October 17, 2001
Spreading on the Internet?
By Thor Olavsrud
firms Tuesday warned that two worms have been discovered in the wild that attempt to play on recipients' fears concerning
Anthrax. However, the firms also gave the worms a low threat assessment, noting that fatal bugs keep either worm from propagating
The e-mails that deliver the worms are both written in Spanish, and were created using the "VBSWG"
virus generator that has been used to create other script-viruses in the "Lee" family of viruses, including the wide-spread
Anna Kournikova worm. The e-mails arrive with the subjects "Informacion Sobre El Antrax," or "Antrax Info."
Russian security firm Kaspersky Labs said both worms can be delivered to computers via IRC channels
(possibly under the client names mIRC or pIRCh), and that in all cases the infected files have the names ANTRAXINFO.VBS or
Symantec said the body of one of the e-mails, in translation, says, "If you don't know what anthrax
is or what the results of it are, please see the attached picture so that you can see the results that it has. Note: the picture
might be too strong."
Kaspersky Labs said that when an infected file is launched, the worms destroy all files on a computer
with the VBS and BVE extensions and write their own copies instead. They also attempt to send copies of themselves, via MAPI
e-mail, to all listings in the victim's Microsoft Outlook address book, but fail due to bugs in the script.
"Detailed analysis of the worm's code has revealed that fatal bugs keep both worms from propagating
successfully," said Denis Zenkin of Kaspersky Labs. "However, it is highly possible that similar worms, with a more capable
malicious program posing as the aforementioned subject, could appear in the future. Due to this fact, Kaspersky Labs recommends
that users not open any attached files in which "anthrax" (or, "antrax" in Spanish) is mentioned."
17/10/2001 Anthrax E-mail Worm Poses Little Threat -
We knew this would happen sooner
or later: some script kiddie thought it'd be clever to create a worm that exploits the latest Anthrax scare. Formally known
as "VBS.VBSWG.AF", this new worm is attached to e-mails with the subject "Antrax" [sic] and a message body written in Spanish.
The attachment is a .vbs script that tries to overwrite system files and e-mail itself to all the contacts in your Outlook
address book. But fortunately, the Anthrax worm has a coding error which impairs its ability to spread, so it isn't expected
to cause widespread damage. Also, most anti-virus scanners will already detect it since it was created with the popular VBS
Worm Generator program.