A new mass-mailer worm, purporting to provide information about the disease anthrax, has appeared on the Internet, but is being hampered because of a flaw in its design, antivirus companies said Wednesday.
The worm has been found in both English and Spanish-language versions and arrives in inboxes with a subject line that reads “Anthrax” or “Antrax,” according to both Moscow-based Kaspersky Labs Ltd. and California’s Symantec Corp.
Included is an attachment called Antraxinfo.vbs or Antraxjpg.vbs that the message says is a picture of “the results” of Anthrax, but is actually a .VBS (Visual Basic script) file used to execute the worm, the companies said. When the file is double-clicked, the worm attempts to overwrite all system files ending in .VBS and .VBE, as well as send itself to all addresses listed in the system’s Outlook address book, they said. It may also attempt to overwrite a Script.INI file used by chat clients, Symantec said.
However, because of a flaw in the way the worm is written, the worm fails to spread as designed, both companies said.
The body text of the worm reads: “If you don’t know what antrax is or what the results of it are, please see the attached picture so that you can see the results that it has. Note: the picture might be too strong.”
In Spanish the worm says, “Si no sabes que es el antrax o cuales son sus efectos aqui te mando una foto para que veas los efectos que tiene. Nota: la foto esta un poco fuerte.”
The design of the worm’s message attempts to play upon heightened public awareness in the United States about anthrax after a rash of infections and scares about the disease in the last week.
One person in Florida has died from the inhalation form of anthrax, while 13 in New York and Florida have tested positive to exposure, although some of those tests may yet turn out to be negative because preliminary tests can result in false positive results. Four confirmed cases of anthrax illness have been reported.
The U.S. Capitol complex, home to the House of Representatives and the Senate, closed Wednesday, and will remain so until next Tuesday so that it can be checked for anthrax bacteria spores.
A wing of a U.S. Senate office building was closed Tuesday and authorities started screening and treating hundreds of people there for possible exposure after test results on a letter sent to Senate Majority Leader Tom Daschle came back positive for anthrax.
Kaspersky, in Moscow, is at http://www.kaspersky.com/.
Symantec, in Cupertino, Calif., is at http://www.symantec.com.
