
Win32.Atak.C@mm

(Win32.Agist.A@mm, WORM_AGIST.A)
Spreading: very low
Damage: very low
Size: 14 KBytes (packed)
Discovered: 2004 Jul 18

SYMPTOMS:

Presence of the file ????.exe in the %SYSDIR% folder and in the process list.

The registry key [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] containing a "load" value that points to %SYSDIR%\????.exe, or the following entry in win.ini:

load=%SYSDIR%\????.EXE

where %SYSDIR% is the Windows System directory (e.g. C:\Windows\System, C:\WinNT\System32)
and each ? may be any letter or digit.

TECHNICAL DESCRIPTION:

This worm is a typical mass-mailer, arriving in attachments with the .exe or .zip extension.

When run, it attempts to create a mutex named after the currently logged-on user, to avoid a duplicate process running simultaneously.

Then it checks that the system time is valid and whether the process is being debugged, in which case it quits.

Next, the worm installs itself by copying to the %SYSDIR% directory under a random 4-character name, ????.exe; it then makes sure it will run at startup by setting the "load" entry in win.ini or in [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] to point to %SYSDIR%\????.EXE.
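A defender-side check for the persistence indicators listed under SYMPTOMS and in the installation step above, added here as an example and not part of the original description: it parses a win.ini text and the data of a registry "load" value for a program in a Windows system directory whose name is four letters or digits plus .exe. The extra C:\Windows\System32 entry, the function names and the sample win.ini are assumptions constructed for this example.

```python
import re

# System directories named in the description, plus C:\Windows\System32
# (an assumption for newer Windows versions; not stated on the page).
SYSTEM_DIRS = (r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32")

# The dropped file name: exactly four letters or digits followed by .exe
RANDOM_NAME = re.compile(r"^[a-z0-9]{4}\.exe$", re.IGNORECASE)

def is_suspicious_path(path: str) -> bool:
    r"""True when path points to <system dir>\????.exe as described."""
    path = path.strip().strip('"')
    directory, _, name = path.rpartition("\\")
    return directory.lower() in SYSTEM_DIRS and bool(RANDOM_NAME.match(name))

def suspicious_load_entries(win_ini_text: str) -> list:
    """Return programs on the [windows] section's load= line that match.

    Windows treats load= as a space-separated list of programs, so each
    item is checked on its own (paths containing spaces are not handled).
    """
    hits, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows":
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "load":
                hits.extend(p for p in value.split() if is_suspicious_path(p))
    return hits

def check_registry_load(value_data: str) -> bool:
    r"""Same check for the data of the load value under
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows."""
    return any(is_suspicious_path(p) for p in value_data.split())

# Constructed sample win.ini, not taken from a real infected machine.
SAMPLE_WIN_INI = """[windows]
load=C:\\WINNT\\System32\\a7kq.EXE
[Desktop]
Wallpaper=C:\\WINNT\\web\\wallpaper.bmp
"""

if __name__ == "__main__":
    print(suspicious_load_entries(SAMPLE_WIN_INI))            # ['C:\\WINNT\\System32\\a7kq.EXE']
    print(check_registry_load(r"C:\Windows\System\zz09.exe"))  # True
```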

Next, the worm searches for valid e-mail addresses in files with the following extensions:

.pl .adb .tbb .html .xml .cfg .vbs .msg .dbx .uin .jsp
.asp .cgi .php .sht .mht .ods .log .htm .mbx .nch .eml

It then sends itself using its own SMTP engine, in the following format:

From: (spoofed)

To:

Subject: (one of the following)
Against!
Revenge!

Body:
This is a multi-part message in MIME format.

Attachment:
may be a .exe file, or a .zip file containing a .exe file, with a random name

Removal instructions:

Manual removal:

* open Task Manager by pressing [CTRL]+[ALT]+[DEL] in Win9X/ME or [CTRL]+[SHIFT]+[ESCAPE] in Win2000/XP

* use End Process on ????.exe in the Processes tab

* open Registry Editor by pressing [WIN]+[R], typing regedit and pressing [ENTER]

* delete the "load" value from the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

* delete the entry load=%SYSDIR%\????.EXE from win.ini (using Notepad, for example)

* delete %SYSDIR%\????.exe


Automatic removal: let BitDefender disinfect infected files

ANALYZED BY:

Patrick Vicol, BitDefender Virus Researcher