Email-Worm.Win32.Anap or Anap is a worm that spreads through email.
Anap is a virus-worm that spreads via the Internet. The worm itself is a Windows EXE file about 16Kb in length. It is transferred via the Net in e-mail messages with an infected attachment with the SETUP.EXE name. When such a message is received and the attached EXE file is executed, the worm gets control and starts its spreading routine. This routine scans a Windows temporary file and an Explorer personal folder ("My Documents" as default) for HTML and HTTP files, scans them and searches for e-mail addresses in a file body. When such addresses are located, the worm connects to the network by using SMTP protocol and sends its copy to these e-mail addresses.
The worm sends its copy to up to ten times (addresses) upon each start. It does not install itself into the system and is executed only once - when a user activates the file attached to the infected message. So, compared to other Internet worms known at the moment, this worm is the sample of "nonresident, direct action" Internet Worm.
While generating an infected e-mail, the worm fills the fields. The "from:" field has three parts, each part is randomly selected from the following variants:
Jhon Mark Bill Frank Sam Eva Carla Joan Jean Sophie M. C. T. R. Smith Woodruf Brown Steel Driver Seldon Forge Stab McAndrew Gregor
for example, "from: Sam T. Brown". The "mail from:" field is randomly selected from five variants:
<firstname.lastname@example.org>, <email@example.com>, <firstname.lastname@example.org>, <email@example.com>, <firstname.lastname@example.org>
The "Subject" field contains just one word: "Patch". The message itself contains the text:
This is the patch you asked for.
To hide its activity, the worm displays a fake error message at the end of its work:
Setup Integrity check failed due to: bad data transmision or bad disk access.
On the 5th of any month, the worm also displays the message:
i-worm.Anaphylaxis coded by Bumblebee/29a This is an i-worm. Don't worry, this is not a virus. But may occur the worm has been infected by a virus during its travel and both arrived to your computer. The way of the bee