The worm usually arrives as email attachment named ANTS3SET.EXE file. When a user runs the attachment, the worm copies itself to \Windows\ directory with a random name (for example RTX.EXE or JNJSLLKE.EXE) and modifies RunOnce subkey of the following Registry key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
The RunOnce subkey contains the name and path to the worm's file. This way the worm activates itself after system reboot.
To spread itself the worm gets email addresses from Outlook Address Book and from *.PHP, *.HTM, *.SHTM, *.CGI and *.PL files that it can find on local hard drives. Before spreading the worm copies itself as ANTS3SET.EXE to root folder of C: drive. Then the worm sends itself to all email addresses it could find on an infected system. The infected message in both German and English looks like that:
From:
Andreas Haak[webmaster@avnetwork.de]
Subject: ANTS Version 3.0
Reply-To:
webmaster@avnetwork.de
Body:
Hi,
Anhangend die neue Version 3.0 von ANTS, dem bislang
einzigartigen kostenlosen Trojanerscanner. Zum
installieren einfach die angefugte Datei ausfuhren.
Attached you will find the brand new Version 3.0 of ANTS,
the unique freeware trojan scanner. To install ANTS
simply run the attached setup file. Adieu, Andreas webmaster@avnetwork.de http://www.ants-online.de
The worm is attached to the infected message as ANTS3SET.EXE file. The worm uses the following anonymous SMTP servers:
200.52.69.2
200.52.69.9
193.92.94.226
12.34.208.35
195.229.189.2
toad.com
196.40.0.82
196.40.0.90
The Version resource of the worm states:
CompanyName: e-brainstorm
FileDescription: ANTS - A New Trojan Scanner
LegalCopyright: Andreas Haak
Andreas Haak is a real person who makes scanners against trojans. According to Andreas someone used his name and name of his program to create a worm.
F-Secure Anti-Virus detects this worm with the from 24th of October 2001.