
New Anset Worm Poses As Helpful Trojan Sweeper

by Majik on October 26th, 2001

Anti-virus companies are warning PC users about a new Internet worm that arrives disguised as a helpful Trojan clean-up tool. And while the worm, which experts are calling Anset, is not particularly harmful, they say it may be able to spread relatively quickly via e-mail.

The Symantec Security Response team reported that Anset (W32.Anset.Worm and at least two other variations) arrives as an e-mail attachment, billing itself as a freeware scanner called ANTS that is capable of scanning Windows-based systems for rogue Trojan programs.

However, the attached file - Ants3set.exe - is a Trojan itself and, when run, releases a worm that attempts to send more copies to contacts found in the address book of Microsoft Outlook Express users.

E-mail bearing the Anset payload can arrive with the subject line "ANTS Version 3.0" and contains explanatory text in both German and English. The English version reads:

"Attached you will find the brand new Version 3.0 of ANTS, the unique freeware Trojan scanner. To install ANTS simply run the attached setup file."
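A mail-gateway check for the two message-level indicators named above (the subject line and the attachment name), as an added example that is not part of the original article. The function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the article; compared case-insensitively.
ANSET_SUBJECT = "ants version 3.0"
ANSET_ATTACHMENT = "ants3set.exe"


def anset_indicators(raw_message: bytes) -> list:
    """Return which of the article's Anset indicators appear in one message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # policy.default decodes RFC 2047 encoded-words, so an encoded
    # subject is compared in its readable form.
    subject = str(msg.get("Subject", ""))
    if ANSET_SUBJECT in subject.lower():
        hits.append("subject")
    # Walk every MIME part so an attachment nested in a multipart
    # container is still inspected.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() == ANSET_ATTACHMENT:
            hits.append("attachment")
            break
    return hits


def build_sample(subject: str, filename: str) -> bytes:
    """Build a constructed test message; the attachment is inert bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("constructed body text")
    m.add_attachment(b"inert placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(anset_indicators(build_sample("ANTS Version 3.0", "Ants3set.exe")))
```

Exact-name matching only covers the sample described here; the article notes that at least two other variations exist, so a gateway would normally pair this with a general policy on executable attachments.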

Symantec said that the worm appears to have been written using the popular Delphi development platform, which is designed to help rapidly create Windows-compatible applications.

In addition to mailing copies of itself via Outlook, Anset also makes a copy of itself in the root Windows installation folder, saving its code under a randomly generated file name. reported that Anset then creates an entry in the Windows registry that is designed to cause the new copy of the worm in the Windows directory to run the next time the system is rebooted. pointed out that the next execution of the worm is likely to create another randomly named file in the Windows directory, and another corresponding registry entry.

McAfee also reported that Anset has the ability to communicate directly with mail servers rather than relying on Outlook's own mail-transfer capabilities.

The worm attempts to connect to the SMTP server found in the user's Outlook settings. Alternatively, it can use the addresses of more than a half-dozen apparently open-relay servers that are included in its own code.

However, reported that the worm has bugs that can cause it to fail while attempting to send mail.
