WebCrime

ANTHRAX ON THE INTERNET

boston.internet.com

October 17, 2001
Anthrax Spreading on the Internet?
By Thor Olavsrud

Security firms Tuesday warned that two worms have been discovered in the wild that attempt to play on recipients' fears concerning Anthrax. However, the firms also gave the worms a low threat assessment, noting that fatal bugs keep either worm from propagating successfully.

The e-mails that deliver the worms are both written in Spanish, and were created using the "VBSWG" virus generator that has been used to create other script viruses in the "Lee" family of viruses, including the widespread Anna Kournikova worm. The e-mails arrive with the subjects "Informacion Sobre El Antrax," or "Antrax Info."

Russian security firm Kaspersky Labs said both worms can be delivered to computers via IRC channels (possibly under the client names mIRC or pIRCh), and that in all cases the infected files have the names ANTRAXINFO.VBS or ANTRAX.JPG.VBS.

Symantec said the body of one of the e-mails, in translation, says, "If you don't know what anthrax is or what the results of it are, please see the attached picture so that you can see the results that it has. Note: the picture might be too strong."

Kaspersky Labs said that when an infected file is launched, the worms destroy all files on a computer with the VBS and BVE extensions and write their own copies instead. They also attempt to send copies of themselves, via MAPI e-mail, to all listings in the victim's Microsoft Outlook address book, but fail due to bugs in the script.

"Detailed analysis of the worm's code has revealed that fatal bugs keep both worms from propagating successfully," said Denis Zenkin of Kaspersky Labs. "However, it is highly possible that similar worms, with a more capable malicious program posing as the aforementioned subject, could appear in the future. Due to this fact, Kaspersky Labs recommends that users not open any attached files in which 'anthrax' (or, 'antrax' in Spanish) is mentioned."

17/10/2001 Anthrax E-mail Worm Poses Little Threat

We knew this would happen sooner or later: some script kiddie thought it'd be clever to create a worm that exploits the latest Anthrax scare. Formally known as "VBS.VBSWG.AF", this new worm is attached to e-mails with the subject "Antrax" [sic] and a message body written in Spanish. The attachment is a .vbs script that tries to overwrite system files and e-mail itself to all the contacts in your Outlook address book. But fortunately, the Anthrax worm has a coding error which impairs its ability to spread, so it isn't expected to cause widespread damage. Also, most anti-virus scanners will already detect it since it was created with the popular VBS Worm Generator program.
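The indicators reported in both items above (a script attachment, a picture extension placed in front of `.VBS`, and the "anthrax"/"antrax" lure) can be checked at a mail gateway before a user ever sees the message. The following is an added example, not code from the articles or the vendors quoted; the extension lists, function names and sample messages are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions handled by Windows Script Host (list is an assumption).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Harmless-looking extensions used as the visible decoy (list is an assumption).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}
# Lure words named in the Kaspersky recommendation above.
LURE_WORDS = ("anthrax", "antrax")

def triage(raw_message: bytes) -> list[str]:
    """Return quarantine reasons for one message; an empty list means pass."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", "")).lower()
    reasons = []
    for part in msg.walk():  # walk() also reaches attachments in nested multiparts
        raw_name = part.get_filename()  # decodes RFC 2231 / RFC 2047 names
        if not raw_name:
            continue
        # Windows ignores trailing dots and spaces, so strip them before testing.
        name = raw_name.lower().rstrip(" .")
        suffixes = PurePosixPath(name).suffixes
        is_script = bool(suffixes) and suffixes[-1] in SCRIPT_EXTS
        if is_script:
            reasons.append(f"script attachment: {name}")
        if is_script and len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
            reasons.append(f"decoy extension hides script: {name}")
        if any(w in name for w in LURE_WORDS) or (
            is_script and any(w in subject for w in LURE_WORDS)
        ):
            reasons.append(f"lure keyword with attachment: {name}")
    return reasons

def sample(subject: str, filename: str) -> bytes:
    """Build a constructed message with an inert placeholder attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fn in [("Informacion Sobre El Antrax", "ANTRAX.JPG.VBS"),
                     ("Antrax Info", "ANTRAXINFO.VBS"), ("Photos", "beach.jpg")]:
        print(fn, "->", triage(sample(subj, fn)))
```

Blocking on the script extension alone would have stopped both worms; the decoy and lure checks only add context for the analyst reviewing the quarantine.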
