Information Security News mailing list archives

Anthrax worm fails to spread on 'net


From: InfoSec News <isn () c4i org>
Date: Fri, 19 Oct 2001 13:21:40 -0500 (CDT)

Forwarded from: Nelson Murilo <nelson () pangeia com br>

http://www.idgnet.co.nz/webhome.nsf/UNID/F0EB966E15F4A1F8CC256AE9000B66B0!opendocument

Sam Costello, BOSTON

A new mass mailer worm, purporting to provide information about the
disease anthrax, has appeared on the internet, but is being hampered
because of a flaw in its design, antivirus companies said this week.

The worm has been found in both English and Spanish-language versions
and arrives in inboxes with a subject line that reads "Anthrax" or
"Antrax," according to both Moscow-based Kaspersky Labs and
California's Symantec.

Included is an attachment called Antraxinfo.vbs or Antraxjpg.vbs that
the message says is a picture of "the results" of Anthrax, but is
actually a .VBS (Visual Basic script) file used to execute the worm,
the companies say. When the file is double-clicked, the worm attempts
to overwrite all system files ending in .VBS and .VBE, as well as send
itself to all addresses listed in the system's Outlook address book,
they say. It may also attempt to overwrite a Script.INI file used by
chat clients, Symantec says.

However, because of a flaw in the way the worm is written, the worm
fails to spread as designed, both companies say.

The body text of the worm reads: "If you don't know what antrax is or
what the results of it are, please see the attached picture so that
you can see the results that it has. Note: the picture might be too
strong." In Spanish the worm says, "Si no sabes que es el antrax o
cuales son sus efectos aqui te mando una foto para que veas los
efectos que tiene. Nota: la foto esta un poco fuerte."

The design of the worm's message attempts to play upon heightened
public awareness in the United States about anthrax after a rash of
infections and scares about the disease in the last week.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
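A defender's view of the indicators the article lists, as an added example that is not part of the original post or any antivirus vendor's signature: a Python check that flags a message by the reported subject lines and attachment names and, more generally, any attachment whose final extension is .vbs or .vbe regardless of the MIME type it declares. The function names, addresses and sample messages are constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators reported in the article above (compared case-insensitively).
SUBJECTS = {"anthrax", "antrax"}
ATTACHMENT_NAMES = {"antraxinfo.vbs", "antraxjpg.vbs"}
SCRIPT_EXTS = {".vbs", ".vbe"}  # the script types the article names


def scan_message(raw: bytes) -> list:
    """Return findings for one raw RFC 5322 message (empty list = clean)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in SUBJECTS:  # weak signal alone: the word is also legitimate
        findings.append("subject:" + subject)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Drop any path, then the trailing dots/spaces Windows ignores.
        base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
        if base in ATTACHMENT_NAMES:
            findings.append("known-name:" + base)
        # Judge by the final extension, not the declared Content-Type:
        # the worm's mail claims the file is a picture.
        if os.path.splitext(base)[1] in SCRIPT_EXTS:
            findings.append("script-attachment:" + base)
    return findings


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test mail whose attachment is declared as image/jpeg."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("constructed body text")
    m.add_attachment(b"constructed placeholder bytes",
                     maintype="image", subtype="jpeg", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("Antrax", "Antraxinfo.vbs"), ("Holiday", "beach.jpg.VBE"),
                        ("Report", "chart.png")]:
        print(subj, fname, scan_message(build_sample(subj, fname)))
```

The extension rule is the durable part: it still fires when the subject or file name changes, while the subject match on its own would also hit legitimate mail about the disease.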
