
Win32.Tattona.A@mm

Spreading: MEDIUM
Damage: LOW
Size: ~34761 bytes
Aliases: W32/Hygui-A

Symptoms

- the file dllmgr32.exe in the Windows directory
- the following value under the Run key (this page lists the value name as both DllManager and DllManage; check for either):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DllManager with value C:\Windows\dllmgr32.exe

Removal instructions:

  1. If you don't have BitDefender installed, download an evaluation version;

  2. Make sure that you have the latest updates using BitDefender Live!;

  3. Make the following changes in the windows registry:

    Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry please read the FAQ.

    1. Select Run... from Start, then type regedit and press Enter;

    2. Delete the following value (the name is given on this page as both DllManage and DllManager; delete whichever is present):
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DllManage

  4. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Tattona.A@mm. If dllmgr32.exe is running, the scanner may be unable to delete it until the process is terminated or the system is rebooted after the Run value has been removed.
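The following script is an added example, not a Bitdefender tool, that checks a host for the three indicators this page gives (the listening process, the Run value and the dropped file) and removes the persistence and the file when run with -Remove. It assumes an elevated PowerShell session on Windows 8 or later (Get-NetTCPConnection is not available on older systems), checks both spellings of the value name that appear on this page, and treats the ~34761 byte size only as a sanity check, since a variant or a partial download may differ.

```powershell
# Added example: detect and optionally remove the Win32.Tattona.A@mm indicators
# described on this page. Assumptions: elevated session; Windows 8+ for
# Get-NetTCPConnection; the Run value name may be DllManage or DllManager.
param([switch]$Remove)

$runKey       = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueNames   = 'DllManage', 'DllManager'
$wormFile     = Join-Path $env:windir 'dllmgr32.exe'   # page: C:\Windows\dllmgr32.exe
$expectedSize = 34761                                  # approximate size from the page header
$findings     = @()

# 1. Backdoor: the page gives no port, so report every TCP socket owned by dllmgr32.exe
$proc = Get-Process -Name 'dllmgr32' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "Process dllmgr32.exe running (PID $($proc.Id))"
    Get-NetTCPConnection -OwningProcess $proc.Id -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "  TCP $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) [$($_.State)]" }
    if ($Remove) { Stop-Process -Id $proc.Id -Force }   # a locked file cannot be deleted below
}

# 2. Persistence: Run value pointing at dllmgr32.exe, under either value name
foreach ($name in $valueNames) {
    $value = (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -and $value -match 'dllmgr32\.exe') {
        $findings += "Run value '$name' = $value"
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name $name }
    }
}

# 3. Dropped file in the Windows directory; size is reported, not used as a hard filter
if (Test-Path -Path $wormFile) {
    $len = (Get-Item -Path $wormFile).Length
    $findings += "File $wormFile present ($len bytes; page lists ~$expectedSize)"
    if ($Remove) { Remove-Item -Path $wormFile -Force }
}

if ($findings.Count -eq 0) { 'No Win32.Tattona.A@mm indicators found.' } else { $findings }
```

Run it once without -Remove to record what is present, then with -Remove; the full scan in step 4 is still required, because the script only covers the indicators listed here and not any other infected files on the system.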

Analyzed By

Sorin Victor Dudea BitDefender Virus Researcher

Technical Description:

It arrives through e-mail in the following format:

Subject (one of the following):
Incredibile.. (Italian: "Incredible..")
Urgente! (vedi allegato) (Italian: "Urgent! (see attachment)")
Qualsiasi cosa fai,falla al meglio. (Italian: "Whatever you do, do it well.")
Incredible..

Body (English):
Hello,
see this interesting file.
Bye

Body (Italian, one of the following; English in parentheses):
Ciao,
okkio all'allegato ;-) ("Hi, keep an eye on the attachment ;-)")
or
devi assolutamente vedere il file che ti ho allegato. ("you absolutely must see the file I attached.")
or
apri subito l'allegato,e' molto interessante. ("open the attachment right away, it's very interesting.")
A presto… ("See you soon…")

Attachment (one of the following):

- Tattoo.exe
- Euro.exe
- Tettona.exe
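The subjects and attachment names above are the only mail-side indicators the page gives. The script below is an added example, not part of this description, for triaging a mail store after an outbreak: it assumes messages have been exported as RFC 822 text files (.eml) into a directory, reads the Subject header of each and the filename= parameters of its Content-Disposition headers, and reports any message that matches one of the lure subjects or attachment names listed above.

```powershell
# Added example: flag exported .eml messages carrying the Win32.Tattona.A@mm lure
# subjects or attachment names given on this page. Assumptions: messages are
# plain RFC 822 text files in $MailDir; matching is case-insensitive.
param([string]$MailDir = '.\mail')

$lureSubjects = @(
    'Incredibile..',
    'Urgente! (vedi allegato)',
    'Qualsiasi cosa fai,falla al meglio.',
    'Incredible..'
)
$lureAttachments = @('Tattoo.exe', 'Euro.exe', 'Tettona.exe')

Get-ChildItem -Path $MailDir -Filter '*.eml' -File | ForEach-Object {
    $raw = Get-Content -Path $_.FullName -Raw

    # First Subject header; these lure subjects are short, so header folding is not handled
    $subject = if ($raw -match '(?im)^Subject:[ \t]*(.*)$') { $Matches[1].Trim() } else { '' }
    $subjectHit = $lureSubjects -contains $subject      # -contains is case-insensitive

    # Attachment names from Content-Disposition / Content-Type filename= parameters
    $attHits = [regex]::Matches($raw, '(?i)filename="?([^";\r\n]+)"?') |
        ForEach-Object { $_.Groups[1].Value.Trim() } |
        Where-Object { $lureAttachments -contains $_ }

    if ($subjectHit -or $attHits) {
        [pscustomobject]@{
            File       = $_.Name
            Subject    = $subject
            Attachment = ($attHits -join ', ')
            MatchedOn  = if ($subjectHit -and $attHits) { 'subject+attachment' }
                         elseif ($subjectHit) { 'subject' } else { 'attachment' }
        }
    }
}
```

A message matching on the attachment name alone is the stronger signal, since the subject lines are ordinary Italian phrases that legitimate mail can also carry.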


After the user opens the attachment, the worm copies itself to the Windows directory as dllmgr32.exe and adds the following value under the Run key so that it starts on every boot:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DllManage with value: C:\Windows\dllmgr32.exe.

Next it displays a message box (image not reproduced here) and then exits.

After the computer restarts, the worm checks the date and, if it is January 12, displays a second message box (image not reproduced here).
Next it opens a TCP/IP connection and waits for remote commands, acting as a backdoor. The page does not specify the port or the command set.

The worm sends itself to all e-mail addresses found in the user's address book, in the same format in which it arrived.