A new variant of the Atak worm was found on Friday, 3rd of December. Atak is a simple mass-mailer worm.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A false positive is when a file is incorrectly detected as harmful, usually because its code or behaviour resembles known harmful programs. A false positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
1. Check for the latest database updates: first check that your F-Secure security program is using the latest updates, then try scanning the file again.
2. Submit a sample: after checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
   Note: if the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
3. Exclude the file from further scanning: if you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
   Note: you need administrative rights to change the settings.
The worm will create a mutex named "mtxSSS" to avoid running more than once simultaneously.
It will copy itself to:
[CSIDL_SYSTEM]\a1g.exe
Where [CSIDL_SYSTEM] is the local Windows System folder.
It will add an entry to the win.ini file using the Windows API call WritePrivateProfileStringA from Kernel32.dll. The entry has the form:
[windows]
load="[CSIDL_SYSTEM]\a1g.exe"
which makes Windows execute the worm at every startup. Note that on NT-based Windows the [windows] section of win.ini is redirected through IniFileMapping to the registry, so the same value also appears as the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows; check that location as well as the file itself when looking for this persistence entry.
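The following is an added example, not code from the original description or from F-Secure: a small check that parses a win.ini text and reports any non-empty load=/run= entries in its [windows] section, which is where the worm's startup entry lands. The win.ini content below is constructed for the example; a clean system normally has these keys empty, so any value is worth inspecting, and a value ending in a1g.exe matches this worm.

```python
"""Report startup entries written to the [windows] section of win.ini.

Added example (not the original page's code). Parses a constructed win.ini
text; on a live system read %WINDIR%\\win.ini and, on NT-based Windows, the
registry value HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load
to which the [windows] section is mapped.
"""
import configparser
import ntpath

# Keys under [windows] that Windows treats as startup entries.
STARTUP_KEYS = ("load", "run")

# File name the worm copies itself to (from the description).
WORM_FILENAME = "a1g.exe"

# Constructed sample: the worm's entry plus the usual empty sections.
SAMPLE_WIN_INI = """; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[windows]
load="C:\\WINDOWS\\system32\\a1g.exe"
run=
"""

# Constructed sample of a clean file: both keys present but empty.
CLEAN_WIN_INI = """; for 16-bit app support
[fonts]
[windows]
load=
run=
"""


def startup_entries(ini_text):
    """Return (key, value) for every non-empty load=/run= entry under
    [windows]. Quotes around the value are stripped; section name is
    matched case-insensitively because win.ini is not case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(ini_text)
    found = []
    for section in cp.sections():
        if section.lower() != "windows":
            continue
        for key in STARTUP_KEYS:
            value = cp.get(section, key, fallback=None)
            if value is None:
                continue
            value = value.strip().strip('"')
            if value:
                found.append((key, value))
    return found


def matches_atak(ini_text):
    """True if any startup entry points at a file named a1g.exe."""
    return any(ntpath.basename(value).lower() == WORM_FILENAME
               for _, value in startup_entries(ini_text))


if __name__ == "__main__":
    for key, value in startup_entries(SAMPLE_WIN_INI):
        print(f"[windows] {key}={value}")
    print("Atak indicator present:", matches_atak(SAMPLE_WIN_INI))
```

The check deliberately reports every non-empty entry rather than only the known file name, because the same persistence mechanism is used by other malware with different names.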
The messages will have any of the following subjects:
It's begin here! First Match!
The message body will have the following appearance:
Hello [%username%]
Your request has been accepted.
Your account info:
>> Email: [%random string%]
>> Password: [%random string%]
Visit our website to get more info at:
http://www.[%website%]
NOTE: All your account information has been attached as file and ready to be printed.
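As an added example (not part of the original description), the message template above can be turned into a simple mail filter. The code below builds a constructed message in the worm's format with Python's email library and scores it on the subject, the fixed phrases of the body, and the presence of an attachment. The attachment file name and the addresses are invented for the example, and treating "It's begin here!" and "First Match!" as two separate subject lines is an assumption; the body phrases are the robust part of the signature.

```python
"""Score an e-mail against the Atak message template.

Added example, not code from the original page. The sample messages,
their addresses and the attachment name are constructed for the example.
"""
import email
import email.policy
import re
from email.message import EmailMessage

# Subject lines from the description; the split into two subjects is an
# assumption made for this example.
ATAK_SUBJECTS = ("it's begin here!", "first match!")

# Fixed phrases of the body template. One alone is weak evidence; all of
# them together, plus an attachment, is the worm's signature.
BODY_MARKERS = (
    re.compile(r"Your request has been accepted", re.I),
    re.compile(r"Your account info:\s*>>\s*Email:", re.I),
    re.compile(r"account information has been attached as file", re.I),
)


def parse_message(raw):
    """Parse raw RFC 822 text into an EmailMessage."""
    return email.message_from_string(raw, policy=email.policy.default)


def body_text(msg):
    """Concatenate the text/plain parts that are not attachments."""
    if not msg.is_multipart():
        return msg.get_content() if msg.get_content_type() == "text/plain" else ""
    parts = []
    for part in msg.walk():
        if (part.get_content_type() == "text/plain"
                and part.get_content_disposition() != "attachment"):
            parts.append(part.get_content())
    return "\n".join(parts)


def has_attachment(msg):
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())


def score_message(msg):
    """0 to 5: subject match (1) + body markers (up to 3) + attachment (1)."""
    subject = str(msg["Subject"] or "").strip().lower()
    score = 1 if subject in ATAK_SUBJECTS else 0
    text = body_text(msg)
    score += sum(1 for marker in BODY_MARKERS if marker.search(text))
    if has_attachment(msg):
        score += 1
    return score


def looks_like_atak(msg, threshold=3):
    return score_message(msg) >= threshold


def sample_worm_message():
    """Constructed message in the worm's format (names/addresses invented)."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.com"
    msg["To"] = "alice@example.net"
    msg["Subject"] = "First Match!"
    msg.set_content(
        "Hello alice\n"
        "Your request has been accepted.\n"
        "Your account info:\n"
        ">> Email: qzvtk8\n"
        ">> Password: p0xw2l\n"
        "Visit our website to get more info at:\n"
        "http://www.example.com\n"
        "NOTE: All your account information has been attached as file "
        "and ready to be printed.\n"
    )
    # Attachment content and name are placeholders, not the real worm.
    msg.add_attachment(b"MZ-placeholder", maintype="application",
                       subtype="octet-stream", filename="info.exe")
    return msg


def sample_clean_message():
    """Constructed benign message for comparison."""
    msg = EmailMessage()
    msg["From"] = "bob@example.net"
    msg["To"] = "alice@example.net"
    msg["Subject"] = "Meeting notes"
    msg.set_content("See you at 3.\n")
    return msg


if __name__ == "__main__":
    for m in (sample_worm_message(), sample_clean_message()):
        print(m["Subject"], "->", score_message(m), looks_like_atak(m))
```

A threshold of 3 means the body phrases alone are enough to flag a message even when the subject has been changed, while a single coincidental phrase in a legitimate mail is not.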
The worm collects email addresses from files with the following extensions:
log, eml, mht, dbx, asp, php, jsp, htm, txt
The worm has its own SMTP engine, which it uses to deliver the infected emails directly, without going through the local mail client.