Class Email-Worm
Platform Win32

Technical Details

This is a virus-worm that spreads via Internet channels attached to e-mail
messages as the SUPPL.DOC MS Word97 document. It was posted to several
newsgroups in September 1999. This document was created by using the Russian MS
Word97 edition, which means that the worm has Russian or xUSSR origin.

To install itself to the system, the worm uses a method that does not work
under WinNT, and as a result, the worm is able to infect and spread itself from
Win9x systems only.

The worm has a very dangerous payload: in one week after infecting a
computer, the worm erases, on local and remote drives, the files with
the following extensions:


The method of erasing is the same that was used by
worm, and damaged files are not recoverable.


The infected document has just one macro Document_Open that is
automatically executed when MS Word opens the document. This macro copies
its document to the Windows system directory with the ANTHRAX.INI name,
then drops its DLL component (that is stored in the infected document) to
the same directory with the DLL.TMP name. This DLL component is dropped via
a compressed temporary DLL.LZH file.

The worm then adds renaming instructions to the WININIT.INI file. These
instructions rename the WSOCK32.DLL with WSOCK33.DLL name and replace the
WSOCK32.DLL with worm’s DLL.TMP library. This trick causes Windows to
replace its WSOCK32.DLL with a worm copy upon the next Windows restart.

On initializing its DLLs Windows loads infected (worm’s) DLL instead of
original ones, and as a result, the worm gets access to network functions.


On next Windows restart, the infected WSOCK32.DLL is loaded into the system
memory and gets control. The worm at this moment gets access and intercepts
all necessary library functions that the original WSOCK32 library does. For
all of them except two, the worm just forwards requests to original
functions, and for this purpose, the worm also loads the WSOCK33.DLL
(original library) into the Windows memory.

The two functions are processed by the virus: their names are “send” and
“connect”. By using these functions, the worm intercepts sent emails from the infected computer, and attaches its copy to these e-mails as the