Worm/Anker.P - Worm
Virus:
Worm/Anker.P
Date discovered:
02/09/2005
Type:
Worm
In the wild:
No
Reported Infections:
Low
Distribution Potential:
Medium
Damage Potential:
Low to medium
Static file:
Yes
File size:
15.872 Bytes
MD5 checksum:
0d190e489ecb8c595425eb7543ee2624
VDF version:
6.31.1.208
General
Method of propagation:
• Email
Aliases:
• Symantec: W32.Ahker@mm
• McAfee: AgentHacker
• Kaspersky: Email-Worm.Win32.Anker.p
• TrendMicro: WORM_AHKER.J
• F-Secure: W32/Anker.G@mm
• VirusBuster: I-Worm.Anker.G
• Bitdefender: Win32.Anker.P@mm
Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows ME
Side effects:
• Downloads a file
• Uses its own Email engine
• Registry modification
Files
It copies itself to the following location:
• %WINDIR%\Bazzi.exe
It tries to download a file:
– The location is the following:
• http://www.aliensoftware.co.uk/Files0908/MSWINSCK.OCX
It is saved on the local hard drive under:
• %SYSDIR%\MSWINSCK.OCX
Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• "Microsoft AntiSpyware"="Bazzi.exe"
The following registry keys are changed:
– [HKLM\Software\speedBit\Download Accelerator]
Old value:
• "BrowserIntegration"=%user defined settings%
New value:
• "BrowserIntegration"=dword:00000000
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• "Hidden"=%user defined settings%
New value:
• "Hidden"=dword:00000000
Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:
From:
The sender address is spoofed.
To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
Email design:
From:
peter_parker@hotmail.com
Subject:
Returned mail
Body:
• sendmail daemon reported:
Error 804 occured during SMTP session. Partial message has been received.
From:
mariah_hillary@aol.com
Subject:
Delivery Error
Body:
• Mail transaction failed. Partial message is available.
From:
johnloke@msn.uk
Subject:
Status
Body:
• The message contains Unicode characters and has been sent as a binary attachment.
From:
bazzi@microsoft.com
Subject:
Server Report
Body:
• The message contains MIME-encoded graphics and has been sent as a binary attachment.
From:
sarah_alia@yahoo.com
Subject:
Mail Transaction Failed
Body:
• The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
From:
seniormanager@byblos.com
Subject:
Mail Delivery System
Body:
• Your credit card was charged for $500 USD. For additional information see the attachment.
From:
michel_bado@gmail.com
Subject:
Do not reply to this email!
Body:
• ESMTP [Secure Mail System 334]: Secure message is attached.
From:
otacon@konami.jp
Subject:
Error
Body:
• Encrypted message is available.
From:
majortom@fbi.gov
Subject:
FWD:Hello
Body:
• You have visited illegal websites!!
I have a big list of the websites you surfed.
From:
hilton_britgette@ahker.lb
Subject:
FWD:Hey
Body:
• Bad Gateway: The message has been attached.
From:
billy@hacker.com
Subject:
There you go!
Body:
• There is the password you requested!
From:
agent@hacker.com
Subject:
Password Cracked!
Body:
• Hotmail Cracker Version 2.25 attached!
Attachment:
The filename of the attachment is:
• Message.Zip
The attachment is a copy of the malware itself.
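As an added example (not part of the Avira description), the following Python check matches incoming mail against the sender, subject and attachment indicators listed above, the way a mail-gateway or SIEM rule would; the sample messages are constructed. Because the sender is spoofed, a sender or subject hit on its own is treated as weak and is only reported together with the Message.Zip attachment.

```python
# Added example (not from the Avira page): flag mail that matches the
# Worm/Anker.P lure characteristics. Sample messages are constructed.

# Sender addresses, subject lines and attachment name from the description.
ANKER_SENDERS = {
    "peter_parker@hotmail.com", "mariah_hillary@aol.com", "johnloke@msn.uk",
    "bazzi@microsoft.com", "sarah_alia@yahoo.com", "seniormanager@byblos.com",
    "michel_bado@gmail.com", "otacon@konami.jp", "majortom@fbi.gov",
    "hilton_britgette@ahker.lb", "billy@hacker.com", "agent@hacker.com",
}
ANKER_SUBJECTS = {
    "returned mail", "delivery error", "status", "server report",
    "mail transaction failed", "mail delivery system",
    "do not reply to this email!", "error", "fwd:hello", "fwd:hey",
    "there you go!", "password cracked!",
}
ANKER_ATTACHMENT = "message.zip"


def anker_indicators(sender, subject, attachments):
    """Return the list of matched indicators for one message (empty = none)."""
    hits = []
    if sender.strip().lower() in ANKER_SENDERS:
        hits.append("sender")
    if subject.strip().lower() in ANKER_SUBJECTS:
        hits.append("subject")
    if any(a.strip().lower() == ANKER_ATTACHMENT for a in attachments):
        hits.append("attachment")
    return hits


def is_anker_lure(sender, subject, attachments):
    """Require the attachment plus at least one header indicator to flag."""
    hits = anker_indicators(sender, subject, attachments)
    return "attachment" in hits and len(hits) >= 2


# Constructed sample messages: (sender, subject, attachment names).
SAMPLE_MESSAGES = [
    ("peter_parker@hotmail.com", "Returned mail", ["Message.Zip"]),
    ("alice@example.com", "Status", ["report.pdf"]),
    ("bob@example.com", "FWD:Hey", ["message.zip"]),
]


def scan(messages=SAMPLE_MESSAGES):
    """Return the messages that match the Anker.P lure pattern."""
    return [m for m in messages if is_anker_lure(*m)]
```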
Mailing
Search addresses:
It searches the following files for email addresses:
• doc; slk; txt; wab; htt; htm; html; ppt; hta; hte; htx; pst; shtml; stm; asp; rtf; xml; adb; tbb; sht; dbx; uin; abc; abd; vap; abx; ade; adp; vbs; adr; bak; bas; vcf; cfg; cgi; cls; wsh; cms; csv; ctl; xhtml; dhtm; dsp; dsw; xls; eml; fdb; frm; hlp; imb; imh; imm; inbox; ini; jsp; ldb; ldif; log; mbx; mda; mdb; mde; mdw; mdx; mht; mmf; msg; nab; nch; nfo; nsf; nws; ods; oft; phtm; pmr
Process termination
The following process is terminated:
• DAP.exe
DoS
Right after it becomes active, it starts a DoS attack against the following destination:
• http://www.rohitab.com
File details
Programming language:
The malware program was written in Visual Basic.
Runtime packer:
In order to hamper detection and reduce the file size, it is packed with the following runtime packer:
• UPX
Description inserted by Razvan Olteanu on Mon, 05 Sep 2005 11:36 (GMT+1)
Description updated by Razvan Olteanu on Mon, 05 Sep 2005 14:16 (GMT+1)
© 2008 Avira GmbH