
W32.Ackantta@mm

Risk Level 2: Low

Discovered:
December 3, 2008
Updated:
December 3, 2008 2:45:35 PM
Also Known As:
W32/Xirtem@MM [McAfee], WORM_MYDOOM.CG [Trend], Backdoor:W32/SdBot.CNJ [F-Secure], Win32/Mytob.OO [Computer Associates], P2PShared.U [Panda Software]
Type:
Trojan, Worm
Infection Length:
Varies
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
W32.Ackantta@mm is a worm that spreads using several methods including email and removable drives. It is used primarily as a platform to install revenue generating payloads. It also has stealth capabilities and attempts to disrupt the operations of security software.

Infection
The Ackantta worm has been refined frequently since its emergence in December 2008. Ackantta variants primarily use three methods of propagation:

  • Email with attachments
  • Copying to removable drives and network shares
  • Copying to P2P shared folders

In addition, some more recent variants also use file infection as a means of spreading. This is not the traditional viral infection in which executable files are modified to carry viral code. Instead, Ackantta uses two variations on the theme:

  • Modifying HTML files on Apache and IIS Web servers to serve up links to a copy of the worm.
  • Repackaging existing .exe and .msi files to include a copy of the worm.
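Both variations leave traces a defender can check for on the affected host: a content page that suddenly links to an executable or archive download, and an installer on a share whose hash no longer matches a trusted baseline. The script below is an added example (not Symantec's code and not derived from the worm): it scans HTML files for links to executable/archive downloads and compares SHA-256 digests of .exe/.msi files against a saved baseline. The watched extensions, link patterns and the sample web root it builds are assumptions for illustration; the attachment name postcard.zip is taken from the distribution summary of this writeup.

```python
"""Defender-side checks for the two file-infection behaviours described above.

Added example, not Symantec's code. Extensions, link patterns and sample
content are assumptions chosen to illustrate the approach.
"""
import hashlib
import re
import tempfile
from html.parser import HTMLParser
from pathlib import Path

# Download types an ordinary content page rarely links to directly
# (assumption: tune to the site's real download policy).
SUSPECT_EXT = (".exe", ".scr", ".zip", ".msi", ".pif", ".com")
INSTALLER_EXT = (".exe", ".msi")


class _LinkCollector(HTMLParser):
    """Collect link targets from <a>/<area> href, <iframe>/<script>/<embed> src and <meta refresh>."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "area") and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("iframe", "script", "embed") and a.get("src"):
            self.links.append(a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content") or "", re.I)
            if m:
                self.links.append(m.group(1).strip("'\""))


def find_executable_links(html):
    """Return link targets in the page that point at an executable or archive download."""
    parser = _LinkCollector()
    parser.feed(html)
    hits = []
    for link in parser.links:
        # Strip query string and fragment before checking the extension.
        path = link.split("?", 1)[0].split("#", 1)[0].lower()
        if path.endswith(SUSPECT_EXT):
            hits.append(link)
    return hits


def hash_tree(root, exts=INSTALLER_EXT):
    """SHA-256 every file with a watched extension under root: {relative path: digest}."""
    digests = {}
    root = Path(root)
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            digests[str(path.relative_to(root))] = h.hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Classify installers as added, removed or modified relative to a trusted baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Run both checks over a constructed web root / share (sample data, not real worm content)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text(
            '<html><body><a href="/about.html">About</a>'
            '<a href="/downloads/postcard.zip">View your ecard</a></body></html>')
        (root / "setup.msi").write_bytes(b"original installer bytes")
        baseline = hash_tree(root)  # taken while the share is known-good
        # Simulate an installer being repackaged and a new file appearing after the baseline.
        (root / "setup.msi").write_bytes(b"repackaged installer bytes")
        (root / "crack.exe").write_bytes(b"new file on the share")
        links = find_executable_links((root / "index.html").read_text())
        changes = diff_baseline(baseline, hash_tree(root))
        return links, changes


if __name__ == "__main__":
    found_links, found_changes = demo()
    print("suspicious links:", found_links)
    print("installer changes:", found_changes)
```

In practice the baseline from `hash_tree` would be stored off-host (signed or on read-only media) and compared on a schedule, since a worm that already has write access to the share could otherwise rewrite the baseline alongside the installers.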

Using all of these methods together helps Ackantta achieve a relatively high rate of infection.

When it is sent out through email, the worm is usually delivered with a social engineering lure. The most common lure used in Ackantta emails is an ecard, most likely because the ecard theme can be reused for a whole variety of annual occasions, including St Valentine's Day, Easter, New Year and Christmas.
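A mail gateway can catch this delivery pattern before the attachment reaches a user. The following is an added example, not Symantec's code: it parses a message, and flags it when a zip attachment carries one of the attachment names listed in this writeup's distribution summary, contains an executable member, or arrives under an ecard-style subject line. The lure keywords, the executable extension list and the sample messages are constructed assumptions.

```python
"""Mail-gateway style check for the ecard-lure / zip-attachment delivery described above.

Added example, not Symantec's code. The attachment names come from this writeup's
distribution summary; the lure keywords and sample messages are constructed.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

KNOWN_ATTACHMENT_NAMES = {"coupon.zip", "promotion.zip", "postcard.zip"}  # from the writeup
LURE_WORDS = ("ecard", "e-card", "postcard", "greeting", "valentine")    # assumption
EXEC_IN_ZIP = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")             # assumption


def zip_contains_executable(data):
    """True if any member of an in-memory zip has an executable extension.

    An unreadable archive is treated as suspicious rather than ignored, so a
    malformed zip cannot slip past the check.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXEC_IN_ZIP) for n in zf.namelist())
    except zipfile.BadZipFile:
        return True


def assess_message(raw):
    """Return the list of reasons a raw RFC 822 message should be quarantined (empty = pass)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    subject = (msg["subject"] or "").lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name in KNOWN_ATTACHMENT_NAMES:
            reasons.append(f"attachment name matches known lure: {name}")
        if name.endswith(".zip") and zip_contains_executable(payload):
            reasons.append(f"zip attachment {name} contains an executable")
        if name.endswith(".zip") and any(w in subject for w in LURE_WORDS):
            reasons.append("ecard-style subject with zip attachment")
    return reasons


def build_sample(subject, attachment_name, member_name):
    """Construct a test message whose zip attachment holds one harmless placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("You have received an ecard. Open the attachment to view it.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("You have received a postcard!", "postcard.zip", "postcard.exe")
    print("lure message:", assess_message(lure))
    benign = build_sample("Q3 report", "report.zip", "report.pdf")
    print("benign message:", assess_message(benign))
```

The name list alone is weak, since a new variant only has to pick a different file name; the structural rule (an executable inside a zip attachment) is the part of the check that keeps working across variants.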



When copying itself to removable drives, network shares and P2P shared folders, Ackantta attempts to disguise itself with tempting file names. The names make the worm file appear to be a full copy of, or a crack or key generator for, a popular commercial application or game.



Functionality
Ackantta initially appeared with a relatively basic set of features. It performs the activities usually associated with malware: it drops various files and manipulates the registry to install itself. During installation it attempts to identify and disable security software that may be present on the compromised computer, so that it can run for as long as possible without being detected. It may do this by terminating processes or services and by manipulating the registry to prevent the targeted software from running in the first place.

It then contacts various remote servers to establish whether it is actually connected to the Internet and, if so, attempts to download additional files from other remote locations.

Revenue generation appears to be the motivation behind the development and spread of Ackantta. It tries to achieve this by downloading additional malware files. Some variants of Ackantta are known to download and install copies of Trojan.Awax, Trojan.Vundo and W32.Mozipowp; the latter two are associated with displaying adverts on compromised computers. By doing this, the people responsible for Ackantta are likely earning commission from affiliate schemes for each infected host, as well as revenue from the adverts.

Some variants of Ackantta may also open a back door that allows an attacker to run commands and log keystrokes, adding yet another potential revenue stream in the form of stolen account credentials.


Removal tool

A removal tool has been created to repair files infected by W32.Ackantta.H@mm. The infected files are detected as W32.Ackantta!Dr.



GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.

PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.


SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.


Antivirus signatures


Antivirus (heuristic/generic)

Antivirus Protection Dates

  • Initial Rapid Release version December 3, 2008 revision 003
  • Latest Rapid Release version June 24, 2014 revision 006
  • Initial Daily Certified version December 3, 2008 revision 004
  • Latest Daily Certified version May 29, 2013 revision 003
  • Initial Weekly Certified release date December 3, 2008

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Medium
  • Payload: Opens a back door on the compromised computer.
  • Large Scale E-mailing: Sends a copy of itself to email addresses gathered from the compromised computer.
  • Modifies Files: May inject HTML code into .htm/.html files
  • Releases Confidential Info: Logs keystrokes typed into the compromised computer.
  • Compromises Security Settings: Attempts to disrupt operations of security related processes.

Distribution

  • Distribution Level: High
  • Subject of Email: Varies
  • Name of Attachment: coupon.zip, promotion.zip, postcard.zip and many others.
  • Shared Drives: Copies itself to shared and removable drives.
  • Target of Infection: Also targets P2P application folders and Apache and IIS Web servers.
Writeup By: Hon Lau
