
Win32.Atak.A@mm

MEDIUM
LOW
15917 bytes (packed with FSG 2.0)
(n/a)

Symptoms

Presence of hint.exe in %system% (e.g. C:\Windows\System32) folder and in processes list.

The registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" contains a value named "load" that points to "%system%\hint.exe".

Removal instructions:

Manual removal:
* open Task Manager by pressing [CTRL]+[ALT]+[DEL] in Win9X/ME or [CTRL]+[SHIFT]+[ESCAPE] in Win2000/XP
* use End Process in Processes tab on hint.exe
* open Registry Editor by pressing [WIN]+[R], typing regedit and pressing [ENTER]
* delete the "load" value under the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
* delete %system%\hint.exe

Automatic removal: let BitDefender disinfect infected files

Analyzed By

Mircea Ciubotariu BitDefender Virus Researcher

Technical Description:

This worm is a typical mass-mailer that arrives as an infected attachment with a double-extension file name.

When run it attempts to create the mutex SloperMtx to avoid a duplicate process running simultaneously.

It then checks that the system time is valid and whether the process is being debugged; if it is being debugged, it quits.

Next the worm installs itself by copying its file to the %system% directory as hint.exe and sets

[windows]
load=%system%\hint.exe


in %windir%\win.ini, then starts harvesting email addresses and sending mail. On NT-based Windows the [windows] load= entry of win.ini is mapped to the registry value listed under Symptoms, which is why the same entry appears in both places.
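As an added example that is not part of Bitdefender's write-up, the following Python reads a saved copy of win.ini and a .reg export of the key listed under Symptoms and reports any non-empty [windows] load= or run= entry (both are legacy autostart locations, so it goes slightly beyond the hint.exe case), marking a hit on hint.exe as a match. The two sample inputs are constructed, and the %system% placeholder is left as the page writes it.

```python
import configparser
import re

DROPPED_NAME = "hint.exe"  # file name from the write-up above
REG_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"

def win_ini_autostart(text):
    """Return {entry: value} for the load= and run= entries of [windows]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    if not cp.has_section("windows"):
        return {}
    return {k: (cp.get("windows", k) or "").strip()
            for k in ("load", "run") if cp.has_option("windows", k)}

def reg_load_value(text):
    """Return the 'load' value under REG_KEY from a .reg export, or None."""
    in_key = False
    for line in text.splitlines():
        m = re.match(r"^\[(.+)\]\s*$", line)
        if m:
            in_key = m.group(1).lower() == REG_KEY.lower()
        elif in_key and line.lower().startswith('"load"='):
            raw = line.split("=", 1)[1].strip().strip('"')
            return raw.replace("\\\\", "\\")  # .reg exports double backslashes
    return None

def assess(win_ini_text, reg_text):
    """Return (location, value, verdict) triples for every non-empty autostart entry."""
    def verdict(v):
        return "match" if v.lower().endswith(DROPPED_NAME) else "suspicious"
    hits = [(f"win.ini [windows] {k}", v, verdict(v))
            for k, v in win_ini_autostart(win_ini_text).items() if v]
    reg = reg_load_value(reg_text)
    if reg:
        hits.append(("registry load value", reg, verdict(reg)))
    return hits

# Constructed samples (not real captures) mirroring the description above.
SAMPLE_WIN_INI = r"""; constructed sample
[windows]
load=%system%\hint.exe
run=
[fonts]
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\Windows\\System32\\hint.exe"
"""
FINDINGS = assess(SAMPLE_WIN_INI, SAMPLE_REG)  # two "match" hits for the samples
```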

The following file types are scanned for email addresses:
wab
pl
adb
tbb
html
xml
cfg
vbs
msg
bdx
uin
jsp
asp
cgi
php
sht
mht
ods
log
htm
mbx
nch
eml
txt


The sender may be one of the following: kevin@, huck@, george@, mike@, andrew@ or jose@ with different domain names.

The file also contains a string that is never used:
-={ 4tt4(k 4g4!n$t N3tSky, B34gl3, MyD00m, L0vG4t3, N4ch!, Bl4st3r }=-

It was compiled with Visual C++ 6.00 and packed with FSG 2.0.