NEWS FROM THE LAB - Sunday, April 1, 2007

ANI worm Posted by Mikko @ 08:40 GMT


Chinese Internet Security Response Team is reporting on a new worm using the ANI exploit to spread.

This is real and we've confirmed it; however, we've only received six customer reports so far.

We detect the main worm file as Trojan-Downloader.Win32.Agent.bkp and the files downloaded by the worm mostly as different variants of Trojan-PSW.Win32.OnLineGames.

The worm tries to locate all HTML files on the system and modifies them to insert a script that loads an ANI file from macr.microfsot.com. When such modified pages are viewed locally or uploaded to a web server, they spread the infection further.

In addition to spreading via the ANI exploit, it also tries to spread via USB stick and other removable media.

An easy way to confirm an infection is the existence of tool.exe and autorun.inf in the root of every drive, or sysload3.exe dropped to the SYSTEM32 folder. Sysadmins can monitor their outgoing e-mail to spot this. Mails sent to addresses like 578392461@qq.com, 47823@qq.com, or 3876195@qq.com would indicate an infection.
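The indicators above turned into host-side checks, as an added example that is not the lab's own code: it flags HTML files whose script element references macr.microfsot.com, the dropped files in drive roots and SYSTEM32, and mail-log lines addressed to the listed qq.com accounts. The mail-log line format and the exact shape of the inserted script tag are assumptions; the post shows neither.

```python
import os, re, tempfile

INJECT_HOST = "macr.microfsot.com"  # host the inserted script loads the ANI file from
MAIL_IOCS = {"578392461@qq.com", "47823@qq.com", "3876195@qq.com"}
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)

def html_is_injected(html):
    """True if any <script> element in the page references INJECT_HOST (assumed tag shape)."""
    return any(INJECT_HOST in m.group(0).lower() for m in SCRIPT_RE.finditer(html))

def scan_html_tree(root):
    """Paths of .htm/.html files under root that carry the inserted script."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".htm", ".html")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if html_is_injected(fh.read()):
                        hits.append(path)
    return sorted(hits)

def dropped_file_indicators(drive_roots, system32):
    """Indicator files present: tool.exe plus autorun.inf in a drive root (e.g. C:\\), sysload3.exe in SYSTEM32."""
    found = [os.path.join(r, "tool.exe") for r in drive_roots
             if all(os.path.isfile(os.path.join(r, n)) for n in ("tool.exe", "autorun.inf"))]
    if os.path.isfile(os.path.join(system32, "sysload3.exe")):
        found.append(os.path.join(system32, "sysload3.exe"))
    return found

def mail_log_hits(log_lines):
    """Recipients from 'to=<addr>' fields (constructed log format) that match the qq.com indicators."""
    hits = re.findall(r"\bto=<([^>]+)>", "\n".join(log_lines))
    return [h.lower() for h in hits if h.lower() in MAIL_IOCS]

def demo():
    """Run the three checks over a constructed sample tree; returns their hit counts."""
    tmp = tempfile.mkdtemp()
    site, sys32 = os.path.join(tmp, "site"), os.path.join(tmp, "SYSTEM32")
    os.makedirs(site); os.makedirs(sys32)
    pages = {"index.html": '<p>hi</p><script src="http://macr.microfsot.com/1.js"></script>',
             "clean.html": "<p>hi</p><script>var a = 1;</script>"}
    for name, body in pages.items():
        with open(os.path.join(site, name), "w") as fh:
            fh.write(body)
    for path in ("tool.exe", "autorun.inf", os.path.join("SYSTEM32", "sysload3.exe")):
        open(os.path.join(tmp, path), "w").close()
    mail = ["Apr  1 08:40:01 mx postfix/qmgr[1]: 1A2B: from=<u@corp.example>, to=<578392461@qq.com>",
            "Apr  1 08:41:07 mx postfix/qmgr[1]: 1A2C: from=<u@corp.example>, to=<boss@corp.example>"]
    return len(scan_html_tree(site)), len(dropped_file_indicators([tmp], sys32)), len(mail_log_hits(mail))
```

On a real host, pass the actual drive roots and the SYSTEM32 path to dropped_file_indicators and the web root to scan_html_tree; a hit on any one check is enough to pull the machine for cleaning.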

For more information, see our description.