14 July 2004

Atak.B may be dress-rehearsal for Scezda uber-worm

Various hints (including an encrypted string) in the object code of Atak.B indicate that it may be the brainchild of a Malaysia-based VXer who goes by the moniker of Melhacker (aka Vladimor Chamlkovic). Melhacker is a known Al-Qaeda sympathizer and has publicly stated that he will release an uber-worm by the name of Scezda if the US attacks Iraq again. He claimed that the worm will be a combination of features from Klez, SirCam and Nimda.

The Atak.B virus is indeed an executable mass mailer with a lot of different functions. It opens a backdoor on the infected computers and tries to kill various antivirus programs, firewalls, debuggers and other viruses (over 500 processes all in all).

It does a rather poor job of surviving, though, since its attempts to shut down BitDefender antivirus and firewall products do not succeed.

Just like the previous version, Atak.B uses a variety of other tricks to avoid detection and make the retrieval of its code more difficult. It also does the date trick again, to stay away from "sandboxes". "It's just as easy to crack as the first one, but it fails to stay stealthy in more interesting ways," declared Mircea Ciubotariu, BitDefender Antivirus Researcher.

One of the more annoying things the virus does is to initiate an uncoordinated DDoS attack against www.techtv.com. BitDefender techs have notified the site admin and offered assistance.

BitDefender Labs have received few reports from the wild and the actual spreading of this worm is still unknown. A full analysis of the worm can be found here.