RealTime IT News

Anthrax Spreading on the Internet?

Security firms Tuesday warned that two worms have been discovered in the wild that attempt to play on recipients' fears concerning Anthrax. However, the firms also gave the worms a low threat assessment, noting that fatal bugs keep either worm from propagating successfully.

The e-mails that deliver the worms are both written in Spanish, and were created using the "VBSWG" virus generator that has been used to create other script-viruses in the "Lee" family of viruses, including the wide-spread Anna Kournikova worm. The e-mails arrive with the subjects "Informacion Sobre El Antrax," or "Antrax Info."

Russian security firm Kaspersky Labs said both worms can be delivered to computers via IRC channels (possibly under the client names mIRC or pIRCh), and that in all cases the infected files have the names ANTRAXINFO.VBS or ANTRAX.JPG.VBS.

Symantec said the body of one of the e-mails, in translation, says, "If you don't know what anthrax is or what the results of it are, please see the attached picture so that you can see the results that it has. Note: the picture might be too strong."

Kaspersky Labs said that when an infected file is launched, the worms destroy all files on a computer with the VBS and BVE extensions and write their own copies instead. They also attempt to send copies of themselves, via MAPI e-mail, to all listings in the victim's Microsoft Outlook address book, but fail due to bugs in the script.

"Detailed analysis of the worm's code has revealed that fatal bugs keep both worms from propagating successfully," said Denis Zenkin of Kaspersky Labs. "However, it is highly possible that similar worms, with a more capable malicious program posing as the aforementioned subject, could appear in the future. Due to this fact, Kaspersky Labs recommends that users not open any attached files in which "anthrax" (or, "antrax" in Spanish) is mentioned."