F-Secure Virus Descriptions : W32/Atak.D@mm




NAME: W32/Atak.D@mm

Summary

A new variant of the Atak worm was found on Friday, 3rd of December. Atak is a simple mass-mailer worm.

Detailed Description

The worm will create a mutex named "mtxSSS" to avoid running more than once simultaneously.

It will copy itself to:

 [CSIDL_SYSTEM]\a1g.exe

Where [CSIDL_SYSTEM] is the local Windows System folder.

It will add an entry to the win.ini file using the Windows API call WritePrivateProfileStringA exported by Kernel32.dll. The entry will have the form:

 [windows]
 load="[CSIDL_SYSTEM]\a1g.exe"

This entry makes Windows execute the worm at startup.
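The persistence mechanism above is a legacy win.ini autostart entry, so a defender can check for it by parsing win.ini and listing whatever is registered under the [windows] load= and run= keys. The script below is an added example, not F-Secure's code; it embeds a constructed win.ini that reflects the entry the worm writes (with the [CSIDL_SYSTEM] placeholder expanded to a typical C:\WINDOWS\system32 path, which is an assumption) and flags programs whose file name matches the worm's a1g.exe. The parser is deliberately tolerant of the quoted value the worm writes and of an empty run= line.

```python
"""Flag win.ini [windows] load= / run= autostart entries.

Added example (not F-Secure's code). Parses win.ini-style text and
reports the programs registered under the legacy 'load=' and 'run='
keys, which Windows still honours for 16-bit compatibility.
"""
import ntpath
import re

# Constructed sample: a win.ini as it would look after the worm has
# written its entry via WritePrivateProfileStringA. The [CSIDL_SYSTEM]
# placeholder from the description is expanded to an assumed path.
SAMPLE_WIN_INI = """\
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[windows]
load="C:\\WINDOWS\\system32\\a1g.exe"
run=
[MCI Extensions.BAK]
"""

# File name the worm copies itself to, taken from the description.
KNOWN_BAD_BASENAMES = {"a1g.exe"}

_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KEYVAL_RE = re.compile(r"^\s*([^=;]+?)\s*=\s*(.*?)\s*$")


def parse_ini(text):
    """Return {section_lower: {key_lower: value}} for INI-style text."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        m = _KEYVAL_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).lower()] = m.group(2)
    return sections


def autostart_entries(text):
    """List (key, program) pairs from [windows] load= and run=.

    Surrounding double quotes (as written by the worm) are stripped;
    empty values are ignored.
    """
    windows = parse_ini(text).get("windows", {})
    entries = []
    for key in ("load", "run"):
        value = windows.get(key, "").strip().strip('"')
        if value:
            entries.append((key, value))
    return entries


def suspicious_entries(text):
    """Return autostart entries whose file name is a known worm name."""
    return [(k, p) for k, p in autostart_entries(text)
            if ntpath.basename(p).lower() in KNOWN_BAD_BASENAMES]


if __name__ == "__main__":
    for key, program in autostart_entries(SAMPLE_WIN_INI):
        print(f"{key}= -> {program}")
    print("suspicious:", suspicious_entries(SAMPLE_WIN_INI))
```

On a real machine the same functions can be pointed at the contents of %SystemRoot%\win.ini; any non-empty load= or run= value deserves a look, not only the one name known for this variant.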

Email spreading

The messages will have any of the following subjects:

 It's begin here!
 First Match!

The message body will have the following appearance:

 Hello [%username%]

 Your request has been accepted.
 Your account info:

 >> Email: [%random string%]
 >> Password: [%random string%]

 Visit our website to get more info at: http://www.[%website%]
 NOTE: All your account information has been attached as file and ready to be printed.

The worm will collect e-mail addresses from files with the following extensions:

 log
 eml
 mht
 dbx
 asp
 php
 jsp
 htm
 txt

The worm has its own SMTP engine, which it uses to deliver the infected e-mails.




Detection

F-Secure Anti-Virus detects Atak.D with the following update:

[FSAV_Database_Version]

Version=2004-12-03_03



Technical Details: Ero Carrera, December 3rd, 2004;

F-Secure Corporation