Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32 Worm Anset

Win32/Anset is a worm, written in Delphi and compressed by the utility UPX. It spreads as an email message with subject "ANTS Version 3.0" and has the file ants3set.exe attached.  The following text in German and English can be found in the message's body:

Hi,

Anhängend die neue Version 3.0 von ANTS, dem bislang einzigartigen kostenlosen Trojanerscanner. Zum installieren einfach die angefügte Datei ausführen.

Attached you will find the brand new Version 3.0 of ANTS, the unique freeware trojan scanner. To install ANTS simply run the attached setup file.

Adieu, Andreas
webmaster@avnetwork.de
http://www.ants-online.de

The text in the message informs the reader that the file in the attachment is a new version of the freeware scanner for Trojans ANTS.  This information may cause that an unsuspecting user  to open the attached file.  On basis of spreading the worm in German speaking countries this can be considered a successful attempt of using social engineering.  On the web-site  www.ants-online.de it is mentioned that ANTS 3.0 will not be introduced before February or March 2002.  When the file in the attachment is executed the worm is activated.  It copies itself under a random name into the directory where the Windows operating system is installed.  In the system registry, in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce the worm creates a key in order to be activated at the next system restart.  The worm gets addresses to spread itself from the Outlook address book and from searching through files with extensions php, htm, html, shtm, shtml, cgi and pl on the disk C:.  If the computer is connected to the Internet the worm tries to replicate.  It first creates its copy in the root directory on the disk C: with the name ants3set.exe.  The worm sends out its copy by means of the SMTP protocol without relying on the operating system.  To do so it uses the server which is configured on, the attacked computer, and one of the following relay servers, respectively:

200.52.69.2
200.52.69.9
193.92.94.226
12.34.208.35
195.229.189.2
toad.com
196.40.0.82
196.40.0.90

In the field Blind copy (BCC:) there are addresses listed that the worm sent itself to.   After spreading is insured, the file ants3set.exe is deleted.  There are several variants of this worm.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without prior permission from Eset.

PROTECT YOUR COMPUTER!
ESET's NOD32 provides comprehensive, easy-to-use, and affordable protection from today's and tomorrow's threats. We put the malware expert inside the software, so you don't have to become one.

DOWNLOAD ESET NOD32 FREE ANTI VIRUS SOFTWARE 30 DAY TRIAL

PURCHASE ESET NOD32 ANTI VIRUS SOFTWARE