Threat Description

Anset

Details

Category: Malware
Platform: W32
Aliases: Anset, Antes, I-Worm.Anset, Worm/Anset, Ants

Summary


Anset is a worm that appeared in the wild on 24-25th of October 2001 in Austria and Germany. The worm is a UPX-compressed Delphi file. Two variants are currently known. One variant is 186 kb, the other is 179 kb long.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


The worm usually arrives as an e-mail attachment named ANTS3SET.EXE. When a user runs the attachment, the worm copies itself to the \Windows\ directory under a random name (for example RTX.EXE or JNJSLLKE.EXE) and modifies the RunOnce subkey of the following Registry key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]  

The RunOnce subkey contains the name and path of the worm's file. This way the worm activates itself after a system reboot.

To spread itself, the worm collects e-mail addresses from the Outlook Address Book and from *.PHP, *.HTM, *.SHTM, *.CGI and *.PL files that it can find on local hard drives. Before spreading, the worm copies itself as ANTS3SET.EXE to the root folder of the C: drive. Then the worm sends itself to all e-mail addresses it could find on the infected system. The infected message, in both German and English, looks like this:

From: Andreas Haak [webmaster@avnetwork.de]
Subject: ANTS Version 3.0
Reply-To: webmaster@avnetwork.de
Body:
  Hi,
  Anhangend die neue Version 3.0 von ANTS, dem bislang
  einzigartigen kostenlosen Trojanerscanner. Zum
  installieren einfach die angefugte Datei ausfuhren.
  Attached you will find the brand new Version 3.0 of ANTS,
  the unique freeware trojan scanner. To install ANTS
  simply run the attached setup file.
  Adieu, Andreas
  webmaster@avnetwork.de
  http://www.ants-online.de

The worm is attached to the infected message as the file ANTS3SET.EXE. The worm uses the following anonymous SMTP servers:

200.52.69.2  200.52.69.9  193.92.94.226  12.34.208.35  195.229.189.2  toad.com  196.40.0.82  196.40.0.90  

The Version resource of the worm states:

CompanyName: e-brainstorm
FileDescription: ANTS - A New Trojan Scanner
LegalCopyright: Andreas Haak

Andreas Haak is a real person who makes scanners against trojans. According to Andreas, someone used his name and the name of his program to create the worm.

F-Secure Anti-Virus detects this worm with the from 24th of October 2001.
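The persistence and message indicators described above can be turned into a simple triage check. This is an added example, not F-Secure's code or detection logic. The function names, the default Windows directory C:\Windows and the sample message are assumptions constructed for illustration, and the RunOnce values are expected as a name-to-command mapping exported from the key above.

```python
import ntpath
from email.message import EmailMessage

# Indicators taken from the description above (compared in lower case).
ATTACHMENT = "ants3set.exe"
SUBJECT = "ants version 3.0"
REPLY_TO = "webmaster@avnetwork.de"

def exe_from_command(command):
    """Extract the executable path from a RunOnce command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def suspicious_runonce(values, windir=r"C:\Windows"):
    """Names of RunOnce values that launch an .EXE sitting directly in windir.
    Heuristic: the copy has a random name, so only its location is checked."""
    hits = []
    for name, command in values.items():
        path = exe_from_command(command).lower()
        if ntpath.dirname(path) == windir.lower() and path.endswith(".exe"):
            hits.append(name)
    return sorted(hits)

def mail_indicators(msg):
    """Which of the page's message indicators a parsed e-mail matches."""
    found = set()
    if (msg.get("Subject") or "").strip().lower() == SUBJECT:
        found.add("subject")
    if REPLY_TO in (msg.get("Reply-To") or "").lower():
        found.add("reply-to")
    names = [(p.get_filename() or "").lower() for p in msg.walk()]
    if ATTACHMENT in names:
        found.add("attachment")
    return found

def is_anset_mail(msg):
    # The sender details are borrowed from a real person, so header matches
    # alone are not enough: require the attachment name plus one header.
    found = mail_indicators(msg)
    return "attachment" in found and len(found) >= 2

def sample_mail(attachment="ANTS3SET.EXE"):
    """Constructed test message; the payload is four placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "ANTS Version 3.0"
    msg["Reply-To"] = "webmaster@avnetwork.de"
    msg.set_content("Hi,\nAttached you will find ...")
    msg.add_attachment(b"\x00\x00\x00\x00", maintype="application",
                       subtype="octet-stream", filename=attachment)
    return msg
```

A RunOnce hit is only a prompt for review, since the check looks at where the executable sits, not at what it is.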





Description Details: Analysis: Alexey Podrezov; F-Secure Corp.; October 25th, 2001

