Worm/Anset.b opens its attachment and makes a Registry entry.
The worm searches the Outlook Address Book and files of type .PHP, .HTM, .SHTM, .CGI and .PL on drive C:\ for email addresses. Using its own SMTP components, it sends emails with the following structure:
Subject: ANTS Version 3.0
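Body: Hi, Anhängend die neue Version 3.0 von ANTS, dem bislang einzigartigen kostenlosen Trojanerscanner. Zum installieren einfach die angefügte Datei ausführen. Adieu, Andreas firstname.lastname@example.org http://www.ants-online.de
(English translation of the body: "Hi, attached is the new version 3.0 of ANTS, the so far unique free Trojan scanner. To install it, simply run the attached file. Goodbye, Andreas")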
It makes a list of available SMTP servers. It also uses the following 8 anonymous servers:
If an anonymous server is used, the worm sends itself with the sender's name "Andreas Haak" and email address "email@example.com".
If the server is not anonymous, the address is changed so that the email cannot be replied to.
The Worm/Anset.b file is 179.712 Bytes in size and is packed with UPX.
When the attachment ANTS3SET.EXE is activated, the worm copies an .EXE file with a random name into the Windows directory.
Then it makes the following registry entry:
%variable% = "C:\%WinDIR%\%variable.EXE%
Description inserted by Crony Walker on Tuesday, June 15, 2004
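A mail-gateway triage check built from the indicators in the description above (subject, body text, attachment name, file size, UPX packing), as an added example that is not part of the original Avira description. The function names, the sample messages and the inert stand-in attachment are constructed for illustration, and the size is read as 179712 bytes.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above (compared case-insensitively).
SUBJECT = "ants version 3.0"
ATTACHMENT = "ants3set.exe"
SIZE = 179712  # assumption: "179.712 Bytes" uses "." as a thousands separator
BODY_MARKERS = ("trojanerscanner", "ants-online.de")

def anset_indicators(raw: bytes) -> list:
    """Return which of the page's indicators match one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT:
            data = part.get_payload(decode=True) or b""
            hits.append("attachment-name")
            if data[:2] == b"MZ" and len(data) == SIZE:
                hits.append("attachment-size")
            # Assumption: default UPX section names appear near the PE header.
            if b"UPX0" in data[:4096] and b"UPX1" in data[:4096]:
                hits.append("upx-packed")
        elif part.get_content_type() == "text/plain":
            text = part.get_content().lower()
            hits += ["body:" + m for m in BODY_MARKERS if m in text]
    return hits

def build_sample(subject, body, filename, payload) -> bytes:
    """Build a constructed test message; the addresses are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

# Constructed, inert stand-in with the stated size and UPX section names.
FAKE_EXE = (b"MZ" + b"\0" * 62 + b"UPX0\0\0\0\0UPX1").ljust(SIZE, b"\0")
WORM_LIKE = build_sample("ANTS Version 3.0",
    "Hi, ... kostenlosen Trojanerscanner ... http://www.ants-online.de",
    "ANTS3SET.EXE", FAKE_EXE)
BENIGN = build_sample("Meeting notes", "See attached.", "notes.txt", b"hello")

if __name__ == "__main__":
    print(anset_indicators(WORM_LIKE))
    print(anset_indicators(BENIGN))
```

A single hit such as the subject alone is weak evidence; the attachment name combined with the size and packer checks is the stronger signal for quarantine.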