My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Atak.B@mm

MEDIUM
LOW
29149 bytes (packed with FSG 2.0)
(n/a)

Symptoms

Presence of SVRHOST.EXE in %system% (e.g. C:\Windows\System32) folder and in processes list.

In Windows 2000/XP/2003 the registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\windows" containing the string "load" which points to "%system%\SVRHOST.EXE".

In Windows 9x/ME the file "%windir%\win.ini" contains:
[windows]
load=%system%\svrhost.exe

Removal instructions:

Manual removal:
* open Task Manager by pressing [CTR]+[ALT]+[DEL] in Win9x/ME or [CTRL]+[SHIFT]+[ESCAPE] for Win2000/XP
* use End Process in Processes tab on SVRHOST.EXE
* open Registry Editor typing [WIN]+[R]regedit[ENTER]
* delete the registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load"
* delete %system%\svrhost.exe

Note that for Win98/ME manual removal is not recommended.

Automatic removal: let BitDefender disinfect infected files.

Analyzed By

Mircea Ciubotariu BitDefender Virus Researcher

Technical Description:

This worm is a tipycal mass-mailer arriving in infected attachments with double extesion names. It basically operates like its precedent variant exept it does a lot more things.

When run Atak.B checks if it is run from %system%\SVRHOST.EXE and if not copies itself to that location and starts that copy.

Then it attempts to create the mutex "SloperV2mtx-e-Machine" to avoid a duplicate process running simultaneously and performs the anti-debugging checks.

If the process is being debugged by a standard debugger the worm pops up a message box with the text "lol! try to dig me?" and quits.

In Windows 9x/ME the worms registers itself as a Service Process and therefore won't be visible in processes list.

Also at this time it creates a thread which acts as a backdoor on all ports in the range 1000 - 1015 (including) using which an attacker may upload and execute any program of his wish.

After that the worm attemps to close an impressive number of 596 processes if found active, namely: DRVDDLL.EXE, _AVP32.EXE, _AVPCC.EXE, _AVPM.EXE, ACKWIN32.EXE, ADAWARE.EXE, ADVXDWIN.EXE, AGENTSVR.EXE, AGENTW.EXE, ALERTSVC.EXE, ALEVIR.EXE, ALOGSERV.EXE, AMON9X.EXE, ANTI-TROJAN.EXE, ANTIVIRUS.EXE, ANTS.EXE, APIMONITOR.EXE, APLICA32.EXE, APVXDWIN.EXE, ARR.EXE, ATCON.EXE, ATGUARD.EXE, ATRO55EN.EXE, ATWATCH.EXE, AU.EXE, AUPDATE.EXE, AUTODOWN.EXE, AUTO-PROTECT.NAV80TRY.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, AVCONSOL.EXE, AVE32.EXE, AVGCC32.EXE, AVGCTRL.EXE, AVGNT.EXE, AVGSERV.EXE, AVGSERV9.EXE, AVGUARD.EXE, AVGW.EXE, AVKPOP.EXE, AVKSERV.EXE, AVKSERVICE.EXE, AVKWCTl9.EXE, AVLTMAIN.EXE, AVNT.EXE, AVP.EXE, AVP32.EXE, AVPCC.EXE, AVPDOS32.EXE, AVPM.EXE, AVPTC32.EXE, AVPUPD.EXE, AVSCHED32.EXE, AVSYNMGR.EXE, AVWIN95.EXE, AVWINNT.EXE, AVWUPD.EXE, AVWUPD32.EXE, AVWUPSRV.EXE, AVXMONITOR9X.EXE, AVXMONITORNT.EXE, AVXQUAR.EXE, BACKWEB.EXE, BARGAINS.EXE, BD_PROFESSIONAL.EXE, BEAGLE.EXE, BELT.EXE, BIDEF.EXE, BIDSERVER.EXE, BIPCP.EXE, BIPCPEVALSETUP.EXE, BISP.EXE, BLACKD.EXE, BLACKICE.EXE, BLSS.EXE, BOOTCONF.EXE, BOOTWARN.EXE, BORG2.EXE, BPC.EXE, BRASIL.EXE, BS120.EXE, BUNDLE.EXE, BVT.EXE, CCAPP.EXE, CCEVTMGR.EXE, CCPXYSVC.EXE, CCSETMGR.EXE, CDP.EXE, CFD.EXE, CFGWIZ.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFINET.EXE, CFINET32.EXE, Claw95.EXE, CLAW95CF.EXE, CLEAN.EXE, CLEANER.EXE, CLEANER3.EXE, CLEANPC.EXE, CLICK.EXE, CMD32.EXE, CMESYS.EXE, CMGRDIAN.EXE, CMON016.EXE, CONNECTIONMONITOR.EXE, CPD.EXE, CPF9X206.EXE, CPFNT206.EXE, CTRL.EXE, CV.EXE, CWNB181.EXE, CWNTDWMO.EXE, DATEMANAGER.EXE, DCOMX.EXE, DEFALERT.EXE, DEFSCANGUI.EXE, DEFWATCH.EXE, DEPUTY.EXE, DIVX.EXE, DLLCACHE.EXE, DLLREG.EXE, DOORS.EXE, DPF.EXE, DPFSETUP.EXE, DPPS2.EXE, DRWATSON.EXE, DRWEB32.EXE, DRWEBUPW.EXE, DSSAGENT.EXE, DVP95.EXE, DVP95_0.EXE, ECENGINE.EXE, EFPEADM.EXE, EMSW.EXE, ENT.EXE, ESAFE.EXE, ESCANH95.EXE, ESCANHNT.EXE, ESCANV95.EXE, ESPWATCH.EXE, ETHEREAL.EXE, ETRUSTCIPE.EXE, EVPN.EXE, EXANTIVIRUS-CNET.EXE, EXE.AVXW.EXE, EXPERT.EXE, EXPLORE.EXE, F-AGNT95.EXE, F-AGOBOT.EXE, FAMEH32.EXE, FAST.EXE, FCH32.EXE, FIH32.EXE, FINDVIRU.EXE, FIREWALL.EXE, FLOWPROTECTOR.EXE, FNRB32.EXE, FPROT.EXE, F-PROT.EXE, F-PROT95.EXE, FP-WIN.EXE, FP-WIN_TRIAL.EXE, FRW.EXE, FSAA.EXE, FSAV.EXE, FSAV32.EXE, FSAV530STBYB.EXE, FSAV530WTBYB.EXE, FSAV95.EXE, FSGK32.EXE, FSM32.EXE, FSMA32.EXE, FSMB32.EXE, F-STOPW.EXE, GATOR.EXE, GBMENU.EXE, GBPOLL.EXE, GENERICS.EXE, GMT.EXE, GUARD.EXE, GUARDDOG.EXE, HACKTRACERSETUP.EXE, HBINST.EXE, HBSRV.EXE, HIJACKTHIS.EXE, HOTACTIO.EXE, HOTPATCH.EXE, HTLOG.EXE, HTPATCH.EXE, HWPE.EXE, HXDL.EXE, HXIUL.EXE, IAMAPP.EXE, IAMSERV.EXE, IAMSTATS.EXE, IBMASN.EXE, IBMAVSP.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IDLE.EXE, IEDLL.EXE, IEDRIVER.EXE, IEXPLORER.EXE, IFACE.EXE, IFW2000.EXE, INETLNFO.EXE, INFUS.EXE, INFWIN.EXE, INIT.EXE, INTDEL.EXE, INTREN.EXE, IOMON98.EXE, IPARMOR.EXE, IRIS.EXE, ISASS.EXE, ISRV95.EXE, ISTSVC.EXE, JAMMER.EXE, JDBGMRG.EXE, JEDI.EXE, KAVLITE40ENG.EXE, KAVPERS40ENG.EXE, KAVPF.EXE, KAZZA.EXE, KEENVALUE.EXE, KERIO-PF-213-EN-WIN.EXE, KERIO-WRL-421-EN-WIN.EXE, KERIO-WRP-421-EN-WIN.EXE, KERNEL32.EXE, KILLPROCESSSETUP161.EXE, LAUNCHER.EXE, LDNETMON.EXE, LDPRO.EXE, LDPROMENU.EXE, LDSCAN.EXE, LNETINFO.EXE, LOADER.EXE, LOCALNET.EXE, LOCKDOWN.EXE, LOCKDOWN2000.EXE, LOOKOUT.EXE, LORDPE.EXE, LSETUP.EXE, LUALL.EXE, LUAU.EXE, LUCOMSERVER.EXE, LUINIT.EXE, LUSPT.EXE, MAPISVC32.EXE, MCAGENT.EXE, MCMNHDLR.EXE, MCSHIELD.EXE, MCTOOL.EXE, MCUPDATE.EXE, MCVSRTE.EXE, MCVSSHLD.EXE, MD.EXE, MFIN32.EXE, MFW2EN.EXE, MFWENG3.02D30.EXE, MGAVRTCL.EXE, MGAVRTE.EXE, MGHTML.EXE, MGUI.EXE, MINILOG.EXE, MMOD.EXE, MONITOR.EXE, MOOLIVE.EXE, MOSTAT.EXE, MPFAGENT.EXE, MPFSERVICE.EXE, MPFTRAY.EXE, MRFLUX.EXE, MSAPP.EXE, MSBB.EXE, MSBLAST.EXE, MSCACHE.EXE, MSCCN32.EXE, MSCMAN.EXE, MSCONFIG.EXE, MSDM.EXE, MSDOS.EXE, MSIEXEC16.EXE, MSINFO32.EXE, MSLAUGH.EXE, MSMGT.EXE, MSMSGRI32.EXE, MSSMMC32.EXE, MSSYS.EXE, MSVXD.EXE, MU0311AD.EXE, MWATCH.EXE, N32SCANW.EXE, NAV.EXE, NAVAP.NAVAPSVC.EXE, NAVAPSVC.EXE, NAVAPW32.EXE, NAVDX.EXE, NAVENGNAVEX15.NAVLU32.EXE, NAVLU32.EXE, NAVNT.EXE, NAVSTUB.EXE, NAVW32.EXE, NAVWNT.EXE, NC2000.EXE, NCINST4.EXE, NDD32.EXE, NEOMONITOR.EXE, NEOWATCHLOG.EXE, NETARMOR.EXE, NETD32.EXE, NETINFO.EXE, NETMON.EXE, NETSCANPRO.EXE, NETSPYHUNTER-1.2.EXE, NETSTAT.EXE, NETUTILS.EXE, NISSERV.EXE, NISUM.EXE, NMAIN.EXE, NOD32.EXE, NORMIST.EXE, NORTON_INTERNET_SECU_3.0_407.EXE, NOTSTART.EXE, NPF40_TW_98_NT_ME_2K.EXE, NPFMESSENGER.EXE, NPROTECT.EXE, NPSCHECK.EXE, NPSSVC.EXE, NSCHED32.EXE, NSSYS32.EXE, NSTASK32.EXE, NSUPDATE.EXE, NT.EXE, NTRTSCAN.EXE, NTVDM.EXE, NTXconfig.EXE, NUI.EXE, NUPGRADE.EXE, NVARCH16.EXE, NVC95.EXE, NVSVC32.EXE, NWINST4.EXE, NWSERVICE.EXE, NWTOOL16.EXE, OLLYDBG.EXE, ONSRVR.EXE, OPTIMIZE.EXE, OSTRONET.EXE, OTFIX.EXE, OUTPOST.EXE, OUTPOSTINSTALL.EXE, OUTPOSTPROINSTALL.EXE, PADMIN.EXE, PANIXK.EXE, PATCH.EXE, PAVCL.EXE, PAVPROXY.EXE, PAVSCHED.EXE, PAVW.EXE, PCC2002S902.EXE, PCC2K_76_1436.EXE, PCCIOMON.EXE, PCCNTMON.EXE, PCCWIN97.EXE, PCCWIN98.EXE, PCDSETUP.EXE, PCFWALLICON.EXE, PCIP10117_0.EXE, PCSCAN.EXE, PDSETUP.EXE, PENIS.EXE, PERISCOPE.EXE, PERSFW.EXE, PERSWF.EXE, PF2.EXE, PFWADMIN.EXE, PGMONITR.EXE, PINGSCAN.EXE, PLATIN.EXE, POP3TRAP.EXE, POPROXY.EXE, POPSCAN.EXE, PORTDETECTIVE.EXE, PORTMONITOR.EXE, POWERSCAN.EXE, PPINUPDT.EXE, PPTBC.EXE, PPVSTOP.EXE, PRIZESURFER.EXE, PRMT.EXE, PRMVR.EXE, PROCDUMP.EXE, PROCESSMONITOR.EXE, PROCEXPLORERV1.0.EXE, PROGRAMAUDITOR.EXE, PROPORT.EXE, PROTECTX.EXE, PSPF.EXE, PURGE.EXE, PUSSY.EXE, PVIEW95.EXE, QCONSOLE.EXE, QSERVER.EXE, RAPAPP.EXE, RAV7.EXE, RAV7WIN.EXE, RAV8WIN32ENG.EXE, RAY.EXE, RB32.EXE, RCSYNC.EXE, REALMON.EXE, REGED.EXE, REGEDIT.EXE, REGEDT32.EXE, RESCUE.EXE, RESCUE32.EXE, RRGUARD.EXE, RSHELL.EXE, RTVSCAN.EXE, RTVSCN95.EXE, RULAUNCH.EXE, RUN32DLL.EXE, RUNDLL.EXE, RUNDLL16.EXE, RUXDLL32.EXE, SAFEWEB.EXE, SAHAGENT.EXE, SAVE.EXE, SAVENOW.EXE, SBSERV.EXE, SC.EXE, SCAM32.EXE, SCAN32.EXE, SCAN95.EXE, SCANPM.EXE, SCRSCAN.EXE, SCRSVR.EXE, SCVHOST.EXE, SD.EXE, SERV95.EXE, SERVICE.EXE, SERVLCE.EXE, SERVLCES.EXE, SETUP_FLOWPROTECTOR_US.EXE, SETUPVAMEEVAL.EXE, SFC.EXE, SGSSFW32.EXE, SH.EXE, SHELLSPYINSTALL.EXE, SHN.EXE, SHOWBEHIND.EXE, SMC.EXE, SMS.EXE, SMSS32.EXE, SOAP.EXE, SOFI.EXE, SPERM.EXE, SPF.EXE, SPHINX.EXE, SPOLER.EXE, SPOOLCV.EXE, SPOOLSV32.EXE, SPYXX.EXE, SREXE.EXE, SRNG.EXE, SS3EDIT.EXE, SSG_4104.EXE, SSGRATE.EXE, ST2.EXE, START.EXE, STCLOADER.EXE, SUPFTRL.EXE, SUPPORT.EXE, SUPPORTER5.EXE, SVC.EXE, SVCHOSTC.EXE, SVCHOSTS.EXE, SVSHOST.EXE, SWEEP95.EXE, SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE, SYMPROXYSVC.EXE, SYMTRAY.EXE, SYSEDIT.EXE, SYSTEM.EXE, SYSTEM32.EXE, SYSUPD.EXE, TASKMG.EXE, TASKMO.EXE, TASKMON.EXE, TAUMON.EXE, TBSCAN.EXE, TC.EXE, TCA.EXE, TCM.EXE, TDS2-98.EXE, TDS2-NT.EXE, TDS-3.EXE, TEEKIDS.EXE, TFAK.EXE, TFAK5.EXE, TGBOB.EXE, TITANIN.EXE, TITANINXP.EXE, TRACERT.EXE, TRICKLER.EXE, TRJSCAN.EXE, TRJSETUP.EXE, TROJANTRAP3.EXE, TSADBOT.EXE, TVMD.EXE, TVTMD.EXE, UNDOBOOT.EXE, UPDAT.EXE, UPDATE.EXE, UPGRAD.EXE, UTPOST.EXE, VBCMSERV.EXE, VBCONS.EXE, VBUST.EXE, VBWIN9X.EXE, VBWINNTW.EXE, VCSETUP.EXE, VET32.EXE, VET95.EXE, VETTRAY.EXE, VFSETUP.EXE, VIR-HELP.EXE, VIRUSMDPERSONALFIREWALL.EXE, VNLAN300.EXE, VNPC3000.EXE, VPC32.EXE, VPC42.EXE, VPFW30S.EXE, VPTRAY.EXE, VSCAN40.EXE, VSCENU6.02D30.EXE, VSCHED.EXE, VSECOMR.EXE, VSHWIN32.EXE, VSISETUP.EXE, VSMAIN.EXE, VSMON.EXE, VSSTAT.EXE, VSWIN9XE.EXE, VSWINNTSE.EXE, VSWINPERSE.EXE, W32DSM89.EXE, W9X.EXE, WATCHDOG.EXE, WEBDAV.EXE, WEBSCANX.EXE, WEBTRAP.EXE, WFINDV32.EXE, WGFE95.EXE, WHOSWATCHINGME.EXE, WIMMUN32.EXE, WIN32.EXE, WIN32US.EXE, WINACTIVE.EXE, WIN-BUGSFIX.EXE, WINDOW.EXE, WINDOWS.EXE, WININETD.EXE, WININIT.EXE, WININITX.EXE, WINLOGIN.EXE, WINMAIN.EXE, WINNET.EXE, WINPPR32.EXE, WINRECON.EXE, WINSERVN.EXE, WINSSK32.EXE, WINSTART.EXE, WINSTART001.EXE, WINTSK32.EXE, WINUPDATE.EXE, WKUFIND.EXE, WNAD.EXE, WNT.EXE, WRADMIN.EXE, WRCTRL.EXE, WSBGATE.EXE, WUPDATER.EXE, WUPDT.EXE, WYVERNWORKSFIREWALL.EXE, XPF202EN.EXE, ZAPRO.EXE, ZAPSETUP3001.EXE, ZATUTOR.EXE, ZONALM2601.EX and ZONEALARM.EXE.

At this step it also tries to remove several files and registry keys belonging to various malware, as follows:
* files removed from %system% folder:
Drvddll.exeopenopenopenopen
drvddll.exeopenopenopen
Drvddll.exeopenopen
Drvddll.exeopen
drvddll.exe


* files removed from %windir% folder:
FVProtect.exe
userconfig9x.dll
base64.tmp
zip1.tmp
zip2.tmp
zip3.tmp
zipped.tmp


* registry keys removed from SOFTWARE\Microsoft\Windows\CurrentVersion\Run both from HKLM and HKCU:
My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
Explorer
direct.exe
winupd.exe


* registry keys removed from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run only:
system.
msgsvr32
jijbl
service
Sentry


* registry keys removed from HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run only:
au.exe
d3dupdate.exe
OLE
gouday.exe
rate.exe
Taskmon
Windows Services Host
sysmon.exe
srate.exe
ssate.exe


* registry keys removed from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce:
system.
Video


As a payload it seems the worm performs after 8th of August 2004 DDoS attacks on www.techtv.com by sending some HTTP requests on 97 threads.

It scans some specific locations (like temporary internet files), drive A: and fixed and ramdisk drives from C: through Z: for certain file types which may contain email addresses, namely:
wab
pl
adb
tbb
html
xml
cfg
vbs
msg
dbx
uin
jsp
asp
cgi
php
sht
mht
ods
log
mbx
nch
eml


The sender may be one of the following: vladimir, otto, penny, marie, freddy, elvin, anthony, zidane, connie, lenny, vivian, walter, stephen, brovac, hanson, carey, joshua, linda, julie, jimmy, jerry, helen, lissy, claudia, humm, anna, alice, stella, adam, harry, fred, jack, bill, stan, smith, steve, matt, dave, ronnie, joe, jane, bob, robert, peter, tom, chang, mary, william, brian, jim, maria, dolly, jose, steven, sam, george, david, kevin, mike, james, michael, alex, john or niky with different domain names.

One of the message bodies it may choose is:
If you want to see this video please open this URL with your favorite media player such as WinAmp or Windows Media Player.

"http://**.***.*.***/stevemitton.com/iraq2vediom.wmv". If there is fail please download it from your email attachment.

Thanks for watching.


There is a never used string saying:
-={ 4tt4(k 4g4!n$t N3tSky, B34gl3, MyD00m, L0vG4t3, N4ch!, Bl4st3r }=-
It reads "Attack against Netsky, Beagle, Mydoom, LovGate, Nachi, Blaster"

There also is another string - an encrypted one - discovered in both versions, namely:
"Developed by Melhacker(TM) for personal research only."

The string was found at offset 0xA238 (41528) in the upacked file:



The encryption is weak: all bits are negated. The decrypted string looks like this:




The worm was compiled with Visual C++ 6.00 and packed with FSG 2.0.