Security Alert: trojan horse scanner pitch is really a sneaky worm -- virus protection software that infects your computer and attacks Microsoft web browser

Friday October 26 08:13 AM EDT
Trojan horse scanner pitch is a sneaky worm
By Robert Vamosi, ZDNet Reviews

An e-mail announcing a new Trojan horse scanner is itself an Internet worm that could flood e-mail servers with useless mail.

With more people all the time connected to the Internet, the danger of Trojan horses, malicious programs that communicate passwords and other private information to others on the Internet, is very real. Antset is a worm that arrives by e-mail and claims to be a Trojan horse scanner. It is not. At least three variations of Antset (W32.Anset.A@mm, W32.Anset.B@mm, and W32.Anset.C@mm) are floating around the Internet. Antset is capable only of sending multiple e-mail messages and does not damage PCs, so this worm ranks a 4 on the ZDNet Virus Meter.

How it works
Antset arrives as an e-mail solicitation for a Trojan horse scanner. The subject line reads "ANTS Version 3.0." The body text for the original worm is in German, and reads: "Hi, Anhängend die neue Version 3.0 von ANTS, dem bislang einzigartigen kostenlosen Trojanerscanner. Zum installieren einfach die angefügte Datei ausführen." The English translation reads: "Hi, attached you will find the brand new version 3.0 of ANTS, the unique freeware Trojan scanner. To install ANTS, simply run the attached setup file." The body text concludes with the following salutation "Adieu, Andreas webmaster@avnetwork.de http://www.ants-online.de." The named Web site is legitimate but contains a disclaimer regarding this worm. Antset also contains an attachment named ants3set.exe.

If a user clicks the attached file, Antset searches the Microsoft Outlook address book for addresses to which to send copies of itself, then looks for more e-mail addresses within the following file types: PHP, HTM, SHTM, CGI, and PL.

Worms like Antset usually contain a Registry key that prevents the worm from installing itself more than once. Antset does not have this feature and could produce multiple Registry entries and numerous extra files in the Windows subdirectory. Antset also has a few programming bugs that affect its ability to spread and may not function on all Windows computers.

Removal
Most antivirus software companies have updated their signature files to include this worm. For more information on removing Antset from your system, see Kaspersky,McAfee, Sophos, Symantec, and Trend Micro.

Back To The Study