Anker.A

GO TO: Summary | Removal | Technical Details

Classification

Category:

Malware

Type:

Worm

Platform:

W32

Aliases:

Anker.A, Email-Worm.Win32.Anker.a, W32.Ahker.B@mm

Summary

Anker is a simple email worm that spreads itself inside a ZIP archive. The archive is downloaded from the Geocities webserver (from one of user accounts) just before spreading.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

The worm is written in Visual Basic. Its file is a UPX-packed PE executable 13824 bytes long. The unpacked worm's file size is over 61 kilobytes.

Installation to system

When the worm's file is run, it copies itself to Windows directory as SERVICES.EXE file and creates startup keys for this file in System Registry:

[HKLM\Software\Microsoft\windows\CurrentVersion\Run

"Norton Auto-Protect" = "SERVICES.EXE"

[HKLM\software\microsoft\windows\currentversion\runservices-]

"Windows Service" = "SERVICES.EXE"

[HKLM\software\microsoft\windows\currentversion\windowsupdate]

"auto update" = "SERVICES.EXE"

[HKLM\software\microsoft\windows\currentversion\app paths

"LUALL.exe" = "SERVICES.EXE"

[HKCR\txtfile\shell\open\command]
@ =
 "SERVICES.exe %1"

The worm also creates keys in the Registry that contain its name, version, source language, virus writer hadle and features list.

Additionally the worm copies itself to startup folders of all users.

The worm creates a text file named 'Norton AntiVirus.txt' in the root folder of C: drive and writes the following text there:

Script Blocking: Disabled

Spreading in emails

The worm spreads itself in email messages. It reads Outlook Address Book and sends an email with its attached file to all found email addresses. The worm sends the following message:

Subject:

Service Pack 2 BUG!!

Body:

Dear user I have been informed that there was a BUG in Windows

Service Pack 2 which was fixed I recommend you to download this

Patch version which will fix the bug and keep your system safe.

You will find the Patch file in the attachment, feal free to
send it to anyone.

I'll be in touch with you as soon as another bug is found.

Regards,
A.H

Attachment:

Fix_SP2.zip

The attachment is a ZIP archive with the worm's file named 'Fix_SP2.exe'. This ZIP archive is downloaded by the worm from an account on Geocities webserver before spreading. To get infected, a user has to extract and run the worm's file.

Payload

The worm modifies HOSTS file to block access to certain websites. The addresses of these websites are changed to localhost (127.0.0.1). Here's the list of the websites that the worm blocks access to:

www.symantec.com

www.microsoft.com

www.wwe.com

www.rohitab.com

www.coderheaven.com

www.astalavista.com

www.google.com

www.yahoo.com

www.msn.com

www.messenger.msn.com

www.geocities.com

www.worldsex.com

www.cnn.com

www.gamerevolution.com

www.hackers.com

www.fbi.gov

www.hotmail.com

www.norton.com

www.idm.com

Additionally the worm modifies the Registry affecting security settings (firewall, autoupdate, anti-virus disable notifications, etc.). Also System Restore, 'Run' option in the Start Menu, Registry Tools and Task Manager get disabled. Certain applications are not allowed to run any more:

Write

Notepad

Regedit

Wordpad

Wuauctl

Wupdmgr

MSN Messenger

The worm tries to change computer name, ProdictID of Windows and Internet Explorer to "Agent Hacker".

The worm also runs TASKKILL application to kill certain processes.