Win32.Atak.C@mm

VERY LOW
VERY LOW
Size: 14 KBytes (packed)
Aliases: Win32.Agist.A@mm, WORM_AGIST.A

Symptoms

Presence of the file ????.exe in the %SYSDIR% folder and in the process list.

The registry key "[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]" containing a "load" value which points to "%SYSDIR%\????.exe", or the following entry in win.ini:

load=%SYSDIR%\????.EXE

where %SYSDIR% is the Windows System directory (e.g. C:\Windows\System, C:\WinNT\System32)
and ? may be any letter or digit
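
The following PowerShell script is an added example, not part of the Bitdefender write-up, that checks the three symptoms listed above on a live system: the registry "load" value, the win.ini load= entry, and running processes whose image is a 4-character .exe in the system directory. It assumes the real path written by the worm is the actual system directory (the page's %SYSDIR% is a placeholder) and that the win.ini load= entry lives in its [windows] section.

```powershell
# Added detection check for the Win32.Atak.C@mm symptoms (example code, not Bitdefender's).
# Assumption: %SYSDIR% on the page means the real system directory on this machine.
$sysDir  = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
# <sysdir>\<4 letters or digits>.exe, case-insensitive (-match is case-insensitive by default)
$pattern = '^' + [regex]::Escape($sysDir) + '\\[A-Za-z0-9]{4}\.exe$'

function Test-AtakLoadValue {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $false }
    # Strip surrounding quotes and expand real environment variables before matching
    $expanded = [Environment]::ExpandEnvironmentVariables($Value.Trim('"'))
    return ($expanded -match $pattern)
}

# 1. Registry persistence: the "load" value under HKCU\...\Windows NT\CurrentVersion\Windows
$key  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$load = (Get-ItemProperty -Path $key -Name load -ErrorAction SilentlyContinue).load
if (Test-AtakLoadValue $load) { Write-Warning "Suspicious registry load value: $load" }

# 2. win.ini persistence: load= in the [windows] section (section assumed, see lead-in)
$winIni = Join-Path $env:SystemRoot 'win.ini'
if (Test-Path $winIni) {
    $inWindows = $false
    foreach ($line in Get-Content $winIni) {
        if ($line -match '^\s*\[(.+)\]') { $inWindows = ($Matches[1] -ieq 'windows'); continue }
        if ($inWindows -and $line -match '^\s*load\s*=\s*(.*)$') {
            if (Test-AtakLoadValue $Matches[1]) { Write-Warning "Suspicious win.ini load entry: $($Matches[1])" }
        }
    }
}

# 3. Running process whose image is a random 4-character .exe in the system directory
Get-Process | Where-Object { $_.Path -and ($_.Path -match $pattern) } |
    ForEach-Object { Write-Warning "Suspicious process $($_.Id): $($_.Path)" }
```

A hit on any of the three checks is only an indicator; confirm the flagged file with a scanner before deleting it, since legitimate 4-character executables do exist in the system directory.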

Removal instructions:

Manual removal:

* open Task Manager by pressing [CTRL]+[ALT]+[DEL] in Win9X/ME or [CTRL]+[SHIFT]+[ESCAPE] in Win2000/XP

* use End Process in the Processes tab on ????.exe

* open Registry Editor by pressing [WIN]+[R], typing regedit and pressing [ENTER]

* delete the "load" value under the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

* delete the entry "load=%SYSDIR%\????.EXE" from win.ini (using Notepad, for example)

* delete %SYSDIR%\????.exe


Automatic removal: let BitDefender disinfect infected files

Analyzed By

Patrick Vicol, BitDefender Virus Researcher

Technical Description:

This worm is a typical mass-mailer arriving in attachments with the extension .exe or .zip.

When run, it attempts to create a mutex named after the currently logged-on user, to avoid a duplicate process running simultaneously.

Then it checks that the system time is valid and whether the process is being debugged, in which case it quits.

Next the worm installs itself by copying to the %system% directory under a random 4-character name ????.exe; it then makes sure it runs at startup by setting the "load" entry in win.ini or in [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] to point to %SYSDIR%\????.EXE.

Next, the worm starts searching for valid e-mail addresses in files with the following extensions:

.pl .adb .tbb .html .xml .cfg .vbs .msg .dbx .uin .jsp
.asp .cgi .php .sht .mht .ods .log .htm .mbx .nch .eml

Then it sends itself using its own SMTP engine, in the following format:

From: (spoofed)

To:

Subject: (one of the following)
Against!
Revenge!

Body:
This is a multi-part message in MIME format.

Attachment:
may be a .exe or a .zip file containing a .exe file with random name