Anset is a worm that appeared in the wild on 24-25th of October 2001 in Austria and Germany. The worm is a UPX-compressed Delphi file. Two variants are currently known. One variant is 186 kb, the other is 179 kb long.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
The worm usually arrives as email attachment named ANTS3SET.EXE file. When a user runs the attachment, the worm copies itself to \Windows\ directory with a random name (for example RTX.EXE or JNJSLLKE.EXE) and modifies RunOnce subkey of the following Registry key:
The RunOnce subkey contains the name and path to the worm's file. This way the worm activates itself after system reboot.
To spread itself the worm gets email addresses from Outlook Address Book and from *.PHP, *.HTM, *.SHTM, *.CGI and *.PL files that it can find on local hard drives. Before spreading the worm copies itself as ANTS3SET.EXE to root folder of C: drive. Then the worm sends itself to all email addresses it could find on an infected system. The infected message in both German and English looks like that:
From: Andreas Haak[firstname.lastname@example.org] Subject: ANTS Version 3.0 Reply-To: email@example.com Body: Hi, Anhangend die neue Version 3.0 von ANTS, dem bislang einzigartigen kostenlosen Trojanerscanner. Zum installieren einfach die angefugte Datei ausfuhren. Attached you will find the brand new Version 3.0 of ANTS, the unique freeware trojan scanner. To install ANTS simply run the attached setup file. Adieu, Andreas firstname.lastname@example.org http://www.ants-online.de
The worm is attached to the infected message as ANTS3SET.EXE file. The worm uses the following anonymous SMTP servers:
18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 toad.com 220.127.116.11 18.104.22.168
The Version resource of the worm states:
CompanyName: e-brainstorm FileDescription: ANTS - A New Trojan Scanner LegalCopyright: Andreas Haak
Andreas Haak is a real person who makes scanners against trojans. According to Andreas someone used his name and name of his program to create a worm.
F-Secure Anti-Virus detects this worm with the from 24th of October 2001.