
10 July 2004

New mass mailer proves difficult to read

There's a new mass mailer in town, and it's built to make the work of analysts even more difficult than it already is.

The new meanie, which goes by the name of Atak, uses a few nifty tricks to escape analysis. First and foremost, it checks whether it is being run in a debugging environment and, if so, exits to avoid detection. This prevents casual perusal of the code by researchers and rival script kiddies alike.

Moreover, a possible bug (related to the way it checks for the activation date) prevents it from being run in a "sandbox" (a virtual test tube, used by researchers to observe the behavior of malware).

"I haven't seen such ruses used in a mass mailer in a long time. This piece of code is so sloppy, it's devious," declared Mircea Ciubotariu, BitDefender antivirus researcher.

Other than that, the virus does a thorough job of scanning for valid e-mail addresses, checking (among other places) even the archives of the Moldavian-built "The Bat" mail client.

"I can't tell for sure where the writer is from, but there are some clues and hints of his whereabouts," Ciubotariu concluded.

Further information about the new virus is available in the BitDefender virus encyclopedia.
