W32/Atak.i@MM
- Type
- Virus
- SubType
- E-mail worm
- Discovery Date
- 12/15/2004
- Length
- Approx 11Kb
- Minimum DAT
- 4415 (12/15/2004)
- Updated DAT
- 4626 (11/11/2005)
- Minimum Engine
- 5.1.00
- Description Added
- 12/15/2004
- Description Modified
- 12/16/2004 8:16 AM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Characteristics
-- Update December 16, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.zdnet.co.uk/internet/security/0,39020375,39181365,00.htm
--
The worm bears the following characteristics:
- harvests email addresses from the victim machine
- spoofs the From: address
- constructs messages using its own SMTP engine
Symptoms
When run, the worm installs itself into the Windows system directory as DEC25.EXE, for example:
- C:\WINDOWS\SYSTEM32\DEC25.EXE
The following Registry key is added to hook system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "run" = C:\WINDOWS\SYSTEM32\DEC25.EXE
The worm creates a mutex on the victim machine with the following name:
- 2k5
Method of Infection
The worm constructs outgoing messages using its own SMTP engine and spoofs the From: address. The messages are constructed as follows:
Subject: One of the following subject lines is used:
- Happy New Year!
- Mery X-Mas!
Message Body: One of the following message bodies is used:
- Mery Chrismas Happy New year! 2005 will be the beginning!
- Happy New year and wish you good luck on next year!
Attachment: The attachment is a ZIP archive (with a .ZIP file extension) containing a copy of the worm, which carries one of the following file extensions (sometimes with multiple spaces inserted before the extension):
- scr
- com
- pif
- bat
The filenames of the ZIP archive and the worm within the archive are random (same filename for each).
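The attachment characteristics above (a ZIP whose member shares the archive's name, carries an scr/com/pif/bat extension, and sometimes pads that extension with spaces) can be checked at a mail gateway before the message reaches a user. The following Python is an added example, not McAfee's code or a detection from this advisory; the subject strings and extensions are taken from the text above, and the attachment it inspects is constructed inline with an inert payload.

```python
import io
import re
import zipfile

# Indicators taken from the advisory text above.
SUBJECTS = {"Happy New Year!", "Mery X-Mas!"}
EXEC_EXTS = {"scr", "com", "pif", "bat"}
# "name<spaces>.ext": the whitespace before the dot is the padding the advisory
# mentions; it pushes the real extension out of view in a mail client.
_NAME_RE = re.compile(r"^(?P<stem>.+?)\s*\.(?P<ext>[A-Za-z0-9]+)$")

def split_name(filename):
    """Return (stem, ext) with the padding dropped and ext lowercased."""
    m = _NAME_RE.match(filename)
    return (m.group("stem"), m.group("ext").lower()) if m else (filename, "")

def inspect_zip_attachment(zip_name, zip_bytes):
    """Reasons an attachment matches the advisory's pattern ([] = no match)."""
    zip_stem, zip_ext = split_name(zip_name)
    if zip_ext != "zip":
        return []
    try:
        members = zipfile.ZipFile(io.BytesIO(zip_bytes)).namelist()
    except zipfile.BadZipFile:
        return [f"{zip_name!r} has a .zip extension but is not a valid ZIP"]
    reasons = []
    for member in members:
        stem, ext = split_name(member)
        if ext not in EXEC_EXTS:
            continue
        reasons.append(f"executable member {member!r} ({ext})")
        if member[len(stem)].isspace():
            reasons.append(f"extension of {member!r} is hidden behind spaces")
        if stem == zip_stem:
            reasons.append(f"member stem {stem!r} equals archive stem")
    return reasons

def score_message(subject, attachments):
    """attachments: list of (filename, bytes). Returns (hit, reasons)."""
    reasons = [f"subject {subject!r} is a known worm subject"] if subject.strip() in SUBJECTS else []
    hit = False
    for name, data in attachments:
        found = inspect_zip_attachment(name, data)
        hit, reasons = hit or bool(found), reasons + found
    return hit, reasons

def build_zip(zip_name, member_name, payload=b"inert test bytes, not the worm"):
    """Constructed test data: a one-member ZIP with an inert payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return zip_name, buf.getvalue()
```

A subject match alone does not set `hit`; only the archive findings do, since the greeting strings are weak evidence on their own.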
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.