1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
    4. I-Worm.Atak.b

I-Worm.Atak.b

Summary

A variant of the Atak worm was found on Friday 16th of July. It includes a list of security software it will attempt to terminate if found and composes more elaborate emails. It also performs a DDoS attack against www.techtv.com

Detailed Description

The worm will create a mutex named "SloperV2mtx-e-Machine" to avoid running more than once simultaneously.

It will copy itself to: 

 %SysDir%\SVRHOST.EXE


Where %SysDir% is the local Windows System folder. First the worm attempts to create the file and then deletes it, finally copying itself to such location.



It will add an entry to the win.ini file using the Windows API call WritePrivateProfileStringA from the Kernel32.dll. The entry will have the form: 

 [windows]
 load="%SysDir%\SVRHOST.EXE"


Which will make Windows execute the worm on startup.



This variant also attempts to find out whether there's a debugger loaded, if one is found the following string is shown in a message box: 

 lol! try to dig me?


As in the previous variant, the following string is contained within the worm's body: 

 -={ 4tt4(k 4g4!n$t N3tSky, B34gl3, MyD00m, L0vG4t3, N4ch!, Bl4st3r }=-


Some of the worm's text strings are scrambled by doing a logical NOT operation on each of their characters.

Email spreading

The messages will have any of the following subjects: 

 dont understand!!
 (disappear)
 (empty)
 what the tuut!!
 hurry up !!!
 got my file!
 big ears!
 home sweet home!?
 rate this!
 ginie file!
 wrong file!
 huh!
 you again!
 I know you!!
 always smile ;-D
 gotcha! ;-)
 happy!
 vote me again!
 thank for the idea
 Fwd:
 Re:
 hi!
 Warning!
 Report
 interesting
 hmmm..
 varios
 keep plz!
 known issue
 the sender
 History
 Top 10 Hoax!
 Keep Up to date
 Familiar
 New Website
 Your Account
 Reserved for you
 Product Update
 greet
 bad news
 happy go lucky
 plz help us
 helo
 Expected!




The worm will collect e-mail address from files with extensions: 

 .wab
 .adb
 .tbb
 .html
 .xml
 .cfg
 .vbs
 .msg
 .dbx
 .uin
 .jsp
 .asp
 .cgi
 .php
 .sht
 .mht
 .ods
 .log
 .htm
 .mbx
 .nch
 .eml
 .txt


The worm has its own SMTP engine which will use to deliver the infected emails.

Denial of service attack

Starting from the 8th of August the worm will attempt a DDoS attack against www.techtv.com. The worm resolves the hostname, it is not based on a hardcoded IP address.



Detection

F-Secure Anti-Virus detects Atak.b with the following update:

[FSAV_Database_Version]


Version=2004-07-16_01

Technical Details: Ero Carrera, July 16th, 2004;

F-Secure Corporation