Worm_anig.b

Discussion in 'malware problems & news' started by Randy_Bell, Apr 17, 2004.

Thread Status:
Not open for further replies.
Randy_Bell (Registered Member; joined May 24, 2002; 3,004 posts; Santa Clara, CA) wrote:

    WORM_ANIG.B is a non-destructive, memory-resident worm that is currently spreading in-the-wild. It propagates by dropping copies of itself in shared network drives. This malware steals logon information via a keylogger, and saves the logon information in a file that can be retrieved by a remote user. This malware runs on Windows NT, 2000, and XP.

    Upon execution, this memory-resident worm drops a copy of itself using the file name NTOSA32.EXE in the Windows system folder. It creates a registry entry that allows it to automatically execute at every system startup. It adds another registry entry that allows it to execute as a service each time Windows starts. It uses “Disdributed File Controller” as its service display name.

    This malware propagates via shared network drives. It attempts to copy itself as the file \ADMIN$\System32\NTOSA32.EXE. It also sets up a keylogger component, drops the file NTGINA.DLL in the Windows system folder, and then creates a registry entry. This added registry entry also allows this worm to steal logon information. It saves the gathered data in the file NTKBH32.DLL, which can be found in the Windows system folder. It also listens to TCP port 5190 where it waits for remote commands, and attempts to use ICQ sessions to communicate with a malicious user.

    If you would like to scan your computer for WORM_ANIG.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_ANIG.B is detected and cleaned by Trend Micro pattern file #856 and above.
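As an added illustration (not part of Randy_Bell's post or Trend Micro's advisory), the indicators listed above can be turned into a simple host triage check. The inventory format, the `check_host` function and the sample hosts are all constructed for this example; note that TCP 5190 is also the normal ICQ/AIM port, so a listener there is only a weak signal unless NTOSA32.EXE owns it.

```python
# Indicators taken from the post above: dropped file names, the service
# display name (spelled as the worm registers it) and the command port.
WORM_FILES = {"ntosa32.exe", "ntgina.dll", "ntkbh32.dll"}
WORM_SERVICE_NAME = "disdributed file controller"
WORM_PORT = 5190  # also the legitimate ICQ/AIM port, hence the low-severity branch below


def check_host(inventory):
    """Return (severity, finding) tuples for a constructed host inventory.

    inventory keys (all hypothetical, built for this example):
      'system_files': file names present in the Windows system folder
      'services':     dicts with 'display_name' and 'image'
      'listeners':    dicts with 'proto', 'port' and owning 'image'
    """
    findings = []
    present = {f.lower() for f in inventory.get("system_files", [])} & WORM_FILES
    for name in sorted(present):
        findings.append(("high", f"dropped file present in system folder: {name}"))
    for svc in inventory.get("services", []):
        if svc.get("display_name", "").lower() == WORM_SERVICE_NAME:
            findings.append(("high", f"worm service display name registered, image {svc.get('image')}"))
    for lst in inventory.get("listeners", []):
        if lst.get("proto") == "tcp" and lst.get("port") == WORM_PORT:
            image = (lst.get("image") or "").lower()
            if "ntosa32.exe" in image:
                findings.append(("high", "NTOSA32.EXE listening on TCP 5190 (remote command channel)"))
            else:
                findings.append(("low", f"TCP 5190 listener owned by {image or 'unknown'}; confirm it is a real ICQ/AIM client"))
    return findings


# Constructed sample hosts: one showing every indicator, one clean host running a chat client.
INFECTED_HOST = {
    "system_files": ["kernel32.dll", "NTOSA32.EXE", "NTGINA.DLL", "NTKBH32.DLL"],
    "services": [{"display_name": "Disdributed File Controller", "image": r"C:\WINNT\system32\NTOSA32.EXE"}],
    "listeners": [{"proto": "tcp", "port": 5190, "image": r"C:\WINNT\system32\NTOSA32.EXE"}],
}
CLEAN_HOST = {
    "system_files": ["kernel32.dll", "msgina.dll"],
    "services": [{"display_name": "Distributed File System", "image": r"C:\WINNT\system32\svchost.exe"}],
    "listeners": [{"proto": "tcp", "port": 5190, "image": r"C:\Program Files\ICQ\icq.exe"}],
}

if __name__ == "__main__":
    for label, host in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        for severity, text in check_host(host):
            print(f"[{label}] {severity}: {text}")
```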