[iwar] [fc:Trojan.horse.scanner.pitch.is.a.sneaky.worm]

From: Fred Cohen (fc@all.net)
Date: 2001-10-30 06:11:58


Return-Path: <sentto-279987-3637-1004451115-fc=all.net@returns.onelist.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Tue, 30 Oct 2001 06:13:08 -0800 (PST)
Received: (qmail 354 invoked by uid 510); 30 Oct 2001 14:11:12 -0000
Received: from n30.groups.yahoo.com (216.115.96.80) by 204.181.12.215 with SMTP; 30 Oct 2001 14:11:12 -0000
X-eGroups-Return: sentto-279987-3637-1004451115-fc=all.net@returns.onelist.com
Received: from [10.1.4.53] by n30.groups.yahoo.com with NNFMP; 30 Oct 2001 14:11:55 -0000
X-Sender: fc@red.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-8_0_0_1); 30 Oct 2001 14:11:55 -0000
Received: (qmail 16619 invoked from network); 30 Oct 2001 14:11:54 -0000
Received: from unknown (10.1.10.142) by l7.egroups.com with QMQP; 30 Oct 2001 14:11:54 -0000
Received: from unknown (HELO red.all.net) (65.0.156.78) by mta3 with SMTP; 30 Oct 2001 14:11:54 -0000
Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id f9UEBwm16941 for iwar@onelist.com; Tue, 30 Oct 2001 06:11:58 -0800
Message-Id: <200110301411.f9UEBwm16941@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
From: Fred Cohen <fc@all.net>
X-Yahoo-Profile: fcallnet
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Tue, 30 Oct 2001 06:11:58 -0800 (PST)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [fc:Trojan.horse.scanner.pitch.is.a.sneaky.worm]
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit

Trojan horse scanner pitch is a sneaky worm

By Robert Vamosi, ZDNet Reviews, 10/29/2001
http://dailynews.yahoo.com/h/zd/20011026/tc/trojan_horse_scanner_pitch_is_a_sneaky_worm_1.html

An e-mail announcing a new Trojan horse scanner is itself an Internet
worm that could flood e-mail servers with useless mail.

With more people connected to the Internet all the time, the danger of
Trojan horses, malicious programs that communicate passwords and other
private information to others on the Internet, is very real. Antset is a
worm that arrives by e-mail and claims to be a Trojan horse scanner. It
is not. At least three variations of Antset (W32.Anset.A@mm,
W32.Anset.B@mm, and W32.Anset.C@mm) are floating around the Internet.
Antset is capable only of sending multiple e-mail messages and does not
damage PCs, so this worm ranks a 4 on the ZDNet Virus Meter.

How it works

Antset arrives as an e-mail solicitation for a Trojan horse
scanner. The subject line reads "ANTS Version 3.0." The body text for
the original worm is in German, and reads: "Hi, Anhängend die neue
Version 3.0 von ANTS, dem bislang einzigartigen kostenlosen
Trojanerscanner. Zum installieren einfach die angefügte Datei
ausführen." The English translation reads: "Hi, attached you will find
the brand new version 3.0 of ANTS, the unique freeware Trojan scanner.
To install ANTS, simply run the attached setup file." The body text
concludes with the following salutation: "Adieu, Andreas
webmaster@avnetwork.de http://www.ants-online.de." The named Web site is
legitimate but contains a disclaimer regarding this worm. Antset also
contains an attachment named ants3set.exe.

If a user clicks the attached file, Antset searches the Microsoft
Outlook address book for addresses to which to send copies of itself,
then looks for more e-mail addresses within the following file types:
PHP, HTM, SHTM, CGI, and PL.
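The article gives two fixed indicators for this worm, the subject line "ANTS Version 3.0" and the attachment name ants3set.exe. The following is an added example, not part of the ZDNet article or of any vendor's signature set: a mail-gateway style check that parses an RFC 822 message with Python's standard email library and reports which of those two indicators it carries. The sample messages are constructed inline; the sender and recipient addresses and the attachment bytes are placeholders.

```python
# Added example: match the Antset indicators named in the article
# (subject "ANTS Version 3.0", attachment "ants3set.exe") in a parsed
# e-mail message. Sample messages below are constructed for the demo.
import email
from email import policy
from email.message import EmailMessage

ANTSET_SUBJECT = "ANTS Version 3.0"     # subject line quoted in the article
ANTSET_ATTACHMENT = "ants3set.exe"      # attachment name quoted in the article


def antset_indicators(raw_message):
    """Return a list of matched indicators for an RFC 822 message string.

    An empty list means neither the subject nor the attachment name matched.
    Comparison is case-insensitive so trivial re-casing does not evade it.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject.lower() == ANTSET_SUBJECT.lower():
        hits.append("subject:" + subject)
    # walk() visits every MIME part, including nested multiparts
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower() == ANTSET_ATTACHMENT:
            hits.append("attachment:" + filename)
    return hits


def build_sample(subject, attachment_name=None):
    """Construct a sample message (placeholder addresses and attachment bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # placeholder address
    msg["To"] = "recipient@example.invalid"     # placeholder address
    msg["Subject"] = subject
    msg.set_content("Hi, attached you will find the brand new version 3.0 "
                    "of ANTS, the unique freeware Trojan scanner.")
    if attachment_name:
        # placeholder payload: not a real executable, just an MZ header stub
        msg.add_attachment(b"MZ" + b"\x00" * 14,
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    print(antset_indicators(build_sample("ANTS Version 3.0", "ants3set.exe")))
    print(antset_indicators(build_sample("Quarterly report", "report.pdf")))
```

Either indicator on its own is reported, so a message that keeps the attachment but changes the subject is still flagged; a gateway rule built on this would normally quarantine on the attachment name alone, since the subject is the easier of the two for a variant to change.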

Worms like Antset usually contain a Registry key that prevents the worm
from installing itself more than once. Antset does not have this feature
and could produce multiple Registry entries and numerous extra files in
the Windows subdirectory. Antset also has a few programming bugs that
affect its ability to spread and may not function on all Windows
computers.

Removal

Most antivirus software companies have updated their signature
files to include this worm. For more information on removing Antset from
your system, see Kaspersky, McAfee, Sophos, Symantec, and Trend Micro.


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:58 PST