New anthrax worm is a dud

A computer worm attempts to ride on the coattails of the anthrax scare, but multiple author errors stymie its spread.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
A new computer worm that attempts to ride on the coattails of the anthrax scare emerged Tuesday, but numerous errors on the part of the program's author seem to have scuttled any chance the worm has to spread.

The worm is technically known as VBS.VBSWG.AF, or more colloquially as "Antrax." It was discovered in an e-mail with a subject line that used the Spanish spelling--"Antrax"--of the name of the deadly anthrax disease. The e-mail body also contains a message written in Spanish.

An English translation of the message provided by antivirus firm Symantec read: "If you don't know what antrax is or what the results of it are, please see the attached picture so that you can see the results that it has. Note: the picture might be too strong."

The worm is attached to the message as a Visual Basic Script (VBS) file, and had been created with the VBS Worm Generator--the same point-and-click application that created the Anna Kournikova virus early this year.

However, this worm doesn't seem to be destined to become an Internet epidemic as was the Anna virus. First, most antivirus software can already detect worms created with the VBS Worm Generator program. Both Symantec's and NAI's antivirus software recognizes the Antrax worm as a creation of that toolkit.

The backbreaker for this particular program: The script that sends the worm via e-mail to every entry in a user's Microsoft Outlook address book has a flaw which prevents Antrax from spreading, the Symantec advisory said.

Anthrax--a disease caused by bacteria that can often be fatal, especially if the spores are inhaled--came to the public's attention as a potential bio-weapon soon after the Sept. 11 terrorist attacks on the World Trade Center and Pentagon. A photo editor at a newspaper in Boca Raton, Fla., died earlier this month after inhaling a form of anthrax, sparking concerns among many people that the sudden spread of the disease was part of a terrorist plot.

In the past two weeks, numerous envelopes containing anthrax spores were delivered to NBC Nightly News and ABC News in New York, a Microsoft office in Nevada and Sen. Tom Daschle's office in Washington, D.C.

As the disease has captured the public's attention and has raised safety concerns, the author of the Antrax worm seems to have attempted to piggyback on those fears.

At least one antivirus company has publicized the worm as a threat. Central Command on Tuesday published incomplete details of the worm, indicating that it could spread by both e-mail and the Internet relay chat (IRC) system used by people to send messages in real time.

Yet, while rival Symantec confirmed the worm could potentially spread through IRC, the company's analysis of the broken e-mail script led it to assign the worm a threat of "1"--the lowest rating.

Supporting the analysis, mail service provider MessageLabs, which publishes data on the e-mail attachments captured by its security software, did not include the Antrax worm in its list of top 10 captured files for the day, indicating that it had not spread.

In addition, antivirus firm Trend Micro, which also publishes data on the most prevalent viruses cleaned from computer systems by its HouseCall program, did not list the worm.