Virus:Worm/Anker.P
Date discovered:02/09/2005
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Low to medium
Static file:Yes
File size:15,872 bytes
MD5 checksum:0d190e489ecb8c595425eb7543ee2624
VDF version:6.31.1.208

General
Method of propagation:
   • Email


Aliases:
   •  Symantec: W32.Ahker@mm
   •  McAfee: AgentHacker
   •  Kaspersky: Email-Worm.Win32.Anker.p
   •  TrendMicro: WORM_AHKER.J
   •  F-Secure: W32/Anker.G@mm
   •  VirusBuster: I-Worm.Anker.G
   •  Bitdefender: Win32.Anker.P@mm


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows ME


Side effects:
   • Downloads a file
   • Uses its own Email engine
   • Registry modification

Files
It copies itself to the following location:
   • %WINDIR%\Bazzi.exe




It tries to download a file:

– The location is the following:
   • http://www.aliensoftware.co.uk/Files0908/MSWINSCK.OCX
It is saved on the local hard drive under: %SYSDIR%\MSWINSCK.OCX (the Microsoft Winsock ActiveX control that Visual Basic programs use for socket communication)

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft AntiSpyware"="Bazzi.exe"



The following registry keys are changed:

– [HKLM\Software\speedBit\Download Accelerator]
   Old value:
   • "BrowserIntegration"=%user defined settings%
   New value:
   • "BrowserIntegration"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "Hidden"=%user defined settings%
   New value:
   • "Hidden"=dword:00000000
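The registry changes above can be checked offline against a `reg export` style dump taken from a suspect machine. The following is an added example, not part of the original description or of any vendor tool; the .reg text it parses is constructed for illustration, and the key paths, value names and data are the ones listed above:

```python
import re

# CONSTRUCTED sample in .reg export format covering the three keys the worm
# touches; this is not a dump captured from an infected machine.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft AntiSpyware"="Bazzi.exe"
"SomeVendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\Software\speedBit\Download Accelerator]
"BrowserIntegration"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"ShowSuperHidden"=dword:00000001
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DAP_KEY = r"HKEY_LOCAL_MACHINE\Software\speedBit\Download Accelerator"
ADV_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path: {value_name: (kind, value)}}.

    Handles the two encodings used by the values above, REG_SZ ("...") and
    dword:XXXXXXXX; anything else is kept as ('raw', text) rather than dropped.
    """
    hives = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            hives.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group("name"), m.group("data")
            if data.startswith('"') and data.endswith('"'):
                # REG_SZ: .reg files double every backslash, undo that
                hives[current][name] = ("sz", data[1:-1].replace("\\\\", "\\"))
            elif data.lower().startswith("dword:"):
                hives[current][name] = ("dword", int(data[6:], 16))
            else:
                hives[current][name] = ("raw", data)
    return hives


def find_anker_indicators(hives):
    """Return human-readable findings for each registry indicator listed above."""
    findings = []
    for name, (kind, value) in hives.get(RUN_KEY, {}).items():
        # Match on the image name so a variant that writes a full path is caught too.
        if kind == "sz" and value.lower().endswith("bazzi.exe"):
            findings.append(f"Run value {name!r} launches {value}")
    if hives.get(DAP_KEY, {}).get("BrowserIntegration") == ("dword", 0):
        findings.append("Download Accelerator BrowserIntegration forced to 0")
    if hives.get(ADV_KEY, {}).get("Hidden") == ("dword", 0):
        findings.append("Explorer Advanced\\Hidden set to 0")
    return findings


if __name__ == "__main__":
    for finding in find_anker_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

The Run-key check matches on the image name rather than on the value name "Microsoft AntiSpyware", since the name is chosen to look legitimate and is the part an attacker can change most cheaply; the two dword checks are weak on their own (a user can set them) and are only meaningful together with the Run entry or the file indicators.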

Email
It contains an integrated SMTP engine in order to send emails. It connects directly to the destination mail server. The characteristics are described in the following:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)


Email design:
 


From: peter_parker@hotmail.com
Subject: Returned mail
Body:
   • sendmail daemon reported:
     Error 804 occured during SMTP session. Partial message has been received.
 


From: mariah_hillary@aol.com
Subject: Delivery Error
Body:
   • Mail transaction failed. Partial message is available.
 


From: johnloke@msn.uk
Subject: Status
Body:
   • The message contains Unicode characters and has been sent as a binary attachment.
 


From: bazzi@microsoft.com
Subject: Server Report
Body:
   • The message contains MIME-encoded graphics and has been sent as a binary attachment.
 


From: sarah_alia@yahoo.com
Subject: Mail Transaction Failed
Body:
   • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
 


From: seniormanager@byblos.com
Subject: Mail Delivery System
Body:
   • Your credit card was charged for $500 USD. For additional information see the attachment.
 


From: michel_bado@gmail.com
Subject: Do not reply to this email!
Body:
   • ESMTP [Secure Mail System 334]: Secure message is attached.
 


From: otacon@konami.jp
Subject: Error
Body:
   • Encrypted message is available.
 


From: majortom@fbi.gov
Subject: FWD:Hello
Body:
   • You have visited illegal websites!!
     I have a big list of the websites you surfed.
 


From: hilton_britgette@ahker.lb
Subject: FWD:Hey
Body:
   • Bad Gateway: The message has been attached.
 


From: billy@hacker.com
Subject: There you go!
Body:
   • There is the password you requested!
 


From: agent@hacker.com
Subject: Password Cracked!
Body:
   • Hotmail Cracker Version 2.25 attached!


Attachment:
The filename of the attachment is:
   • Message.Zip

The attachment is a copy of the malware itself.
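The sender, subject and attachment details above can be turned into a mail-gateway or SOC check. The following is an added example, not part of the original description; the message it builds is constructed (the zipped payload is placeholder bytes, not the worm), so the hash comparison against the MD5 listed in the header is shown but cannot match on this sample:

```python
import hashlib
import io
import zipfile
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Subjects of the lure messages, exactly as listed in the description.
LURE_SUBJECTS = frozenset({
    "Returned mail", "Delivery Error", "Status", "Server Report",
    "Mail Transaction Failed", "Mail Delivery System",
    "Do not reply to this email!", "Error", "FWD:Hello", "FWD:Hey",
    "There you go!", "Password Cracked!",
})
LURE_ATTACHMENT_NAME = "message.zip"   # compared case-insensitively
# MD5 of the worm binary from the description. It is the hash of the
# unpacked executable, so it is compared against the members of the attached
# archive, never against the archive file itself.
ANKER_MD5 = "0d190e489ecb8c595425eb7543ee2624"


def _zip_member_hashes(blob):
    """Return {member_name: md5hex} for a zip given as bytes, or {} if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return {info.filename: hashlib.md5(zf.read(info)).hexdigest()
                    for info in zf.infolist() if not info.is_dir()}
    except zipfile.BadZipFile:
        return {}


def classify_message(raw_bytes):
    """Score one RFC 822 message against the lure pattern.

    The indicators are returned separately so a rule can weigh them: a subject
    match alone is weak (real bounces use "Returned mail" and "Error" too),
    the Message.Zip attachment is strong, and a member hash equal to ANKER_MD5
    is a confirmed sample.
    """
    msg = message_from_bytes(raw_bytes)
    subject = (msg.get("Subject") or "").strip()
    result = {"subject_match": subject in LURE_SUBJECTS,
              "attachment_match": False, "member_hashes": {}, "confirmed": False}
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower() == LURE_ATTACHMENT_NAME:
            result["attachment_match"] = True
            payload = part.get_payload(decode=True) or b""
            result["member_hashes"] = _zip_member_hashes(payload)
            if ANKER_MD5 in result["member_hashes"].values():
                result["confirmed"] = True
    if result["confirmed"]:
        result["verdict"] = "anker_sample"
    elif result["subject_match"] and result["attachment_match"]:
        result["verdict"] = "likely_lure"
    elif result["subject_match"] or result["attachment_match"]:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "clean"
    return result


def build_sample_lure():
    """Build a CONSTRUCTED message shaped like the "Returned mail" lure above.

    The archive member is placeholder bytes, not malware, so its hash will not
    equal ANKER_MD5 and the verdict stops at "likely_lure".
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.bin", b"constructed placeholder, not malware")
    msg = MIMEMultipart()
    msg["From"] = "peter_parker@hotmail.com"   # spoofed sender from the description
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Returned mail"
    msg.attach(MIMEText("sendmail daemon reported:\nError 804 occured during "
                        "SMTP session. Partial message has been received."))
    att = MIMEApplication(buf.getvalue(), _subtype="zip")
    att.add_header("Content-Disposition", "attachment", filename="Message.Zip")
    msg.attach(att)
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify_message(build_sample_lure()))
```

Matching the From header is deliberately left out: the description says the sender is spoofed, and the listed addresses are just the strings this build happened to use, so a rule keyed on them would miss the next variant while still producing false positives on the real hotmail.com or aol.com users.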

Mailing
Search addresses:
It searches the following files for email addresses:
   • doc; slk; txt; wab; htt; htm; html; ppt; hta; hte; htx; pst; shtml;
      stm; asp; rtf; xml; adb; tbb; sht; dbx; uin; abc; abd; vap; abx; ade;
      adp; vbs; adr; bak; bas; vcf; cfg; cgi; cls; wsh; cms; csv; ctl;
      xhtml; dhtm; dsp; dsw; xls; eml; fdb; frm; hlp; imb; imh; imm; inbox;
      ini; jsp; ldb; ldif; log; mbx; mda; mdb; mde; mdw; mdx; mht; mmf; msg;
      nab; nch; nfo; nsf; nws; ods; oft; phtm; pmr
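During incident response the list above answers a concrete question: which files on an infected host would have fed the harvester, and therefore which addresses may have received lure mail with the victim as the forged sender. The following is an added example, not part of the original description; it scans a directory tree for files with those extensions and reports the addresses found in each. The directory and its files are constructed inside the script:

```python
import os
import re
import tempfile

# File extensions the worm scans, exactly as listed above.
SCANNED_EXTENSIONS = frozenset("""
doc slk txt wab htt htm html ppt hta hte htx pst shtml stm asp rtf xml adb tbb
sht dbx uin abc abd vap abx ade adp vbs adr bak bas vcf cfg cgi cls wsh cms csv
ctl xhtml dhtm dsp dsw xls eml fdb frm hlp imb imh imm inbox ini jsp ldb ldif
log mbx mda mdb mde mdw mdx mht mmf msg nab nch nfo nsf nws ods oft phtm pmr
""".split())

# Deliberately loose: harvesters of this era matched printable runs around
# '@', so a strict RFC 5322 grammar would under-report what was exposed.
ADDRESS_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvestable_addresses(root):
    """Walk `root` and return {address: [relative paths]} for every address
    found in a file whose extension is on the worm's list.

    Files are read as bytes so binary formats (WAB, PST, DBX) are searched
    the same way as text ones; unreadable files are skipped, not fatal.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in SCANNED_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            for addr in set(ADDRESS_RE.findall(data)):
                hits.setdefault(addr.decode("ascii").lower(), []).append(
                    os.path.relpath(path, root))
    return hits


def demo():
    """Create a CONSTRUCTED tree, scan it, and return the result."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "notes.txt": b"contact alice@example.com or Bob@Example.org",
            "page.htm": b"<a href='mailto:alice@example.com'>mail</a>",
            "addr.wab": b"\x00\x01carol@example.net\x00\xff",  # binary-looking
            "photo.jpg": b"dave@example.com",  # extension not on the list
        }
        for name, blob in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(blob)
        return harvestable_addresses(root)


if __name__ == "__main__":
    for address, paths in sorted(demo().items()):
        print(address, "->", ", ".join(sorted(paths)))
```

Note that the address in photo.jpg is not reported: the worm only looks inside the listed extensions, so on a real host the scan should be run over the user profile and mail stores with exactly this list rather than over every file, otherwise the notification scope is overstated.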

Process termination
The following process is terminated:
   • DAP.exe (Download Accelerator Plus by SpeedBit, whose BrowserIntegration setting the worm also disables in the registry)


DoS
Right after it becomes active, it starts a DoS attack against the following destination:
   • http://www.rohitab.com

File details
Programming language:
The malware program was written in Visual Basic.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Razvan Olteanu on Monday, September 5, 2005
Description updated by Razvan Olteanu on Monday, September 5, 2005
