The Chinese Internet Security Response Team is reporting on a new worm using the ANI exploit to spread.
Full Topic : ANI worm from F-Secure Weblog
Posted 01 April 2007 - 01:41 PM
The Email-Worm: W32/Anito.A is an e-mail worm. It sends out e-mail messages with a URL to a malicious file that contains the recently discovered ANI exploit. The worm also drops another malware, a worm and trojan downloader that we detect as 'Worm:W32/Anito.A'. This worm is similar to the one that we detect as 'Trojan-Downloader.Win32.Agent.bky' and 'Worm.Win32.Diska.c'.
Agent.BKY is a worm and a trojan downloader. It infects html files with a small script that downloads a file with a recently discovered ANI exploit. The worm also spreads to remote drives, modifies HOSTS file and downloads more malicious files onto an infected computer. This worm is dropped by the e-mail worm that we detect as 'Email-Worm:W32/Anito.A'.
Instead of the usual W32/Fujacks strings used in earlier variants, the virus body of each variant contains one or more of these silly messages: "I Hate AVP!!" "Well, Boss will come in !!" "I will by one BMW this year!"
The W32/Fujacks.aa thread in notepad.exe then prepends itself to Win32 PE files. It may also create a copy of itself in A:\tools.exe and A:\autorun.inf to autostart itself.
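A triage check built from the indicators quoted above, added here as an example and not taken from F-Secure or the original post: it sweeps one drive root or folder for the two dropped file names and the three marker strings, in ASCII or UTF-16LE. The function names and sample files are constructed for illustration; a packed or encrypted body would not show the strings in plain form.

```python
import os
import tempfile

# Marker strings quoted on this page, byte-for-byte (typos included).
MARKERS = (
    "I Hate AVP!!",
    "Well, Boss will come in !!",
    "I will by one BMW this year!",
)
# Dropped file names named on this page (the page gives them under A:\).
DROPPED = ("tools.exe", "autorun.inf")


def markers_in(data: bytes) -> list:
    """Return the page's marker strings present in data (ASCII or UTF-16LE)."""
    found = []
    for m in MARKERS:
        if m.encode("ascii") in data or m.encode("utf-16-le") in data:
            found.append(m)
    return found


def triage_root(root: str) -> dict:
    """Check one drive root or folder (non-recursive) for the page's indicators."""
    report = {"dropped_names": [], "marker_hits": {}}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        if name.lower() in DROPPED:
            report["dropped_names"].append(name)
        try:
            with open(path, "rb") as fh:
                hits = markers_in(fh.read())
        except OSError:
            continue  # locked or unreadable file: skip, do not abort the sweep
        if hits:
            report["marker_hits"][name] = hits
    return report


def demo() -> dict:
    """Run the triage over constructed sample files (not real malware)."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "tools.exe": b"MZ\x90\x00" + b"\x00" * 8 + b"I Hate AVP!!" + b"\x00",
            "wide.bin": "Well, Boss will come in !!".encode("utf-16-le"),
            "clean.txt": b"nothing to see",
        }
        for name, body in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        return triage_root(d)
```

A file name match alone is weak evidence, since `autorun.inf` is a legitimate file name; treat a name hit together with a marker hit as the stronger signal.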