W32.Anset.Worm


Aliases: I-worm.Anset, W32/Antset, W32/Anset@MM
Variants: W32/Anset-A, W32/Anset-B, I-worm.Anset.a, I-worm.Anset.b

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 24 Oct 2001
Damage: Low

Characteristics: According to computer security experts, the W32.Anset.Worm program was written in the Delphi programming language. It is capable of harvesting email addresses from the Windows Address Book, and it disguises itself as a freeware Trojan horse remover to trick the user into executing its payload.

More details about W32.Anset.Worm

The W32.Anset.Worm program arrives as an email message carrying the attachment Ants3set.exe. It spreads by mailing a copy of itself to the email addresses saved in the infected user's Microsoft Outlook address book, posing as a freeware Trojan horse scanner known as ANTS; its subject line usually refers to ANTS Version 3.0. As with most mass-mailing worms, execution depends on the recipient launching the attached executable file.

Beyond the Windows Address Book, the worm also harvests email addresses from the contents of the Web browser cache, which on the host machine is normally stored under Temporary Internet Files. Once run, the worm normally extracts the ANTS3SET.EXE file into the Windows directory and creates an accompanying Windows Registry entry whose key name is a random text string. Because the worm does not check whether that registry entry already exists before creating it, several copies of the entry may accumulate, which complicates cleanup.

The W32.Anset.Worm program also carries hard-coded IP addresses that it can use to route its email messages when the SMTP server of the infected machine cannot be contacted. Files with the extensions PHP, SHTM, HTM, PL, and CGI are normally targeted by this malware. Aside from the Windows Registry, it may also place an entry in the Startup folder of the operating system so that it launches at every boot or restart. The complexity of the W32.Anset.Worm program requires an updated and reliable antivirus program for complete removal from the infected machine.
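The following script is an added detection example for the indicators the entry describes; it is not code from the original entry or from any antivirus vendor. It checks an email message for the worm's lure (a subject mentioning ANTS Version 3.0 and/or an Ants3set.exe attachment) and checks Run-key values and a Startup folder listing for a launcher pointing at ANTS3SET.EXE. The registry values, folder listing and the sample message are constructed test data passed in as plain Python objects so the script runs offline; on a live host they would be read with winreg and os.listdir. It assumes, as is usual for Run entries, that the value data is the command line that starts the program. Because the worm names its registry entry with a random string, the detection matches on the launched program rather than on the value name, and it reports every hit rather than the first, since the entry notes that duplicate registry entries can accumulate.

```python
"""Added detection example for the W32.Anset.Worm indicators (not from the original entry)."""
import email
from email import policy
import ntpath
import re

WORM_FILENAME = "ants3set.exe"  # attachment / dropped file name given in the entry
SUBJECT_MARKER = re.compile(r"\bANTS\s+Version\s+3\.0\b", re.IGNORECASE)


def analyze_message(raw: bytes) -> list:
    """Return the lure indicators ("subject", "attachment") found in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []
    if SUBJECT_MARKER.search(msg.get("Subject", "")):
        indicators.append("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == WORM_FILENAME:
            indicators.append("attachment")
            break
    return indicators


def _launched_program(cmdline: str) -> str:
    """Extract the program path from a Run-key command line (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def find_anset_persistence(run_values: dict, startup_entries: list) -> list:
    """Return every persistence hit as (location, name, program).

    run_values: {value_name: value_data} as read from a Run key.
    startup_entries: file names found in a Startup folder.
    The value name is random, so only the launched program is matched.
    """
    hits = []
    for name, data in run_values.items():
        program = _launched_program(data)
        if ntpath.basename(program).lower() == WORM_FILENAME:
            hits.append(("run_key", name, program))
    for entry in startup_entries:
        if ntpath.basename(entry).lower() == WORM_FILENAME:
            hits.append(("startup_folder", entry, entry))
    return hits


# --- constructed sample data (not captured from a real infection) ---
SAMPLE_EMAIL = b"""From: sender@example.test
To: recipient@example.test
Subject: ANTS Version 3.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Free trojan horse scanner attached.
--XYZ
Content-Type: application/octet-stream; name="Ants3set.exe"
Content-Disposition: attachment; filename="Ants3set.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBiaW5hcnk=
--XYZ--
"""

SAMPLE_RUN_VALUES = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",   # benign entry
    "x7qk2pa": r"C:\WINDOWS\ANTS3SET.EXE",          # random-name entry (constructed)
    "m9ztr": r'"C:\WINDOWS\ANTS3SET.EXE"',          # duplicate, quoted form
}
SAMPLE_STARTUP = ["desktop.ini", "Ants3set.exe"]


def main():
    print("message indicators:", analyze_message(SAMPLE_EMAIL))
    for hit in find_anset_persistence(SAMPLE_RUN_VALUES, SAMPLE_STARTUP):
        print("persistence hit:", hit)


if __name__ == "__main__":
    main()
```

Against the constructed data the script reports both lure indicators for the message and three persistence hits (two Run-key values plus the Startup folder item); a cleanup that stopped at the first registry match would leave the other launcher in place.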