Internet threat level: 1
Home→Descriptions→Email-Worm.Win32.Atak.h
Email-Worm.Win32.Atak.h
| Detected | Dec 15 2004 08:52 GMT |
| Released | Dec 15 2004 08:52 GMT |
| Published | Dec 15 2004 09:55 GMT |
Technical Details
This worm spreads via the Internet as an attachment to infected messages.
The worm itself is a Windows PE EXE file approximately 11KB in size. It is packed using FSG, and the unpacked file is approximately 25KB in size.
Infected messages
Message subject (chosen at random from the list below):
Happy New Year! Merry X-Mas!
Message body (chosen at random from the list below):
Happy New year and wish you good luck on next year! Mery Chrismas & Happy New Year! 2005 will be the beginning!
Attachment name
bat com pif scr
The worm is only launched if the user opens the attachment. Atak.h will then install itself to the system and start propagating.
It will not repeatedly install itself to memory.
Installation
When installing, the worm copies itself as dec25.exe to the Windows system directory. It modifies the win.ini file, and adds the file name dex25.exe to the run key in [windows]:
[windows] run=%SystemDir%\dec25.exe
This ensures that a copy of the worm will be launched each time the infected computer is rebooted.
Mass mailing
The worm searches for files with the following extensions:
asp dbx eml htm jsp mht msg php txt
It harvests email addresses from these files, and sends a copy of itself by establishing a direct connection to the SMTP server.
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
- using a direct connection to a SMTP server using the email directory built into the worm’s code
- using MS Outlook services
- using Windows MAPI functions.
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
- the address book in MS Outlook
- a WAB address database
- .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
- emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.
Email-Worm.
- Virus:
W32/Atak. i@MM (McAfee) - W32/Atak-J (Sophos)
- Worm.
Mydoom. Gen-unp (ClamAV) - W32/Atak.
I. worm (Panda) - W32/Atak.
I@mm (FPROT) - Worm:
Win32/Atak. J@mm (MS(OneCare)) - Win32.
HLLM. Atak (DrWeb) - Win32/Mydoom.
AU worm (Nod32) - Win32.
Atak. I@mm (BitDef7) - I-Worm.
Atak. F (VirusBuster) - Win32:
Atak-F [Wrm] (AVAST) - Email-Worm.
Win32. Atak (Ikarus) - I-Worm/Atak.
I (AVG) - WORM/Atak.
I (AVIRA) - W32.
Atak@mm (NAV) - Atak.
I@mm (Norman) - W32/Atak.
I@mm (NAI) - WORM_ATAK.
I (PCCIL) - Worm.
Atak. h (Rising) - Email-Worm.
Win32. Atak. h [AVP] (FSecure) - Atak.
h (Sunbelt) - I-Worm.
Atak. F (VirusBusterBeta)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.