Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Outbreak Of Ani Worm

  • Please log in to reply
1 reply to this topic

#1 HIPPO1023


  • Members
  • 85 posts
  • Local time:02:15 PM

Posted 01 April 2007 - 07:32 AM

Chinese Internet Security Response Team is reporting on a new worm using the ANI exploit to spread.

Full Topic : ANI worm from F-Secure Weblog

BC AdBot (Login to Remove)


#2 harrywaldron


    Security Reporter

  • Members
  • 509 posts
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:03:15 PM

Posted 01 April 2007 - 01:41 PM

Thanks for sharing :thumbsup: ... copy of blog post below also ...

ANI Exploit - New Email Worms Surface

The Internet Storm Center has declared a Yellow Alert to emphasize an increased risk in HTML based email and malicious websites that could contain the new ANI exploits. Please be extra careful with email until an official patch is in place. Even plain text processing by some email clients may not be safe until Microsoft issues a new patch. AV protection can help as well as recommendations shared in the Microsoft security advisory.

Below are 3 new worms that have recently surfaced:

New Email Worm using new ANI Exploit

The Email-Worm: W32/Anito.A is an e-mail worm. It sends out e-mail messages with a URL to a malicious file that contains the recently discovered ANI exploit. The worm also drops another malware, a worm and trojan downloader that we detect as 'Worm:W32/Anito.A'. This worm is similar to the one, that we detect as 'Trojan-Downloader.Win32.Agent.bky' and 'Worm.Win32.Diska.c'.

Agent.BKY - New ANI downloader worm

Agent.BKY is a worm and a trojan downloader. It infects html files with a small script that downloads a file with a recently discovered ANI exploit. The worm also spreads to remote drives, modifies HOSTS file and downloads more malicious files onto an infected computer. This worm is dropped by the e-mail worm that we detect as 'Email-Worm:W32/Anito.A'.


Instead of the usual W32/Fujacks strings used in earlier variants, inside the virus body of each variant contain one or more of these silly messages: "I Hate AVP!!" "Well, Boss will come in !!" "I will by one BMW this year!"The W32/Fujacks.aa thread in notepad.exe then prepends itself to Win32 PE files. It may also create a copy of itself in A:\tools.exe and A:\autorun.inf to autostart itself.


Internet Storm Center - Declares Yellow Alert

Chinese Internet Security Response Team Reports ANI Worm

Microsoft Security Advisory


ANI 0-Day Exploit Info


Microsoft Windows Animated Cursor Handling Vulnerability

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users