Detailed Description
The worm will create a mutex named "mtxSSS" so that only one instance runs at a time.
It will copy itself to:
[CSIDL_SYSTEM]\a1g.exe
Where [CSIDL_SYSTEM] is the local Windows System folder.
It will add an entry to the win.ini file using the Windows API call
WritePrivateProfileStringA from Kernel32.dll.
The entry will have the form:
[windows]
load="[CSIDL_SYSTEM]\a1g.exe"
This entry makes Windows execute the worm on startup.
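The win.ini load= entry is the worm's only persistence mechanism described here, and on a clean system the [windows] load= and run= keys are normally empty, which makes them cheap to audit. The following is an added example for this description, not F-Secure's code: it parses win.ini text, reports every non-empty load=/run= entry under [windows], and marks an entry "known-bad" when the program name is the a1g.exe indicator from this page. The sample win.ini and the System folder path in it are constructed; check_live_win_ini() is only meaningful on a Windows host and assumes %SystemRoot%\win.ini.

```python
"""Check a win.ini file for auto-start entries of the kind Atak.D writes.

Added example for this description; it is not F-Secure's code. The only
indicator taken from the page is the file name a1g.exe registered under
[windows] load=. Paths in the sample are constructed.
"""
import os
from typing import Dict, List

# From the description above: the worm copies itself to [CSIDL_SYSTEM]\a1g.exe
# and points the win.ini load= entry at it.
KNOWN_BAD_NAMES = {"a1g.exe"}

# win.ini keys under [windows] that start a program at logon. On a clean
# system both are normally empty.
AUTOSTART_KEYS = ("load", "run")

# Constructed sample of a win.ini as the worm would leave it; the concrete
# System folder path is an assumption for illustration.
SAMPLE_WIN_INI = """[fonts]

[extensions]

[windows]
load="C:\\WINDOWS\\system32\\a1g.exe"
run=

[mci extensions]
mid=Sequencer
"""


def parse_win_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: {section (lower-case): {key (lower-case): value}}.

    Section and key names in win.ini are case-insensitive, so both are
    lower-cased; surrounding double quotes on values are removed.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip().strip('"')
    return sections


def find_autostart_entries(text: str) -> List[Dict[str, str]]:
    """Return every non-empty load=/run= entry of [windows] with a verdict.

    'known-bad' when the program name matches the indicator from this
    description, otherwise 'review' (any non-empty entry deserves a look).
    """
    findings = []
    windows = parse_win_ini(text).get("windows", {})
    for key in AUTOSTART_KEYS:
        value = windows.get(key, "")
        if not value:
            continue
        # Split on backslash or slash by hand: os.path.basename on a
        # non-Windows analysis host does not treat '\\' as a separator.
        program = value.replace("\\", "/").rsplit("/", 1)[-1].lower()
        verdict = "known-bad" if program in KNOWN_BAD_NAMES else "review"
        findings.append({"key": key, "value": value, "verdict": verdict})
    return findings


def check_live_win_ini() -> List[Dict[str, str]]:
    """Read %SystemRoot%\\win.ini on a Windows host and report its entries."""
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "win.ini")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_autostart_entries(fh.read())


if __name__ == "__main__":
    for finding in find_autostart_entries(SAMPLE_WIN_INI):
        print(f"[windows] {finding['key']}={finding['value']!r}: {finding['verdict']}")
```

The parser deliberately lower-cases section and key names, because win.ini is case-insensitive and a sample written as [Windows] or Load= must still be found; the program name is split by hand rather than with os.path.basename so the check also works when the file is examined on a non-Windows analysis machine.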
Email spreading
The messages will have any of the following subjects:
It's begin here!
First Match!
The message body will have the following appearance:
Hello [%username%]
Your request has been accepted.
Your account info:
>> Email: [%random string%]
>> Password: [%random string%]
Visit our website to get more info at: http://www.[%website%]
NOTE: All your account information has been attached as file and ready to be printed.
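Because the body template above has fixed wording around a few variable fields, it can be turned into a mail filter rule without relying on an exact-string match that the random strings would defeat. The following is an added example for this description, not F-Secure's code: it converts the template, with its [%...%] placeholders, into a regular expression with named capture groups, normalises whitespace so line wrapping does not matter, and classifies a message from its subject and body. The sample message is constructed, and the three-level verdict (match / weak / none) is this example's own choice.

```python
"""Turn the Atak.D message template above into a matcher for incoming mail.

Added example for this description, not F-Secure's code. The subjects and
the body template are the ones listed on this page; the [%...%] placeholders
become capture groups, so the variable parts (user name, random strings,
web site) are extracted instead of breaking an exact-string signature.
The sample message below is constructed.
"""
import re
from typing import Dict, Optional

SUBJECTS = {"It's begin here!", "First Match!"}

BODY_TEMPLATE = """Hello [%username%]
Your request has been accepted.
Your account info:
>> Email: [%random string%]
>> Password: [%random string%]
Visit our website to get more info at: http://www.[%website%]
NOTE: All your account information has been attached as file and ready to be printed."""

PLACEHOLDER = re.compile(r"\[%([^%]+)%\]")


def normalize(text: str) -> str:
    """Collapse all runs of whitespace so line wrapping does not matter."""
    return " ".join(text.split())


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Escape the literal text and replace each [%name%] with a named group.

    A placeholder name that repeats (here 'random string') gets a numeric
    suffix so every capture stays addressable.
    """
    template = normalize(template)
    parts = []
    seen: Dict[str, int] = {}
    pos = 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        name = re.sub(r"\W", "_", m.group(1))
        seen[name] = seen.get(name, 0) + 1
        group = name if seen[name] == 1 else f"{name}_{seen[name]}"
        parts.append(f"(?P<{group}>.+?)")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))


BODY_REGEX = template_to_regex(BODY_TEMPLATE)


def match_body(body: str) -> Optional[Dict[str, str]]:
    """Return the captured placeholder values if the body follows the template."""
    m = BODY_REGEX.search(normalize(body))
    return m.groupdict() if m else None


def classify(subject: str, body: str) -> Dict[str, object]:
    """'match' when the body follows the template, 'weak' on subject alone."""
    fields = match_body(body)
    if fields is not None:
        verdict = "match"
    elif subject.strip() in SUBJECTS:
        verdict = "weak"
    else:
        verdict = "none"
    return {"verdict": verdict, "fields": fields}


# Constructed sample of a message as the worm would send it.
SAMPLE_SUBJECT = "First Match!"
SAMPLE_BODY = """Hello jdoe
Your request has been accepted.
Your account info:
>> Email: qzr8xk
>> Password: p0wq2m
Visit our website to get more info at: http://www.example.net
NOTE: All your account information has been attached as file and ready to be printed."""

if __name__ == "__main__":
    print(classify(SAMPLE_SUBJECT, SAMPLE_BODY))
```

The subject on its own is only a weak signal, since both subjects are short, plausible phrases; the body template is the strong indicator, and the captured website field is useful as a further indicator to block or to look up in proxy logs.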
The worm will collect e-mail addresses from files with the following extensions:
log
eml
mht
dbx
asp
php
jsp
htm
txt
The worm has its own SMTP engine, which it uses to deliver the infected e-mails.
Detection
F-Secure Anti-Virus detects Atak.D with the following update:
[FSAV_Database_Version]
Version=2004-12-03_03
Technical Details:
Ero Carrera, December 3rd, 2004;
F-Secure Corporation