FRISK Software International

Summary of W32/Anset.A@mm
Alias: Anset, Antes, I-Worm.Anset, Worm/Anset, Ants
Length: 179Kb - 186Kb
Discovered: 24 Oct 2001
Infection Method: Infected e-mail attachments

Brief Description
Anset is a worm that appeared in the wild on 24-25 October 2001 in Austria and Germany. The worm is a UPX-compressed Delphi file. Two variants are currently known: one is 186 kb long, the other 179 kb.

Technical Description
The worm usually arrives as an e-mail attachment named ANTS3SET.EXE. When a user runs the attachment, the worm copies itself to the \Windows\ directory under a random name (for example RTX.EXE or JNJSLLKE.EXE) and modifies the RunOnce subkey of the following Registry key:

The RunOnce subkey contains the name and path of the worm's file. This way the worm activates itself after the system reboots.

To spread, the worm collects e-mail addresses from the Outlook Address Book and from any *.PHP, *.HTM, *.SHTM, *.CGI and *.PL files it can find on local hard drives. Before spreading, the worm copies itself as ANTS3SET.EXE to the root folder of the C: drive. It then sends itself to every e-mail address it found on the infected system. The infected message, in both German and English, looks like this:

 From:          Andreas Haak
 Subject:       ANTS Version 3.0

        Anhängend die neue Version 3.0 von ANTS, dem bislang
        einzigartigen kostenlosen Trojanerscanner. Zum
        installieren einfach die angefügte Datei ausführen.

        Attached you will find the brand new Version 3.0 of ANTS,
        the unique freeware trojan scanner. To install ANTS
        simply run the attached setup file.

        Adieu, Andreas

The worm is attached to the infected message as the file ANTS3SET.EXE. The worm uses the following anonymous SMTP servers:

The Version resource of the worm states:

 CompanyName: e-brainstorm
 FileDescription: ANTS - A New Trojan Scanner
 LegalCopyright: Andreas Haak

Andreas Haak is a real person who makes trojan scanners. According to Andreas, someone used his name and the name of his program to create a worm.

[Analysis: Alexey Podrezov; F-Secure Corp.; October 25th, 2001]
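
The following Python functions, added here as an illustration and not part of the original description or of any vendor tooling, check a raw e-mail message for the traits listed above: the subject line, the ANTS3SET.EXE attachment name, an executable header, a UPX section name and the stated length. The function names, the verdict labels, the byte range used for the length and the sample message are assumptions constructed for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECT = "ants version 3.0"        # subject line quoted in the description
ATTACHMENT = "ants3set.exe"         # attachment name quoted in the description
SIZE_RANGE = (179_000, 191_000)     # assumption: "179Kb - 186Kb" read loosely, in bytes


def anset_traits(raw: bytes) -> list:
    """Return the traits from the description found in one raw e-mail message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        if (part.get_filename() or "").lower() != ATTACHMENT:
            continue
        data = part.get_payload(decode=True) or b""
        hits.append("attachment-name")
        if data[:2] == b"MZ":                  # DOS/PE executable header
            hits.append("executable")
        if b"UPX0" in data[:4096]:             # section name the UPX packer normally leaves
            hits.append("upx-section")
        if SIZE_RANGE[0] <= len(data) <= SIZE_RANGE[1]:
            hits.append("size")
    return hits


def verdict(raw: bytes) -> str:
    """Map the traits to a mail-gateway action (labels are assumptions)."""
    hits = anset_traits(raw)
    if "attachment-name" in hits and "executable" in hits:
        return "quarantine"
    return "review" if hits else "pass"


def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Constructed test message; the payload is inert filler, not worm code."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.com", subject
    m.set_content("Attached you will find the brand new Version 3.0 of ANTS.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


STUB = (b"MZ" + bytes(510) + b"UPX0").ljust(180 * 1024, b"\0")   # constructed, inert

if __name__ == "__main__":
    print(verdict(build_sample("ANTS Version 3.0", "ANTS3SET.EXE", STUB)))
    print(verdict(build_sample("Meeting notes", "notes.txt", b"hello")))
```

A message that matches only the subject is returned as "review" rather than "quarantine", since the subject alone also fits legitimate mail about the real ANTS scanner.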
