W32/Atak.d@MM

Type
Virus
SubType
Internet Worm
Discovery Date
12/03/2004
Length
12,037 bytes (FSG)
Minimum DAT
4380 (07/21/2004)
Updated DAT
5656 (06/24/2009)
Minimum Engine
5.1.00
Description Added
12/03/2004
Description Modified
12/03/2004 8:05 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

Proactive detection
This variant is detected exactly as W32/Atak.gen@MM by McAfee products running the 4380 DATs or later (release date Aug 2nd 2004).

The worm bears the following characteristics:

  • harvests email addresses from the victim machine
  • spoofs the From: address
  • constructs messages using its own SMTP engine

Symptoms

When run, the worm installs itself into the Windows system directory as A1G.EXE, for example:

  • C:\WINDOWS\SYSTEM32\A1G.EXE

The following Registry key is added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
    \Windows "load" = C:\WINDOWS\SYSTEM32\A1G.EXE

The worm creates a mutex on the victim machine with the following name:

  • mtxSSS

Method of Infection

The worm constructs outgoing messages using its own SMTP engine, spoofing the From: address and filling in the message body template it carries according to the target email address. The messages are constructed as follows:

Subject: One of the following 2 subject lines is used:

  • It's begin here!
  • First Match!

Message Body: The following message body is used:

Hello (mailbox)

Your request has been accepted.
Your account info:

>> Email: (inserted data)
>> Password: (inserted data)

Visit our website to get more info at: http://www.(domain)

NOTE: All your account information has been attached as file and ready to be printed.

where (mailbox) and (domain) are extracted from the target email address (mailbox@domain).

Attachment: The attachment will be a ZIP archive (with a .ZIP file extension) containing a copy of the worm, with one of the following file extensions (sometimes with multiple prepended spaces):

  • scr
  • com
  • exe
  • pif
  • bat

The filenames of the ZIP archive and the worm within the archive are random (same filename for each).
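As an added example (not McAfee's code and not part of the original description), the following Python mail-gateway check flags a message that matches the subject lines, body template and ZIP-attachment trait described above, including the space-padded extension and the shared random filename; the sample message it builds in memory, and the names kzq, alice and example.com, are constructed assumptions.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECTS = {"It's begin here!", "First Match!"}
EXEC_EXTS = {"scr", "com", "exe", "pif", "bat"}
BODY_MARKER = "Your request has been accepted."

def exec_member(name):
    """Base name of a ZIP member that ends in a listed extension, even with spaces padded before the dot; else None."""
    m = re.fullmatch(r"(.+?)\s*\.([A-Za-z]+)", name)
    return m.group(1) if m and m.group(2).lower() in EXEC_EXTS else None

def scan_message(raw):
    """Return the indicators matched in a raw RFC 822 message (empty list = no match)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in body.get_content():
        hits.append("body")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            continue
        for member in zf.namelist():
            # worm trait: the archive and the file inside share one random name
            if exec_member(member) == fname[:-4]:
                hits.append("zip:" + member)
    return hits

def build_sample(mailbox="alice", domain="example.com", name="kzq"):
    """Constructed sample following the template above (placeholder bytes, not the worm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{name}     .scr", b"placeholder bytes, not the worm")
    msg = EmailMessage()
    msg["Subject"] = "First Match!"
    msg["From"] = f"support@{domain}"  # spoofed sender, as the worm does
    msg.set_content(f"Hello {mailbox}\n\n{BODY_MARKER}\nYour account info:\n\n>> Email: {mailbox}@{domain}\n"
                    f">> Password: (inserted data)\n\nVisit our website to get more info at: http://www.{domain}\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=f"{name}.zip")
    return msg.as_bytes()
```

Running scan_message(build_sample()) returns ['subject', 'body', 'zip:kzq     .scr'].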

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
