How about this new virus "Win32.Atak.A@mm"

Discussion in 'NOD32 version 2 Forum' started by martindijk, Jul 12, 2004.

  1. martindijk

  2. mrtwolman

  3. Blackspear

    Here is the info from that site:

    Name: Win32.Atak.A@mm
    Aliases: n/a
    Type: Executable Worm Mass Mailer
    Size: 15917 bytes (packed with FSG 2.0)
    Discovered: 12.07.2004
    Detected: 12.07.2004
    Spreading: Medium
    Damage: Low
    In The Wild: Yes

    Symptoms:
    Presence of hint.exe in the %system% folder (e.g. C:\Windows\System32) and in the process list.

    The registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" containing the string "load" which points to "%system%\hint.exe".


    Technical description:
    This worm is a typical mass-mailer arriving in infected attachments with double-extension names.

    When run it attempts to create the mutex SloperMtx to avoid a duplicate process running simultaneously.

    Then it checks that the system time is valid and whether the process is being debugged, in which case it quits.

    Next the worm installs itself by self-copying into the %system% directory under the name hint.exe; it sets

    [windows]
    load=%system%\hint.exe

    in %windir%\win.ini and starts harvesting email addresses and sending mails.

    The following file types are scanned for email addresses:
    wab, pl, adb, tbb, html, xml, cfg, vbs, msg, bdx, uin, jsp, asp, cgi, php, sht, mht, ods, log, htm, mbx, nch, eml, txt

    The sender may be one of the following: kevin@, huck@, george@, mike@, andrew@ or jose@ with different domain names.

    There is a never-used string saying:
    -={ 4tt4(k 4g4!n$t N3tSky, B34gl3, MyD00m, L0vG4t3, N4ch!, Bl4st3r }=-

    It was compiled with Visual C++ 6.00 and packed with FSG 2.0.



    Removal instructions:
    Manual removal:
    * open Task Manager by pressing [CTRL]+[ALT]+[DEL] in Win9X/ME or [CTRL]+[SHIFT]+[ESCAPE] in Win2000/XP
    * use End Process in the Processes tab on hint.exe
    * open Registry Editor by pressing [WIN]+[R], typing regedit and pressing [ENTER]
    * delete the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
    * delete %system%\hint.exe

    Automatic removal: let BitDefender disinfect infected files


    Removal tool:
    N/A
    Virus analyzed by:
    Mircea Ciubotariu BitDefender Virus Researcher

    Cheers :D
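As an added example (my own code, not from the forum post and not BitDefender's write-up or tool): a read-only Python check for the two persistence indicators quoted above, the `[windows] load=` entry in win.ini and the `load` value under the HKCU key. The parsing functions work on text and run offline against constructed samples; the live-host part only runs on Windows, reads values without changing anything, and assumes %SystemRoot%\System32 is the %system% directory the write-up refers to.

```python
"""Read-only host check for the Win32.Atak.A@mm persistence indicators quoted
above (added example, not from the forum post or from BitDefender's write-up)."""
import os
import re
import sys

INDICATOR_EXE = "hint.exe"  # file name given in the write-up
# Key named in the write-up; the worm sets a "load" value under it (HKCU)
INDICATOR_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"

# hint.exe as a whole file name: start of string or a path separator before it,
# end of string or whitespace/quote after it, so winhint.exe or hint.exe.bak
# do not match
_HINT_RE = re.compile(
    r'(?:^|[\\/\s"])' + re.escape(INDICATOR_EXE) + r'(?:$|[\s"])', re.IGNORECASE)


def _names_hint_exe(value):
    return bool(_HINT_RE.search(value.strip()))


def check_win_ini(ini_text):
    """Return findings for a [windows] load= entry that points at hint.exe.

    Deliberately a minimal INI walk: real win.ini files carry comment lines
    and bare entries that configparser rejects in strict mode.
    """
    findings, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() == "load":
            if _names_hint_exe(value):
                findings.append(f"win.ini [windows] load={value.strip()}")
    return findings


def check_reg_export(reg_text):
    """Scan regedit .reg export text for a "load" value under the HKCU key
    above that points at hint.exe (backslashes are doubled in .reg data)."""
    findings, current = [], None
    target = ("HKEY_CURRENT_USER\\" + INDICATOR_KEY).lower()
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        m = re.match(r'"load"\s*=\s*"(.*)"$', line, re.IGNORECASE)
        if current == target and m and _names_hint_exe(
                m.group(1).replace("\\\\", "\\")):
            findings.append(f"HKCU\\{INDICATOR_KEY}\\load={m.group(1)}")
    return findings


def check_live_host():
    """On Windows, read the real win.ini, the registry value and the %system%
    folder (all read-only). Assumes %SystemRoot%\\System32 is %system%
    (an assumption of this example); returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module
    findings = []
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    ini_path = os.path.join(windir, "win.ini")
    if os.path.isfile(ini_path):
        with open(ini_path, encoding="utf-8", errors="replace") as fh:
            findings += check_win_ini(fh.read())
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INDICATOR_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "load")
            if _names_hint_exe(str(value)):
                findings.append(f"HKCU\\{INDICATOR_KEY}\\load={value}")
    except OSError:  # key or value absent: nothing to report
        pass
    exe_path = os.path.join(windir, "System32", INDICATOR_EXE)
    if os.path.isfile(exe_path):
        findings.append(f"file present: {exe_path}")
    return findings


# Constructed samples modelled on the write-up (not captured from a real host)
SAMPLE_WIN_INI_INFECTED = "; constructed\n[fonts]\n[windows]\nload=%system%\\hint.exe\nrun=\n"
SAMPLE_WIN_INI_CLEAN = "[windows]\nload=C:\\Tools\\winhint.exe\nrun=\n"
SAMPLE_REG_INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINDOWS\\System32\\hint.exe"
"NullPort"="None"
'''
SAMPLE_REG_CLEAN = SAMPLE_REG_INFECTED.replace(
    '"C:\\\\WINDOWS\\\\System32\\\\hint.exe"', '""')

if __name__ == "__main__":
    for name, result in [("win.ini sample", check_win_ini(SAMPLE_WIN_INI_INFECTED)),
                         ("reg sample", check_reg_export(SAMPLE_REG_INFECTED)),
                         ("this host", check_live_host())]:
        print(name, "->", result or "no indicator")
```

The file-name match is anchored on purpose: the write-up names hint.exe specifically, and a loose substring test would flag unrelated programs such as a hypothetical winhint.exe. The live check reports the three indicators the description lists (win.ini entry, registry value, file in %system%); it does not stop processes or delete anything, so it is safe to run as a first triage step before following the removal instructions.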
     
  4. martindijk

    Some info:

    The latest mass-mailing worm is more annoying than dangerous, but Atak is interesting because it hides from antivirus researchers by going to sleep when it is being analysed


    Atak was first discovered on Monday and although antivirus companies do not expect it to cause much damage, they say it will be a nuisance because it can generate a large amount of spam.


    Graham Cluley, senior technology consultant for antivirus firm Sophos, said malware authors try to make the job of the antivirus researchers as difficult as possible by adding confusing code and using evasion techniques.


    "Atak tries to tell when someone is stepping through the code to analyse whether it is a virus or not. Often, a virus will contain lots of code that is designed to make it more complicated for AV companies to write the detections," said Cluley.


    Mikko Hyppönen, director of antivirus research at Finnish company F-Secure, explained that although it is standard practice for virus writers to protect their malware, this worm is exceptional.


    "It is standard for worms to have layers of encryption -- or armouring -- to keep out snoopers, but this goes way beyond that. It tries actively to detect if it is being analysed by antivirus research tools. If it thinks it is being analysed, it stops running and shuts down," said Hyppönen.


    Atak is not thought to be a serious threat, but because of recent detection and in-built protection, the worm's full functionality has not yet been fully analysed. However, it is known that the worm contains text that seems to threaten other well-known worms and viruses, such as MyDoom, Bagle and Netsky.


    Hyppönen said there is a possibility that Atak will try to seek out and destroy 'rival' worms.


    "We haven't been able to figure out if Atak tries to disable some of these viruses. The message implies it does contain some code that attacks other viruses," said Hyppönen.

    rgds,
    Martin
     