How about this new virus "Win32.Atak.A@mm"

More info about virus "Win32.Atak.A@mm"

Hi all,

There is a new bug doing it's rounds.

More info: http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=280

rgds,
Martin

 

Bitdefender seems to have caused by the Atak press release havoc on their own site - sometimes there is problem to get access to it....

 

Here is the info from that site:

Name: Win32.Atak.A@mm
Aliases: n/a
Type: Executable Worm Mass Mailer
Size: 15917 bytes (packed with FSG 2.0)
Discovered: 12.07.2004
Detected: 12.07.2004
Spreading: Medium
Damage: Low
In The Wild: Yes

Symptoms:
Presence of hint.exe in %system% (e.g. C:\Windows\System32) folder and in processes list.

The registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" containing the string "load" which points to "%system%\hint.exe".


Technical description:
This worm is a tipycal mass-mailer arriving in infected attachments with double extesion names.

When run it attempts to create the mutex SloperMtx to avoid a duplicate process running simultaneously.

Then it checks the system time to be valid and if the process is debugged in which case it quits.

Next the worm installs by self-copying in %system% directory with the name hint.exe; sets

[windows]
load=%system%\hint.exe

in %windir%\win.ini and starts harvesting for email address and send mails.

The following file types are scanned for email addresses:
wab
pl
adb
tbb
html
xml
cfg
vbs
msg
bdx
uin
jsp
asp
cgi
php
sht
mht
ods
log
htm
mbx
nch
eml
txt

The sender may be one of the following: kevin@, huck@, george@, mike@, andrew@ or jose@ with different domain names.

There is a never used string saying:
-={ 4tt4(k 4g4!n$t N3tSky, B34gl3, MyD00m, L0vG4t3, N4ch!, Bl4st3r }=-

It was compiled with Visual C++ 6.00 and packed with FSG 2.0.



Removal instructions:
Manual removal:
* open Task Manager by pressing [CTR]+[ALT]+[DEL] in Win9X/ME or [CTRL]+[SHIFT]+[ESCAPE] for Win2000/XP
* use End Process in Processes tab on hint.exe
* open Registry Editor typing [WIN]+[R]regedit[ENTER]
* delete the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
* delete %system%\hint.exe

Automatic removal: let BitDefender disinfect infected files


Removal tool:
N/A
Virus analyzed by:
Mircea Ciubotariu BitDefender Virus Researcher

Cheers

 

Some info:

The latest mass-mailing worm is more annoying than dangerous, but Atak is interesting because it hides from antivirus researchers by going to sleep when it is being analysed


Atak was first discovered on Monday and although antivirus companies do not expect it to cause much damage, they say it will be a nuisance because it can generate a large amount of spam.


Graham Cluley, senior technology consultant for antivirus firm Sophos, said malware authors try to make the job of the antivirus researchers as difficult as possible by adding confusing code and using evasion techniques.


"Atak tries to tell when someone is stepping through the code to analyse whether it is a virus or not. Often, a virus will contain lots of code that is designed to make it more complicated for AV companies to write the detections," said Cluley.


Mikko Hyppönen, director of antivirus research at Finnish company F-Secure, explained that although it is standard practice for virus writers to protect their malware, this worm is exceptional.


"It is standard for worms to have layers of encryption -- or armouring -- to keep out snoopers, but this goes way beyond that. It tries actively to detect if it is being analysed by antivirus research tools. If it thinks it is being analysed, it stops running and shuts down," said Hyppönen.


Atak is not thought to be a serious threat, but because of recent detection and in-built protection, the worm's full functionality has not yet been fully analysed. However, it is known that the worm contains text that seems to threaten other well-known worms and viruses, such as MyDoom, Bagle and Netsky.


Hyppönen said there is a possibility that Atak will try to seek out and destroy 'rival' worms.


"We haven't been able to figure out if Atak tries to disable some of these viruses. The message implies it does contain some code that attacks other viruses," said Hyppönen.

rgds,
Martin