Warning - Internet worm.

2nd April 2007, 15:05
My security system has flagged up the following today. Please take note.

"An Internet worm using the new zero-day ANI exploit has been found. It modifies HTML pages to contain a link to a malicious ANI file. It also tries to spread via USB sticks and Chinese Language emails."

I do not understand what an ANI file is but just to warn the SN crew.


2nd April 2007, 15:53
A Trojan is being spread through Skype.It is a variant of the Warezov/Stration virus.
Skype users receive a message from a contact giving the address of a website suggesting that they check the page out.
When the page is visited they are asked to download and install a file. The file contains the Trojan.


non descript
2nd April 2007, 17:06
Thank you for the update - the entire BT Server network appears to be grinding to a halt through overload, it would possibly be a direct result of this virus attack.

Our email traffic has slowed to snail pace and BT just says "we have a problem with our servers" - now we can see why thanks to this.

3rd April 2007, 10:01
Thanks for the warning hawkeye. our server here is incredibly slow at the moment.
I have Skype but very rarely use it. think i will dump it now. thanks again mate.

3rd April 2007, 19:18
DLL's handling of Windows animated cursor (.ani) files that will allow a remote attacker to reliably overwrite the stack with arbitrary data and execute ...ANI is an animatedChinese Internet Security Response Team is reporting on a new worm using the ANI exploit to spread.

This is real and we've confirmed it: however, we've only received six customer reports so far.

We detect the main worm file as Trojan-Downloader.Win32.Agent.bkp and the files downloaded by the worm mostly as different variants of Trojan-PSW.Win32.OnLineGames.

The worm tries to locate all HTML files from the system and modifies them to insert a script that loads an ANI file from macr.microfsot.com. When such web page's files are viewed or uploaded to a web server, they will spread the infection further.

In addition to spreading via the ANI exploit, it also tries to spread via USB stick and other removable media.

An easy way to confirm an infection is the existence of tool.exe and autorun.inf in the root of every drive, or sysload3.exe dropped to the SYSTEM32 folder. Sysadmins can monitor their outgoing e-mail to spot this. Mails sent to addresses like 578392461@qq.com, 47823@qq.com, or 3876195@qq.com would indicate an infection. hope this helps as it show vunerablity in microsoft xp and vista software this is reported by F>Secure and other spyware sites

5th April 2007, 22:40
To us mere mortals, is there anything we can do to stop the cursor being manipulated by outside web pages or code? I had already decided to delete all references to skype from my laptop, and I intend to do the same with my new pc, when I get it up and running.
Best Wishes, Raymond

5th April 2007, 23:21

You need to be careful not to over-react to this sort of thing.

Make sure you have a decent Anti-virus program and that you get regular (I mean daily) updates automatically installed. And also make sure you have a decent spyware programme installed and have it scan your machine regularly. I have never had a problem with viruses, worms etc. since doing this. Though I am still cursed with spam, this can be lived with.

Skype is a useful tool - though if you don't use it you might as well delete it. Though on the other hand if you don't use it you ain't gonna be hit in this way anyway.

There are far more attacks that exploit holes in the Windows operating system and other programs; if you stop using everything is vulnerable you might as will give up using computers altogether. There are even attacks on Linux systems now so nothing is 100% safe.



6th April 2007, 01:35
Thank you Brian, sound advice, I do have all manner of security software in force, firewall, anti everything, especially the HOSTS file; it is just that I do object to my set up being taken over by any site, and that includes altering my cursor and browser colours and so on. From what I understood, html files are altered, allowing the nasty piece of work on to anyone that visits the html page? I just wish these people would channel their obvious intelligence and talent into something useful instead of destroying a step towards the Noosphere. Best Wishes, Raymond

9th November 2014, 01:59
not being a computer buff is there no easy way of getting rid of this Chinese crap i do have viper antivirus installed which is up there with the best and gets good reviews in computer mags thanks chasH

9th November 2014, 07:25
If you look at the date of the thread (2007) AV programs have come a long way since then, I doubt that you have anything to worry about.