
Win32.Anset.A@mm

VERY LOW
LOW
Size: ~175 Kbytes (unpacked ~436 Kbytes)
Also known as: I-worm.Anset.b

Symptoms

- the file ants3set.exe in the root of the C: drive.

Removal instructions:

If you don't have BitDefender installed click here to download an evaluation version.

1. Make sure that you have the latest updates, using BitDefender Live!;

2. Perform a full scan of your system (selecting, from the Action tab, the option "Prompt user for action"). Choose to delete all the files infected with Win32.Anset.A@mm.

Analyzed By

Costin Ionescu BitDefender Virus Researcher

Technical Description:

This virus is an Internet worm that spreads through e-mail and runs on Windows platforms. The infected e-mail has the following format:

Subject: ANTS Version 3.0
Body:

Hi,

Anhängend die neue Version 3.0 von ANTS, dem bislang einzigartigen
kostenlosen Trojanerscanner. Zum installieren einfach die angefügte Datei
ausführen.

Attached you will find the brand new Version 3.0 of ANTS, the unique
freeware trojan scanner. To install ANTS simply run the attached setup file.

Adieu, Andreas
webmaster@avnetwork.de
http://www.ants-online.de


Attachment: ants3set.exe
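
The message template above is specific enough to match at a mail gateway. The following is an added example written for this entry, not Bitdefender's detection code: it parses a raw message with Python's standard `email` package and reports which Anset indicators it carries (the Subject "ANTS Version 3.0", an attachment named ants3set.exe, the ants-online.de URL or "trojan scanner" wording in the body, and whether the attachment decodes to a PE file). The sample messages and the example.invalid addresses are constructed for the demonstration.

```python
"""Mail-gateway check for the Win32.Anset.A@mm message template.

Added example for this entry, not Bitdefender's detection code. The indicators
(Subject "ANTS Version 3.0", attachment ants3set.exe, the ants-online.de URL in
the body) are taken from the e-mail format shown above; the sample messages
and the example.invalid addresses are constructed.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

ANSET_SUBJECT = "ants version 3.0"
ANSET_ATTACHMENT = "ants3set.exe"
ANSET_BODY_MARKERS = ("ants-online.de", "trojan scanner", "trojanerscanner")


def anset_indicators(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and report which Anset indicators it carries."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    hits = {
        "subject": subject == ANSET_SUBJECT,
        "body": any(marker in body for marker in ANSET_BODY_MARKERS),
        "attachment": False,   # attachment named ants3set.exe present
        "pe_payload": False,   # that attachment decodes to a PE file (MZ header)
    }
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == ANSET_ATTACHMENT:
            hits["attachment"] = True
            payload = part.get_payload(decode=True) or b""
            hits["pe_payload"] = payload.startswith(b"MZ")
    return hits


def is_anset_mail(raw: bytes) -> bool:
    """Quarantine rule: the ants3set.exe attachment plus the subject or body text."""
    hits = anset_indicators(raw)
    return hits["attachment"] and (hits["subject"] or hits["body"])


def build_sample(subject: str, body: str, attach_name: str, payload: bytes) -> bytes:
    """Build a constructed multipart message for testing (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attach_name)
    return msg.as_bytes()


# Constructed samples: a message following the worm's template (with a stand-in
# executable that carries only an MZ header) and an unrelated benign message.
SAMPLE_ANSET = build_sample(
    "ANTS Version 3.0",
    "Hi,\n\nAttached you will find the brand new Version 3.0 of ANTS, the unique\n"
    "freeware trojan scanner.\n\nhttp://www.ants-online.de\n",
    "ants3set.exe",
    b"MZ\x90\x00" + bytes(60),
)
SAMPLE_BENIGN = build_sample("Meeting notes", "See the attached notes.\n",
                             "notes.txt", b"plain text")

if __name__ == "__main__":
    for label, raw in (("anset", SAMPLE_ANSET), ("benign", SAMPLE_BENIGN)):
        print(label, is_anset_mail(raw), anset_indicators(raw))
```

The rule deliberately requires the attachment name together with either the subject or the body wording, so a reply quoting the text without the executable is not quarantined; the `pe_payload` flag is reported separately so an analyst can see whether the attachment really is a Windows executable.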

When the user executes the attachment, the virus installs itself in the system by copying itself into the Windows directory under a random name.

It creates a randomly named key in:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

with the value pointing to the copied virus file.
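
The installation step above gives a responder two things to look for on a host: the C:\ants3set.exe copy and a RunOnce entry under HKCU whose command points at an executable sitting directly in the Windows directory. The following is an added example, not a Bitdefender tool: the RunOnce path and the ants3set.exe name come from this entry, while the heuristic (flag RunOnce commands that launch an .exe directly in the Windows directory), the `winreg` collection helper and the sample entries are assumptions made here. Legitimate installers also use RunOnce, so hits are leads to examine, not verdicts.

```python
"""Host triage for the installation step described above: a copy of the worm
under a random name in the Windows directory, started from a randomly named
entry in HKCU\\...\\RunOnce, plus the C:\\ants3set.exe copy used for mailing.

Added example, not Bitdefender's tool. The RunOnce path and ants3set.exe come
from this entry. The heuristic (flag RunOnce entries whose command is an .exe
sitting directly in the Windows directory) and the sample entries are
assumptions made here; legitimate installers also use RunOnce.
"""
import os
import re
from pathlib import PureWindowsPath

RUNONCE_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"
DROPPER_PATH = r"C:\ants3set.exe"


def exe_from_command(data: str) -> str:
    """Extract the executable path from a Run/RunOnce command line (quoted or not)."""
    m = re.match(r'\s*"?([^"]+?\.exe)', data, re.IGNORECASE)
    return m.group(1) if m else data.strip()


def suspicious_runonce(entries: dict, windir: str) -> list:
    """Return (value name, exe path) for entries that launch an .exe directly in windir."""
    windir_path = PureWindowsPath(windir)          # PureWindowsPath compares case-insensitively
    findings = []
    for name, data in entries.items():
        exe = exe_from_command(str(data))
        if PureWindowsPath(exe).parent == windir_path:
            findings.append((name, exe))
    return findings


def read_runonce_hkcu() -> dict:
    """Read the live HKCU RunOnce values (Windows only; winreg is imported lazily)."""
    import winreg
    entries = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNONCE_SUBKEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:          # no more values under the key
                    break
                entries[name] = data
                index += 1
    except FileNotFoundError:            # key absent: nothing queued to run once
        pass
    return entries


# Constructed sample: one randomly named entry pointing into the Windows
# directory (the pattern described above) and one ordinary installer entry.
SAMPLE_RUNONCE = {
    "xk3q9": r"C:\WINDOWS\bqz7m.exe",
    "AppSetup": r'"C:\Program Files\App\setup.exe" /finish',
}

if __name__ == "__main__":
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    print("dropper copy present:", os.path.exists(DROPPER_PATH))
    entries = read_runonce_hkcu() if os.name == "nt" else SAMPLE_RUNONCE
    for name, exe in suspicious_runonce(entries, windir):
        print(f"suspicious RunOnce entry {name!r} -> {exe}")
```

Run on the affected machine it reads the live key; elsewhere it falls back to the constructed sample so the heuristic can be exercised offline. Note that RunOnce entries are deleted by Windows once they have executed, so on a machine that has already rebooted the running copy in the Windows directory may be the only remaining trace of this step.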

Once installed, the worm starts its spreading routine. The virus builds a list of e-mail addresses from Outlook's Address Book and from all the files on drive C: whose extension is one of:

.php
.htm
.shtm
.cgi
.pl


where it looks for the string mailto:. Also it reads the Internet Cache and History folders from Internet Explorer settings and searches for e-mails stored in the files contained in that folders.

The virus carries a list of SMTP (Simple Mail Transfer Protocol) servers, to which it adds the SMTP servers from the user's Internet accounts (if any). The list contains the following SMTP addresses:

200.52.69.2
200.52.69.9
193.92.94.226
12.34.208.35
195.229.189.2
toad.com
196.40.0.82
196.40.0.90


To send the e-mails it creates a copy of its file in the root of C: drive with the name ants3set.exe which will be attached to the e-mails and sends directly to a SMTP server (from its list) the infected e-mails. This method is pretty undetectable by the user and also is independent from user's mail settings or programs.

Even if the user doesn't have a mail account, a simple connection to the Internet will allow this worm to spread.
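
Because the worm talks to SMTP servers itself instead of going through the user's mail program, its activity shows up on the network as a workstation opening TCP port 25 connections directly to outside hosts, some of them the hard-coded servers listed above. The following is an added example, not Bitdefender's code: it reviews constructed firewall records in a key=value format, skips traffic to the organisation's own relay, flags every other outbound SMTP connection and names the ones going to a server from the worm's list. The server list is the one printed in this entry; the log format, the relay allowlist (10.0.0.25) and the sample log lines are assumptions made for the demonstration.

```python
"""Network-side detection for the spreading method described above: the worm
delivers its own mail over TCP port 25 to a hard-coded list of SMTP servers
(plus any from the user's accounts), so it works without the user's mail
program and shows up as direct SMTP traffic from a workstation.

Added example, not Bitdefender's code. The server list is the one printed in
this entry; the key=value log format, the relay allowlist and the sample log
lines are constructed assumptions.
"""
ANSET_SMTP_SERVERS = {
    "200.52.69.2", "200.52.69.9", "193.92.94.226", "12.34.208.35",
    "195.229.189.2", "toad.com", "196.40.0.82", "196.40.0.90",
}
APPROVED_RELAYS = {"10.0.0.25"}   # assumption: the organisation's own mail relay


def parse_conn_line(line: str) -> dict:
    """Split a 'key=value key=value' firewall record into a dict (other tokens ignored)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def review_connections(lines) -> list:
    """Flag TCP/25 connections that bypass the relay; name the known worm servers."""
    findings = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec.get("proto") != "tcp" or rec.get("dport") != "25":
            continue
        dst, dsthost = rec.get("dst", ""), rec.get("dsthost", "").lower()
        if dst in APPROVED_RELAYS:
            continue                           # normal path through the mail relay
        if dst in ANSET_SMTP_SERVERS or dsthost in ANSET_SMTP_SERVERS:
            reason = "known Anset SMTP server"
        else:
            reason = "direct SMTP bypassing the relay"
        findings.append({"ts": rec.get("ts"), "src": rec.get("src"),
                         "dst": dst, "dsthost": dsthost, "reason": reason})
    return findings


def sources_by_count(findings) -> dict:
    """Workstations ranked by number of flagged connections (a mass mailer stands out)."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


# Constructed sample log: private addresses on the internal side, documentation
# ranges for unrelated destinations, and two servers taken from the list above.
SAMPLE_LOG = [
    "ts=2001-10-30T09:12:01 src=10.0.0.5 dst=200.52.69.2 dport=25 proto=tcp action=allow",
    "ts=2001-10-30T09:12:03 src=10.0.0.5 dst=10.0.0.25 dport=25 proto=tcp action=allow",
    "ts=2001-10-30T09:12:09 src=10.0.0.5 dst=203.0.113.7 dport=25 proto=tcp action=allow",
    "ts=2001-10-30T09:13:40 src=10.0.0.8 dst=203.0.113.7 dport=443 proto=tcp action=allow",
    "ts=2001-10-30T09:14:02 src=10.0.0.5 dst=198.51.100.9 dsthost=toad.com dport=25 proto=tcp action=deny",
]

if __name__ == "__main__":
    flagged = review_connections(SAMPLE_LOG)
    for finding in flagged:
        print(finding)
    print(sources_by_count(flagged))
```

The generic rule (workstation to anything on port 25 other than the relay) is the durable one: it catches the servers the worm picks up from the user's own accounts as well, which the fixed list cannot. Blocking outbound port 25 from workstations at the perimeter, relay excepted, stops this spreading method outright.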