Win32.Atak.A@mm (n/a)

SYMPTOMS: Presence of hint.exe in the %system% folder (e.g. C:\Windows\System32) and in the process list. The registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" contains the value "load", which points to "%system%\hint.exe".

TECHNICAL DESCRIPTION: This worm is a typical mass-mailer that arrives in infected attachments with double-extension names. When run, it attempts to create the mutex SloperMtx to avoid running a duplicate process simultaneously. It then checks that the system time is valid and whether the process is being debugged, in which case it quits. Next, the worm installs itself by copying to the %system% directory under the name hint.exe, sets [windows] load=%system%\hint.exe in %windir%\win.ini, and starts harvesting email addresses and sending mail.

The following file types are scanned for email addresses: wab, pl, adb, tbb, html, xml, cfg, vbs, msg, bdx, uin, jsp, asp, cgi, php, sht, mht, ods, log, htm, mbx, nch, eml, txt.

The sender may be one of the following: kevin@, huck@, george@, mike@, andrew@ or jose@, with different domain names.

There is a never-used string saying: -={ 4tt4(k 4g4!n$t N3tSky, B34gl3, MyD00m, L0vG4t3, N4ch!, Bl4st3r }=-

It was compiled with Visual C++ 6.00 and packed with FSG 2.0.

Removal instructions:

Manual removal:
* open Task Manager by pressing [CTRL]+[ALT]+[DEL] on Win9X/ME or [CTRL]+[SHIFT]+[ESCAPE] on Win2000/XP
* use End Process on hint.exe in the Processes tab
* open Registry Editor by pressing [WIN]+[R], typing regedit and pressing [ENTER]
* delete the registry value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
* delete %system%\hint.exe

Automatic removal: let BitDefender disinfect infected files.

ANALYZED BY: Mircea Ciubotariu, BitDefender Virus Researcher
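The following read-only triage script is an added example, not part of the BitDefender entry: it checks a Windows host for the indicators listed above (the hint.exe process and dropped file, the "load" value under the HKCU Windows key, and the [windows] load= line in win.ini) and reports what it finds without removing anything. On NT-based systems the win.ini [windows] section is mapped to that registry key, which is why the entry lists both locations; the script checks each independently.

```powershell
# Added example (not from the BitDefender entry): report-only checks for
# the Win32.Atak.A@mm persistence indicators. Nothing is modified.
$findings = @()

# 1. Running process: the worm runs as hint.exe from %system%.
$procs = Get-Process -Name 'hint' -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $findings += "Process running: PID $($p.Id) path=$($p.Path)"
}

# 2. Dropped file in the system directory (%system%\hint.exe).
$dropped = Join-Path $env:SystemRoot 'System32\hint.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
}

# 3. Registry 'load' value under HKCU (NT mapping of win.ini [windows] load=).
$key  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$load = (Get-ItemProperty -Path $key -Name 'load' -ErrorAction SilentlyContinue).load
if ($load -and $load -match 'hint\.exe') {
    $findings += "Registry load value: $load"
}

# 4. Legacy win.ini [windows] load= line, in case it exists on disk.
$winIni = Join-Path $env:SystemRoot 'win.ini'
if (Test-Path -LiteralPath $winIni) {
    $inWindows = $false
    foreach ($line in Get-Content -LiteralPath $winIni) {
        # Track which INI section we are in; only [windows] matters here.
        if ($line -match '^\s*\[(.+)\]') { $inWindows = ($Matches[1] -eq 'windows'); continue }
        if ($inWindows -and $line -match '^\s*load\s*=\s*(.+)$' -and $Matches[1] -match 'hint\.exe') {
            $findings += "win.ini load= line: $($line.Trim())"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32.Atak.A@mm indicators found.'
} else {
    Write-Output 'Possible Win32.Atak.A@mm infection:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt so the process path and file checks are not blocked by access restrictions.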