm is written in Visual Basic. Its file is a UPX-packed PE executable 13824 bytes long. The unpacked worm's file size is over 61 kilobytes.

Installation to system

When the worm's file is run, it copies itself to the Windows directory as a file named SERVICES.EXE and creates startup keys for this file in the System Registry:

[HKLM\Software\Microsoft\windows\CurrentVersion\Run]
  "Norton Auto-Protect" = "SERVICES.EXE"
[HKLM\software\microsoft\windows\currentversion\runservices]
  "Windows Service" = "SERVICES.EXE"
[HKLM\software\microsoft\windows\currentversion\windowsupdate]
  "auto update" = "SERVICES.EXE"
[HKLM\software\microsoft\windows\currentversion\app paths]
  "LUALL.exe" = "SERVICES.EXE"
[HKCR\txtfile\shell\open\command]
  @ = "SERVICES.exe %1"

The worm also creates keys in the Registry that contain its name, version, source language, virus writer's handle and a list of its features.

Additionally, the worm copies itself to the startup folders of all users.

The worm creates a text file named 'Norton AntiVirus.txt' in the root folder of the C: drive and writes the following text there:

Script Blocking: Disabled 

Spreading in E-mails

The worm spreads itself in e-mail messages. It reads the Outlook Address Book and sends an e-mail with its file attached to every address it finds. The worm sends the following message:

Subject:

Service Pack 2 BUG!! 

Body:

Dear user I have been informed that there was a BUG in Windows
Service Pack 2 which was fixed I recommend you to download this
Patch version which will fix the bug and keep your system safe.
You will find the Patch file in the attachment, feal free to send it to anyone.
I'll be in touch with you as soon as another bug is found.
Regards, A.H

Attachment:

Fix_SP2.zip 
 

The attachment is a ZIP archive containing the worm's file, named 'Fix_SP2.exe'. The worm downloads this ZIP archive from an account on the Geocities webserver before spreading. To get infected, a user has to extract and run the worm's file.

Payload

The worm modifies the HOSTS file to block access to certain websites: their addresses are mapped to localhost (127.0.0.1), so the real sites can no longer be reached by name. Here is the list of the websites the worm blocks access to:

www.symantec.com
www.microsoft.com
www.wwe.com
www.rohitab.com
www.coderheaven.com
www.astalavista.com
www.google.com
www.yahoo.com
www.msn.com
www.messenger.msn.com
www.geocities.com
www.worldsex.com
www.cnn.com
www.gamerevolution.com
www.hackers.com
www.fbi.gov
www.hotmail.com
www.norton.com
www.idm.com
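A defender-side check for the HOSTS tampering described above. This is an added example written for this page, not F-Secure's code; the HOSTS content it parses is a constructed sample, and the watchlist is taken from the list of sites the worm blocks.

```python
"""Audit a Windows HOSTS file for loopback redirections of the kind Anker.A writes."""
import ipaddress
import re

# Sites the advisory lists as redirected to 127.0.0.1 by the worm (subset).
BLOCKED_BY_ANKER = {
    "www.symantec.com", "www.microsoft.com", "www.norton.com",
    "www.google.com", "www.yahoo.com", "www.msn.com", "www.hotmail.com",
    "www.geocities.com", "www.fbi.gov", "www.cnn.com",
}
# Names that legitimately resolve to loopback and must not be flagged.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample HOSTS content, not a real capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com   # appended by the worm
127.0.0.1 www.microsoft.com www.norton.com
0.0.0.0         www.example.net
127.0.0.1       intranet.corp.example
not-an-ip       www.google.com
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs; skips comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an IP
        for name in fields[1:]:
            yield ip, name.lower()

def find_hijacks(text, watchlist=BLOCKED_BY_ANKER):
    """Return sorted (hostname, ip, on_watchlist) for every non-localhost
    name mapped to a loopback address (IPv4 127/8 or IPv6 ::1)."""
    hits = set()
    for ip, name in parse_hosts(text):
        if not ip.is_loopback or name in LEGIT_LOOPBACK_NAMES:
            continue
        hits.add((name, str(ip), name in watchlist))
    return sorted(hits)

if __name__ == "__main__":
    for name, ip, watched in find_hijacks(SAMPLE_HOSTS):
        print(f"{name:28} -> {ip}  {'KNOWN ANKER TARGET' if watched else 'review'}")
```

On a live host, feed the function the contents of %SystemRoot%\System32\drivers\etc\hosts; any entry it returns is worth comparing against the advisory's list.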

Additionally, the worm modifies Registry settings that affect security (the firewall, automatic updates, the anti-virus disabled notification, etc.). System Restore, the 'Run' option in the Start Menu, Registry Tools and Task Manager are also disabled. Certain applications are no longer allowed to run:

Write
Notepad
Regedit
Wordpad
Wuauctl
Wupdmgr
MSN Messenger

The worm tries to change the computer name and the ProductID of Windows and Internet Explorer to "Agent Hacker".

The worm also runs the TASKKILL utility to terminate certain processes.



Detection


Detection for this malware was published in the following F-Secure Anti-Virus updates:
Detection Type: PC
Database: 2005-01-24_01



Technical Details: Alexey Podrezov, February 2nd, 2005

