W32.Atak@mm

Discovered: July 13, 2004
Updated: July 14, 2004 11:12:00 AM
Systems Affected: Windows

W32.Atak@mm is a mass-mailing worm that uses its own SMTP engine to send its messages to email addresses it gathers from certain files on the compromised computer.

W32.Atak@mm is a mass-mailing worm that sends itself to all email addresses it gathers from files smaller than 81920 bytes that have one of the following extensions:
ASP
CFG
CGI
DBX
EML
HTM
HTML
JSP
LOG
MBX
MHT
MSG
NCH
ODS
PHP
SHT
TBB
UIN
VBS
XML
ADB
WAB

The worm typically arrives as an email message with the following properties:
From one of the following:
kevin
huck
george
mike
andrew
jose

Subject can be one of the following:
Read the Result!
Important Data!
[Blank]

Message body can be one of the following:
Authorized Researcher Only.
[Blank]

The attachment may have a double extension consisting of either JPG or GIF, followed by blank spaces and then an EXE extension. Alternatively, the attachment can be a .zip file that includes a copy of the worm.
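Mail-gateway detection logic for the message properties listed above, as an added example that is not part of the original writeup. It matches the sender names, subjects, body text and the padded double-extension attachment name, and also parses a raw message with the standard library email package. Two assumptions of the example: the bare first names are compared against both the From display name and the local part of the address, and the attachment pattern is generalized slightly so that the unpadded form (image extension immediately followed by .exe) is caught as well. The sample message at the bottom is constructed, not a real capture.

```python
import email
import email.utils
import re
from email import policy
from typing import Dict, Iterable

# Indicators taken from the writeup. "" stands for the [Blank] subject/body.
SENDER_NAMES = {"kevin", "huck", "george", "mike", "andrew", "jose"}
SUBJECTS = {"Read the Result!", "Important Data!", ""}
BODIES = {"Authorized Researcher Only.", ""}

# Image extension, a run of blanks, then .exe: "result.jpg          .exe".
# \s* rather than \s+ so the unpadded "result.jpg.exe" variant is caught too
# (generalization by this example, not stated in the writeup).
DOUBLE_EXT_RE = re.compile(r"\.(?:jpg|gif)\s*\.exe$", re.IGNORECASE)


def is_double_extension(filename: str) -> bool:
    """True when an attachment name hides an .exe behind an image extension."""
    return DOUBLE_EXT_RE.search(filename) is not None


def classify_message(sender: str, subject: str, body: str,
                     attachments: Iterable[str]) -> Dict[str, object]:
    """Match one message against the indicators and return a verdict.

    sender is the From display name or the local part of the address
    (assumption: the writeup lists bare first names, so both are compared,
    case-insensitively).
    """
    hits = []
    if sender.strip().lower() in SENDER_NAMES:
        hits.append("sender")
    if subject.strip() in SUBJECTS:
        hits.append("subject")
    if body.strip() in BODIES:
        hits.append("body")
    has_exe = has_zip = False
    for name in attachments:
        if is_double_extension(name):
            hits.append(f"attachment:{name}")
            has_exe = True
        elif name.lower().endswith(".zip"):
            hits.append(f"zip:{name}")
            has_zip = True
    # The padded double extension is a strong signal on its own. A zip plus
    # matching header text only earns a manual look, because a blank subject
    # or body also matches plenty of benign mail.
    context = sum(h in ("sender", "subject", "body") for h in hits)
    if has_exe:
        verdict = "block"
    elif has_zip and context >= 1:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "hits": hits}


def classify_eml(raw: bytes) -> Dict[str, object]:
    """Parse a raw RFC 5322 message and classify it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = email.utils.parseaddr(str(msg.get("From", "")))
    sender = display or addr.split("@", 1)[0]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return classify_message(sender, str(msg.get("Subject", "")), body, names)


# Constructed sample message (not a real capture); the attachment body is
# placeholder text, not an executable.
SAMPLE_EML = b"""\
From: kevin <kevin@example.invalid>
To: victim@example.invalid
Subject: Read the Result!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Authorized Researcher Only.

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="result.jpg          .exe"
Content-Transfer-Encoding: 7bit

placeholder bytes, not an executable
--b1--
"""

if __name__ == "__main__":
    print(classify_eml(SAMPLE_EML))
```

The verdict tiers are the example's own: a padded double extension is rejected outright, while a zip attachment is only escalated when at least one of the weak text indicators also matches, which keeps blank-subject mail from tripping the rule by itself.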

When the attachment is executed, the worm creates the following copy of itself:
%System%\Hint.exe

Next, it creates a mutex named "SloperMtx" to ensure that only one instance of the worm is executed on the computer.

It then adds the following line to the Win.ini file so that it executes every time Windows starts:
load = %System%\Hint.exe

The worm also adds the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load"="%System%\hint.exe"
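A host-side check for the artifacts above (the Win.ini load= line, the HKCU load value, the dropped %System%\Hint.exe and the SloperMtx mutex), as an added example that is not part of the original writeup. The win.ini parser and the findings logic take their input as strings so they run anywhere; live_check() applies them to the local host and only does anything on Windows. Assumptions of the example: %System% is taken to be %SystemRoot%\System32, and the ALERT/REVIEW wording is the example's own. The sample win.ini text is constructed.

```python
import ntpath
import os
import re
import sys
from typing import List, Optional

# Artifacts from the writeup.
DROPPED_FILE = "hint.exe"          # %System%\Hint.exe, compared case-insensitively
MUTEX_NAME = "SloperMtx"
REG_KEY_PATH = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
REG_VALUE_NAME = "load"


def win_ini_load_value(win_ini_text: str) -> Optional[str]:
    """Return the load= value from the [windows] section, or None if absent.

    Hand-rolled rather than configparser because real win.ini files contain
    lines without '=' and duplicate keys that make configparser raise.
    """
    in_windows = False
    for line in win_ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_windows = line[1:-1].strip().lower() == "windows"
            continue
        if in_windows and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "load":
                return value.strip()
    return None


def classify_load_values(win_ini_load: Optional[str],
                         registry_load: Optional[str]) -> List[str]:
    """Turn the two load= values into findings.

    load= is a legacy Windows 3.x autostart hook that modern software almost
    never uses, so any non-empty value is worth a look; Hint.exe is an alert.
    """
    findings = []
    sources = (("win.ini [windows] load=", win_ini_load),
               ("HKCU\\" + REG_KEY_PATH + "\\" + REG_VALUE_NAME, registry_load))
    for source, value in sources:
        if not value:
            continue
        # load= may list several programs separated by spaces or commas.
        names = [ntpath.basename(p.strip('"')).lower()
                 for p in re.split(r"[ ,]+", value.strip()) if p]
        if DROPPED_FILE in names:
            findings.append(f"ALERT: {source} starts {value} (W32.Atak@mm)")
        else:
            findings.append(f"REVIEW: {source} is non-empty: {value}")
    return findings


def live_check() -> List[str]:
    """Run the same checks against the local host (Windows only)."""
    if sys.platform != "win32":
        return ["not Windows: nothing checked"]
    import ctypes
    import winreg
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    try:
        with open(os.path.join(windir, "win.ini"), encoding="utf-8",
                  errors="replace") as fh:
            ini_load = win_ini_load_value(fh.read())
    except OSError:
        ini_load = None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_KEY_PATH) as key:
            reg_load = winreg.QueryValueEx(key, REG_VALUE_NAME)[0]
    except OSError:
        reg_load = None
    findings = classify_load_values(ini_load, reg_load)
    dropped = os.path.join(windir, "System32", "Hint.exe")  # %System% (assumption)
    if os.path.exists(dropped):
        findings.append(f"ALERT: dropped file present: {dropped}")
    # Opening the mutex by name succeeds only if some process already holds it.
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    kernel32.OpenMutexW.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p)
    handle = kernel32.OpenMutexW(0x00100000, 0, MUTEX_NAME)  # SYNCHRONIZE
    if handle:
        kernel32.CloseHandle(ctypes.c_void_p(handle))
        findings.append(f"ALERT: mutex {MUTEX_NAME} is held: worm may be running")
    return findings


# Constructed sample, not taken from a real host.
SAMPLE_WIN_INI = """\
; constructed sample win.ini
[windows]
load = C:\\WINDOWS\\system32\\Hint.exe
run=
[fonts]
"""

if __name__ == "__main__":
    print(classify_load_values(win_ini_load_value(SAMPLE_WIN_INI), None))
    print(live_check())
```

Both autostart locations are checked because the worm sets both; cleaning only the registry value and leaving the Win.ini line (or the reverse) would let the copy start again at the next logon.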