Anset is a worm that appeared in the wild on 24-25th of October
2001 in Austria and Germany. The worm is a UPX-compressed Delphi
file. Two variants are currently known. One variant is 186 kb,
the other is 179 kb long.
The worm usually arrives as e-mail attachment named ANTS3SET.EXE
file. When a user runs the attachment, the worm copies itself to
\Windows\ directory with a random name (for example RTX.EXE or
JNJSLLKE.EXE) and modifies RunOnce subkey of the following
The RunOnce subkey contains the name and path to the worm's file.
This way the worm activates itself after system reboot.
To spread itself the worm gets e-mail addresses from Outlook
Address Book and from *.PHP, *.HTM, *.SHTM, *.CGI and *.PL files
that it can find on local hard drives. Before spreading the worm
copies itself as ANTS3SET.EXE to root folder of C: drive. Then
the worm sends itself to all e-mail addresses it could find on an
infected system. The infected message in both German and English
looks like that:
From: Andreas Haak<email@example.com>
Subject: ANTS Version 3.0
Anhängend die neue Version 3.0 von ANTS, dem bislang
einzigartigen kostenlosen Trojanerscanner. Zum
installieren einfach die angefügte Datei ausführen.
Attached you will find the brand new Version 3.0 of ANTS,
the unique freeware trojan scanner. To install ANTS
simply run the attached setup file.
The worm is attached to the infected message as ANTS3SET.EXE
file. The worm uses the following anonymous SMTP servers:
The Version resource of the worm states:
FileDescription: ANTS - A New Trojan Scanner
LegalCopyright: Andreas Haak
Andreas Haak is a real person who makes scanners against trojans.
According to Andreas someone used his name and name of his
program to create a worm.
F-Secure Anti-Virus detects this worm with the from 24th of
[Analysis: Alexey Podrezov; F-Secure Corp.; October 25th, 2001]