Security firms Tuesday warned that two worms have been discovered in the wild that attempt to play on recipients’ fears concerning
Anthrax. However, the firms also gave the worms a low threat assessment, noting that fatal bugs keep either worm from propagating
successfully.
The e-mails that deliver the worms are both written in Spanish, and were created using the “VBSWG” virus generator that has been
used to create other script-viruses in the “Lee” family of viruses, including the wide-spread Anna Kournikova worm. The e-mails
arrive with the subjects “Informacion Sobre El Antrax,” or “Antrax Info.”
Russian security firm Kaspersky Labs said both worms can be delivered to computers via IRC channels (possibly under the client names
mIRC or pIRCh), and that in all cases the infected files have the names ANTRAXINFO.VBS or ANTRAX.JPG.VBS.
Symantec said the body of one of the e-mails, in translation, says, “If you don’t know what anthrax is or what the results of it
are, please see the attached picture so that you can see the results that it has. Note: the picture might be too strong.”
Kaspersky Labs said that when an infected file is launched, the worms destroy all files on a computer with the VBS and BVE
extensions and write their own copies instead. They also attempt to send copies of themselves, via MAPI e-mail, to all listings in
the victim’s Microsoft Outlook address book, but fail due to bugs in the script.
“Detailed analysis of the worm’s code has revealed that fatal bugs keep both worms from propagating successfully,” said Denis Zenkin
of Kaspersky Labs. “However, it is highly possible that similar worms, with a more capable malicious program posing as the
aforementioned subject, could appear in the future. Due to this fact, Kaspersky Labs recommends that users not open any attached
files in which “anthrax” (or, “antrax” in Spanish) is mentioned.”