- file dllmgr32.exe in Windows directory
- the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DllManager with value C:\Windows\dllmgr32.exe
- If you don't have BitDefender installed click here to download an evaluation version;
- Make sure that you have the latest updates using BitDefender Live!;
- Make the following changes in the Windows registry:
Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry please read the FAQ.
- Select Run... from Start, then type regedit and press Enter;
- Delete the following key:
- Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Tattona.A@mm.
Sorin Victor Dudea BitDefender Virus Researcher
It arrives through e-mail in the following format:
Subject:
Incredibile..
or Urgente! (vedi allegato)
or Qualsiasi cosa fai,falla al meglio.
or Incredible..
Body (English):
Hello,
see this interesting file.
Bye
Body (Italian):
Ciao,
okkio all'allegato ;-)
or devi assolutamente vedere il file che ti ho allegato.
or apri subito l'allegato,e' molto interessante.
A presto…
Attachment:
One of the following
After the user opens the attachment, the worm copies itself to the Windows directory under the name dllmgr32.exe
and adds the following registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DllManage
with value: C:\Windows\dllmgr32.exe
Next it displays the following message box:
and it stops.
After the computer restarts, the worm checks the date and, if it is January 12, displays the following message box:
Next it opens a TCP/IP connection and waits for remote commands, acting as a backdoor.
The worm sends itself to all e-mail addresses it finds in the user's address book, in the same format in which it arrives.
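A check for the Run-key symptom described above, written for an exported copy of the registry. It is an added example, not BitDefender's code. It matches on the program the value launches rather than on the value name, since the name appears above as both DllManager and DllManage. The sample export text and the function names are constructed for illustration.

```python
import ntpath
import re

# Key and dropped file name as given in the description (compared lower-case).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
DROPPED_NAME = "dllmgr32.exe"

# Constructed sample of a .reg export of the Run key (not taken from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DllManager"="C:\\WINDOWS\\DLLMGR32.EXE"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
'''

# "name"="data" string values; .reg files escape \ and " with a backslash.
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    return re.sub(r"\\(.)", r"\1", text)


def _executable(command):
    """Return the program part of a Run command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def find_run_entries(export_text, dropped_name=DROPPED_NAME):
    """List (value name, data) pairs under HKLM Run that launch dropped_name."""
    hits, in_run_key = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY
            continue
        match = _VALUE.match(line) if in_run_key else None
        if not match:
            continue
        name, data = _unescape(match.group(1)), _unescape(match.group(2))
        if ntpath.basename(_executable(data)).lower() == dropped_name:
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in find_run_entries(SAMPLE_EXPORT):
        print(f"Run value {name!r} launches {data}")
```

A hit only shows that a Run value launches a file with that name; confirm with the file in the Windows directory and a full scan before deleting anything.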