W32/Atak@MM

Type: Virus
SubType: E-mail
Discovery Date: 07/12/2004
Length: 15,917 bytes
Minimum DAT: 4376 (07/14/2004)
Updated DAT: 4376 (07/14/2004)
Minimum Engine: 5.1.00
Description Added: 07/13/2004
Description Modified: 07/14/2004 10:56 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update July 14th 2004 --
The risk assessment of this threat has been raised to Low-Profiled due to media attention. The threat is referred to as 'Atak worm' in various articles.
--

The following EXTRA.DAT packages are available, prior to the full DAT release.

  • EXTRA.DAT
  • SUPER EXTRA.DAT

This is a new mass-mailing worm that launches notepad.exe when executed.

This is a mass-mailing worm bearing the following characteristics:

  • harvests email addresses from the victim machine
  • spoofs the From: address
  • constructs messages using its own SMTP engine

Mail Propagation

The worm constructs messages using its own SMTP engine. The "From" address of the email is spoofed; any of the following names might be used:

  • kevin
  • huck
  • george
  • mike
  • andrew
  • jose

The worm searches for email addresses on the local hard disk, harvesting addresses from files with the following extensions:

  • wab
  • pl
  • adb
  • tbb
  • htm
  • xml
  • cfg
  • vbs
  • msg
  • dbx
  • uin
  • jsp
  • asp
  • cgi
  • php
  • sht
  • mht
  • ods
  • log
  • htm
  • mbx
  • nch
  • eml
  • txt

The format of the email is as follows:

Subject: (any of the following)

  • (blank)
  • Read the Result!
  • Important Data!

Body:

  • (blank)
  • Authorized Researcher Only.

Attachment: (random filename with any of the following extensions)

  • .exe
  • .zip
  • .jpg
  • .gif

References to these files are stored within the following key, which is also created by the worm:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ "load" = %SysDir%\hint.exe

In addition to these messages, the worm may also arrive with a random attachment name using one of the following extensions:

  • .com
  • .exe
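The message shape described above (fixed subject and body strings, a random attachment name with one of the listed extensions, a spoofed From name) is specific enough to match at a mail gateway. The following is an added example, not code from the original description or from the vendor: it parses a message with Python's standard email library, reports which of the listed indicators it matches, and treats subject, body and attachment extension together as the decision, because the spoofed From name on its own is too weak to act on. The sample message is constructed here and is not a captured sample.

```python
import email.utils
from email.message import EmailMessage

# Indicator sets taken from the description above. The extension set also
# includes the .com/.exe attachments mentioned for the second message form.
ATAK_SUBJECTS = {"", "Read the Result!", "Important Data!"}
ATAK_BODIES = {"", "Authorized Researcher Only."}
ATAK_ATTACH_EXT = {".exe", ".zip", ".jpg", ".gif", ".com"}
ATAK_FROM_NAMES = {"kevin", "huck", "george", "mike", "andrew", "jose"}


def _attachment_exts(msg):
    """Lower-cased extensions of every attachment part in the message."""
    exts = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if "." in name:
            exts.append("." + name.rsplit(".", 1)[1])
    return exts


def atak_indicators(msg: EmailMessage) -> list:
    """Return the W32/Atak@MM indicators matched by a parsed message."""
    hits = []
    if (msg.get("Subject") or "").strip() in ATAK_SUBJECTS:
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    if body in ATAK_BODIES:
        hits.append("body")
    local_part = email.utils.parseaddr(msg.get("From") or "")[1].split("@")[0]
    if local_part.lower() in ATAK_FROM_NAMES:
        hits.append("from")
    for ext in _attachment_exts(msg):
        if ext in ATAK_ATTACH_EXT:
            hits.append("attachment" + ext)
    return hits


def looks_like_atak(msg: EmailMessage) -> bool:
    """Subject, body and an attachment extension must all match; a matching
    From name only adds to the indicator list, since From is spoofed anyway."""
    hits = atak_indicators(msg)
    return ("subject" in hits and "body" in hits
            and any(h.startswith("attachment") for h in hits))


def build_sample(subject, body, attach_name, sender="mike@example.com") -> EmailMessage:
    """Construct a message of the described shape (constructed sample, not a capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder bytes, not a real attachment",
                       maintype="application", subtype="octet-stream",
                       filename=attach_name)
    return msg


if __name__ == "__main__":
    sample = build_sample("Read the Result!", "Authorized Researcher Only.", "result.zip")
    print(atak_indicators(sample), looks_like_atak(sample))
```

A blank subject or body is a listed indicator, so on its own it is noise; requiring all three fields to match is what keeps the rule usable on real traffic.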

Symptoms

Installation

When executed, the worm copies itself to the %SYSDIR% folder.

Example:
  C:\WINNT\system32\hint.exe

It creates a registry key, so the file gets executed every time the machine starts:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "load" = %SysDir%\hint.exe
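The dropped file and the Run-key value above are the two host indicators a responder can check directly. The following is an added example, not code from the original description or from the vendor: the matching logic is kept in a pure function (quotes and case ignored, only the file name compared, so that %SysDir% and an expanded path both match), and a separate function reads the live Run key with the standard winreg module when run on Windows. The sample Run-key contents in the usage block are constructed.

```python
import ntpath
import os
import sys

# Persistence indicator from the description above: a Run-key value named
# "load" whose data points at hint.exe in the system directory.
RUN_KEY_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ATAK_VALUE_NAME = "load"
ATAK_FILE_NAME = "hint.exe"


def is_atak_run_value(value_name: str, value_data: str) -> bool:
    """True when a (name, data) pair from the Run key matches the indicator.
    Surrounding quotes and case are ignored, and only the file name is compared,
    so %SysDir% and an expanded system32 path both match."""
    if value_name.strip().lower() != ATAK_VALUE_NAME:
        return False
    target = value_data.strip().strip('"').lower()
    return ntpath.basename(target) == ATAK_FILE_NAME


def scan_run_values(values):
    """Filter an iterable of (name, data) pairs down to the matching entries."""
    return [(name, data) for name, data in values if is_atak_run_value(name, data)]


def check_live_system():
    """On Windows, read the live HKLM Run key and look for the dropped file;
    returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            if isinstance(data, str):
                values.append((name, data))
            index += 1
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\WINNT"), "system32")
    return {
        "run_values": scan_run_values(values),
        "file_present": os.path.exists(os.path.join(sysdir, ATAK_FILE_NAME)),
    }


if __name__ == "__main__":
    # Constructed sample of what the Run key might contain on an infected host.
    sample = [("ctfmon.exe", "ctfmon.exe"), ("load", r"C:\WINNT\system32\hint.exe")]
    print(scan_run_values(sample))
    print(check_live_system())
```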

Method of Infection

This worm does not use any exploit code to execute the mail attachment automatically; a user has to double-click an infected attachment to infect the machine.

To locate a mail server through which to send itself, the worm prepends each of the following prefixes to the domain of the harvested email address:

  • gate.
  • ns.
  • relay.
  • mail1.
  • mxs.
  • smtp.
  • mail.
  • mx-a.mail.
  • bjmx.
  • mta.
  • mx4.mail.
  • mx3.mail.
  • mx2.mail.
  • mx1.mail.
  • mx4.
  • mx3.
  • mx2.
  • mx1.
  • mx.
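Because the worm guesses mail servers by walking this prefix list rather than querying MX records, an infected host shows up in resolver logs as a burst of A lookups for several listed prefixes against the same domain. The following is an added example, not code from the original description or from the vendor: it parses a constructed log layout (timestamp, client, query type, query name; an assumption, since resolver log formats differ), strips a listed prefix from each name, and flags any client that has covered a threshold number of distinct prefixes for one base domain. Single hits such as mail.example.com are normal traffic, which is why a count rather than a single match is used.

```python
import re
from collections import defaultdict

# Host-name prefixes the worm tries, as listed above. Sorted longest-first so
# that "mx1.mail." is matched before "mail." would be.
MX_PREFIXES = sorted([
    "gate.", "ns.", "relay.", "mail1.", "mxs.", "smtp.", "mail.", "mx-a.mail.",
    "bjmx.", "mta.", "mx4.mail.", "mx3.mail.", "mx2.mail.", "mx1.mail.",
    "mx4.", "mx3.", "mx2.", "mx1.", "mx.",
], key=len, reverse=True)

# Assumed resolver log layout (an assumption for this example):
# "<timestamp> <client> <qtype> <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")

# Constructed sample: one client walks the prefix list against a single domain,
# another makes ordinary lookups.
SAMPLE_DNS_LOG = """\
2004-07-12T10:00:01 192.0.2.10 A gate.example.com
2004-07-12T10:00:01 192.0.2.10 A ns.example.com
2004-07-12T10:00:02 192.0.2.10 A relay.example.com
2004-07-12T10:00:02 192.0.2.10 A smtp.example.com
2004-07-12T10:00:03 192.0.2.10 A mail.example.com
2004-07-12T10:00:03 192.0.2.10 A mx.example.com
2004-07-12T10:00:04 192.0.2.20 A www.example.com
2004-07-12T10:00:05 192.0.2.20 A mail.example.com
2004-07-12T10:00:06 192.0.2.20 MX example.com
""".splitlines()


def split_prefix(qname):
    """Return (prefix, base_domain) when qname starts with a listed prefix, else None."""
    q = qname.lower().rstrip(".")
    for prefix in MX_PREFIXES:
        if q.startswith(prefix) and len(q) > len(prefix):
            return prefix, q[len(prefix):]
    return None


def find_probing_clients(lines, threshold=4):
    """Return sorted (client, base_domain, prefix_count) tuples for clients whose
    A lookups cover at least `threshold` distinct listed prefixes for one domain."""
    seen = defaultdict(set)  # (client, base_domain) -> set of prefixes queried
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("qtype") != "A":
            continue
        hit = split_prefix(m.group("qname"))
        if hit:
            seen[(m.group("client"), hit[1])].add(hit[0])
    return sorted((client, domain, len(prefixes))
                  for (client, domain), prefixes in seen.items()
                  if len(prefixes) >= threshold)


if __name__ == "__main__":
    print(find_probing_clients(SAMPLE_DNS_LOG))
```

The same logic applies to any mass-mailer that guesses server names this way; only the prefix list is specific to this worm.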

Removal

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.