New 'anthrax' email worm is a dud

An email worm trying to take advantage of people's fears of anthrax has flaws that make it unlikely to spread too far

A new computer worm that attempts to ride on the coattails of the anthrax scare emerged Tuesday, but numerous errors on the part of the program's author seem to have scuttled any chance the worm has to spread.

The worm is technically known as VBS.VBSWG.AF, or more colloquially as "Antrax." It was discovered in an email with a subject line that misspelled the name of the deadly anthrax disease as "Antrax." The email body also contains a message written in Spanish.

An English translation of the message provided by antivirus firm Symantec read: "If you don't know what antrax is or what the results of it are, please see the attached picture so that you can see the results that it has. Note: the picture might be too strong."

The worm is attached to the message as a Visual Basic Script (VBS) file, and had been created with the VBS Worm Generator -- the same point-and-click application that created the Anna Kournikova virus early this year.

However, this worm doesn't seem to be destined to become an Internet epidemic as was the Anna virus. First, most antivirus software can already detect worms created with the VBS Worm Generator program. Both Symantec's and NAI's antivirus software recognises the Antrax worm as a creation of that toolkit.

The backbreaker for this particular program: The script that emails the worm to every entry in a user's Microsoft Outlook address book has a flaw which prevents Antrax from spreading, the Symantec advisory said.

Anthrax -- a disease caused by bacteria that can often be fatal, especially if the spores are inhaled -- came to the public's attention as a potential bioweapon soon after the 11 September terrorist attacks on the World Trade Center and Pentagon. A photo editor at a newspaper in Boca Raton, Florida, died earlier this month after inhaling a form of anthrax, sparking concerns among many people that the sudden spread of the disease was part of a terrorist plot.

In the past two weeks, numerous envelopes containing anthrax spores have been delivered to NBC Nightly News and ABC News in New York, a Microsoft office in Nevada and Senator Tom Daschle's office in Washington D.C.

As the disease has captured the public's attention and has raised safety concerns, the author of the Antrax worm seems to have attempted to piggyback on those fears.

At least one antivirus company has publicised the worm as a threat. Central Command on Tuesday published incomplete details of the worm, indicating that it could spread by both email and the Internet relay chat (IRC) system used by people to send messages in real time.

Yet, while rival Symantec confirmed the worm could potentially spread through IRC, the company's analysis of the broken email script led it to assign the worm a threat of "1" -- the lowest rating.

Supporting the analysis, mail service provider MessageLabs, which publishes data on the email attachments captured by its security software, did not include the Antrax worm in its list of top 10 captured files for the day, indicating that it had not spread.

In addition, antivirus firm Trend Micro, which also publishes data on the most prevalent viruses cleaned from computer systems by its HouseCall program, did not list the worm.

See the Viruses and Hacking News Section for the latest headlines.

See the Net Crime News Section for the latest on hacking, fraud, viruses and related issues.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.