Virus Profile: W32/Anis.worm
Administrator
Risk Assessment

- Home Users: Low
- Corporate Users: Low

- Date Discovered: 1/3/2007
- Date Added: 1/3/2007
- Origin: N/A
- Length: N/A
- Type: Virus
- SubType: Worm
- DAT Required: 4931

Virus Family Statistics (over the past 30 days)

| Virus Name | Infected Files | Scanned Files | % Infected Computers |
|---|---|---|---|
| Danish Tiny | 15 | 273,295 | 0.00 |
| Danish Tiny.1000 | 3 | 8,770 | 0.00 |
| Danish Tiny.163a | 3 | 8,770 | 0.00 |
| Danish Tiny.163d | 3 | 8,770 | 0.00 |
| Danish Tiny.177 | 3 | 8,770 | 0.00 |
| Danish Tiny.180 | 3 | 8,770 | 0.00 |
| Danish Tiny.191 | 4 | 282,057 | 0.00 |
| Danish Tiny.251a | 3 | 8,770 | 0.00 |
| Danish Tiny.256 | 4 | 282,057 | 0.00 |
| Danish Tiny.282 | 3 | 8,770 | 0.00 |
| Danish Tiny.284a | 3 | 8,770 | 0.00 |
| Danish Tiny.286 | 3 | 8,770 | 0.00 |
| Danish Tiny.287 | 3 | 8,770 | 0.00 |
| Danish Tiny.289 | 0 | 0 | 0.00 |
| Danish Tiny.308 | 3 | 8,770 | 0.00 |
| Danish Tiny.310 | 3 | 8,770 | 0.00 |
| Danish Tiny.311a | 3 | 8,770 | 0.00 |
| Danish Tiny.333d | 5 | 8,772 | 0.00 |
| Danish Tiny.334 | 0 | 0 | 0.00 |
| X97M/Anis | 0 | 0 | 0.00 |

Virus Characteristics

W32/Anis.worm masquerades as the Microsoft Internet Explorer executable by using an icon similar to IE's. On execution, the worm tries to copy itself into the C:\%Program Files%\Internet Explorer directory with the file name iexp1ore.exe. This directory also contains iexplore.exe, which is the name of Microsoft's Internet Explorer executable and is not malicious. (Note the difference between the two names: the worm's file name has the digit 1 where the legitimate name has the letter l.)

It then creates shortcuts that appear to be linked to Internet Explorer but actually invoke both the worm and Internet Explorer. When a user opens the shortcut, an Internet Explorer window opens and the worm process (iexp1ore.exe) is also started in the background. The worm adds such shortcuts to the Quick Launch toolbar and to the user's desktop. The files added for this purpose are:

Its code suggests that it may try to contact 新闻中心首页_新浪网.

Indications of Infection

Presence of files and behavior as mentioned above.

Method of Infection

To entice users into executing it, the worm uses the executable name iexp1ore.exe and an icon similar to Microsoft Internet Explorer's, and also creates shortcuts to itself in the Quick Launch toolbar and on the user's desktop (as described in Characteristics).

W32/Anis.worm may propagate via shared folders. It can potentially get copied to remote machines via network shares and may have dropped an autorun.inf file to automatically execute it.

Removal Instructions

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Aliases

TROJ_AGENT.GCF (Trend Micro), Trojan Horse (Symantec), Worm.Win32.Agent.p (Kaspersky)
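The look-alike naming described in this profile (iexp1ore.exe placed beside iexplore.exe, and a possible autorun.inf on shares) can be checked for mechanically. The Python sketch below is an added example, not part of the original profile or of any vendor tool; the known-good list, the character folding table, and the sample paths and autorun.inf text are constructed assumptions.

```python
import ntpath

# Assumption: legitimate names to protect; extend for your environment.
KNOWN_GOOD = {"iexplore.exe", "explorer.exe", "svchost.exe"}
# Fold characters that are easily mistaken for each other in a file listing.
FOLD = str.maketrans({"1": "l", "i": "l", "0": "o"})


def skeleton(name):
    """Lower-case a file name and fold look-alike characters together."""
    return name.lower().translate(FOLD)


SKELETONS = {skeleton(n): n for n in KNOWN_GOOD}


def impersonated(path):
    """Return the known-good name a file imitates, or None."""
    name = ntpath.basename(path.strip().strip('"')).lower()
    if name in KNOWN_GOOD:
        return None  # exact match: this is the legitimate name itself
    return SKELETONS.get(skeleton(name))


def autorun_targets(text):
    """Yield the program named by open=/shellexecute= in autorun.inf text."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in ("open", "shellexecute"):
            yield value.strip()


def scan(paths, autorun_text=""):
    """Return sorted (path, imitated_name) pairs from a listing and autorun.inf."""
    candidates = list(paths) + list(autorun_targets(autorun_text))
    return sorted((p, impersonated(p)) for p in candidates if impersonated(p))


# Constructed sample data, not taken from a real host.
SAMPLE_PATHS = [
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Program Files\Internet Explorer\iexp1ore.exe",
    r"C:\Windows\notepad.exe",
]
SAMPLE_AUTORUN = "[autorun]\nopen=iexp1ore.exe\n"

if __name__ == "__main__":
    for path, real in scan(SAMPLE_PATHS, SAMPLE_AUTORUN):
        print(f"{path} imitates {real}")
```

The check flags a name only when it differs from a known-good name yet folds to the same skeleton, so the legitimate iexplore.exe in the same directory is not reported.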