[ISN] Anthrax worm fails to spread on 'net

From: InfoSec News (isnat_private)
Date: Fri Oct 19 2001 - 11:21:40 PDT

    Forwarded from: Nelson Murilo <nelsonat_private>

    Sam Costello, BOSTON

    A new mass mailer worm, purporting to provide information about the
    disease anthrax, has appeared on the internet, but is being hampered
    because of a flaw in its design, antivirus companies said this week.

    The worm has been found in both English and Spanish-language versions
    and arrives in inboxes with a subject line that reads "Anthrax" or
    "Antrax," according to both Moscow-based Kaspersky Labs and
    California's Symantec.

    Included is an attachment called Antraxinfo.vbs or Antraxjpg.vbs that
    the message says is a picture of "the results" of Anthrax, but is
    actually a .VBS (Visual Basic script) file used to execute the worm,
    the companies say. When the file is double-clicked, the worm attempts
    to overwrite all system files ending in .VBS and .VBE, as well as send
    itself to all addresses listed in the system's Outlook address book,
    they say. It may also attempt to overwrite a Script.INI file used by
    chat clients, Symantec says.

    However, because of a flaw in the way the worm is written, the worm
    fails to spread as designed, both companies say.

    The body text of the worm reads: "If you don't know what antrax is or
    what the results of it are, please see the attached picture so that
    you can see the results that it has. Note: the picture might be too
    strong." In Spanish the worm says, "Si no sabes que es el antrax o
    cuales son sus efectos aqui te mando una foto para que veas los
    efectos que tiene. Nota: la foto esta un poco fuerte."

    The design of the worm's message attempts to play upon heightened
    public awareness in the United States about anthrax after a rash of
    infections and scares about the disease in the last week.