I read about the new worm Atak; everyone writes that it can hide when it suspects that antivirus software is trying to detect it. But how can a virus do something like this? Maybe someone knows technical details about this threat?
WORM_ATAK.A is a worm that propagates via email, using its own Simple Mail Transfer Protocol (SMTP) engine. It looks for email recipients in files with specific extensions, in the infected computer. It runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this memory-resident worm drops a copy of itself as HINT.EXE in the Windows system folder. This worm modifies the WIN.INI file and the registry, to allow itself to automatically execute at every system startup.

Using its own SMTP (Simple Mail Transfer Protocol) engine to propagate via email, the worm sends email with the following details:

From: (any of the following)
    Andrew
    george
    kevin

Subject: (any of the following)
    Important Data!
    Read the Result!

Message body:
    Authorized Researcher Only.

Attachment: (any of the following)
    A .zip <3-7 random lower-case characters>.zip

Using double extension names with many spaces in between them, the file contained in the .ZIP attachment is made to appear as a picture file (example: ABCD.GIF. EXE).

The worm obtains target recipients’ email addresses from files with the following extensions found in the local machine:

ADB, ASP, CFG, CGI, DBX, EML, HTM, HTM, JSP, LOG, MBX, MHT, MSG, NCH, ODS, PHP, PL, SHT, TBB, TXT, UIN, VBS, WAB, XML

If you would like to scan your computer for WORM_ATAK.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_ATAK.A is detected and cleaned by Trend Micro pattern file #937 and above.
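
Added example (not part of the original posts or of Trend Micro's description): a Python check a mail filter could apply for the naming trick described above, where the file inside the .ZIP carries a picture extension, padding spaces, and then an executable extension. The extension lists and all function names are assumptions chosen for illustration, and the sample archive is constructed in memory with placeholder bytes.

```python
import io
import re
import zipfile

# Assumed lists for illustration; extend them to match local mail policy.
DECOY_EXTS = {"gif", "jpg", "jpeg", "bmp", "png", "txt", "doc", "pdf"}
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}

# <name>.<ext1><optional spaces>.<optional spaces><ext2><optional spaces>
DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]{1,5})\s*\.\s*([A-Za-z0-9]{1,5})\s*$")


def is_disguised_executable(filename):
    """True if the name ends in a decoy extension followed by an executable one."""
    m = DOUBLE_EXT.search(filename)
    if not m:
        return False
    return m.group(1).lower() in DECOY_EXTS and m.group(2).lower() in EXEC_EXTS


def scan_zip_attachment(data):
    """Return member names inside a ZIP (given as bytes) that look disguised."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []  # not a readable archive; route to separate handling
    # Only the base name is checked; directory components are ignored.
    return [n for n in names if is_disguised_executable(n.rsplit("/", 1)[-1])]


def build_sample_zip(member_names):
    """Constructed test input: an in-memory ZIP holding harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    padded = "ABCD.GIF" + " " * 40 + ".EXE"
    sample = build_sample_zip([padded, "notes.txt", "setup.exe"])
    for hit in scan_zip_attachment(sample):
        print("suspicious member:", repr(hit))
```

Printing the name with repr() makes the padding visible, which is exactly what a file listing with a narrow name column hides.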