I-Worm.Atak.b

The worm will create a mutex named "SloperV2mtx-e-Machine" to avoid running more than once simultaneously.

It will copy itself to:

%SysDir%\SVRHOST.EXE

Where %SysDir% is the local Windows System folder. First the worm attempts to create the file and then deletes it, finally copying itself to such location.

It will add an entry to the win.ini file using the Windows API call WritePrivateProfileStringA from the Kernel32.dll. The entry will have the form:

[windows] load="%SysDir%\SVRHOST.EXE"

Which will make Windows execute the worm on startup.

This variant also attempts to find out whether there's a debugger loaded, if one is found the following string is shown in a message box:

lol! try to dig me?

As in the previous variant, the following string is contained within the worm's body:

-={ 4tt4(k 4g4!n$t N3tSky, B34gl3, MyD00m, L0vG4t3, N4ch!, Bl4st3r }=-

Some of the worm's text strings are scrambled by doing a logical NOT operation on each of their characters.

Email spreading

The messages will have any of the following subjects:

dont understand!! (disappear) (empty) what the tuut!! hurry up !!! got my file! big ears! home sweet home!? rate this! ginie file! wrong file! huh! you again! I know you!! always smile ;-D gotcha! ;-) happy! vote me again! thank for the idea Fwd: Re: hi! Warning! Report interesting hmmm.. varios keep plz! known issue the sender History Top 10 Hoax! Keep Up to date Familiar New Website Your Account Reserved for you Product Update greet bad news happy go lucky plz help us helo Expected!

The worm will collect email address from files with extensions:

.wab .adb .tbb .html .xml .cfg .vbs .msg .dbx .uin .jsp .asp .cgi .php .sht .mht .ods .log .htm .mbx .nch .eml .txt

The worm has its own SMTP engine which will use to deliver the infected emails.

Denial of service attack

Starting from the 8th of August the worm will attempt a DDoS attack against www.techtv.com. The worm resolves the hostname, it is not based on a hardcoded IP address.