1. Symantec/
  2. Security Response/
  3. W32.Ackantta@mm


Risk Level 2: Low

December 3, 2008
December 3, 2008 2:45:35 PM
Also Known As:
W32/Xirtem@MM [McAfee], WORM_MYDOOM.CG [Trend], Backdoor:W32/SdBot.CNJ [F-Secure], Win32/Mytob.OO [Computer Associates], P2PShared.U [Panda Software]
Trojan, Worm
Infection Length:
Systems Affected:
W32.Ackantta@mm is a worm that spreads using several methods including email and removable drives. It is used primarily as a platform to install revenue generating payloads. It also has stealth capabilities and attempts to disrupt the operations of security software.

The Ackantta worm has been frequently refined since its emergence in December of 2008. Ackantta variants primarily used three main methods of propagation, these are:

  • Email with attachments
  • Copying to removable drives and network shares
  • Copying to P2P shared folders

In addition, some more recent variants also made use of file infection as a means of spreading. The file infection method is not of the traditional viral code infection where executable files are modified with viral code. Instead Ackantta took two different variations of this theme:

  • Modifying HTML files on Apache and IIS Web servers to serve up links to a copy of the worm.
  • Repackaging existing .exe and .msi files to include a copy of the worm.

Using all the different methods to propagate helps Ackantta to achieve a relatively high rate of infection.

When it is sent out through email, the worm is usually delivered together with a social engineering lure. The most common lure used by Ackantta emails is that of an ecard. This is likely chosen because the ecard subject matter is suitable for use with a whole variety of annual occasions including St Valentines day, Easter, new year and Christmas.

When copying itself to removable/network drives and P2P shared folders, Ackantta attempts to disguise itself with tempting file names. The file names make it appear as if the worm file was a full copy of or a crack or key generator for popular commercial applications or games.

Ackantta initially appeared with a relatively basic collection of features. It performs the usual activities associated with malwares, that is it drops various files and manipulates the registry to install itself. During the installation process, it attempts to identify and disable various software that may be present on the compromised computer to try and ensure that it can run for as long as possible without being detected. It may do this by terminating processes or services and manipulating the registry to prevent targeted software from running in the first place.

It then attempts to contact various remote servers to establish whether it is actually connected to the Internet and if so attempt to download additional files from other remote locations.

Revenue generation appears to be the motivation behind the development and spread of Ackantta. It tries to achieve this by downloading additional malware files. It is known that some variants of Ackantta may download and install copies of Trojan.Awax, Trojan.Vundo and W32.Mozipowp, the latter two are associated with the displaying of adverts on compromised computers. By doing this, the people responsible for Ackantta are likely to be earning commission from affiliate schemes for infected hosts and also revenue from adverts.

Some variants of Ackantta may also open a back door allowing an attacker to run commands and also log key strokes adding yet another potential revenue stream in terms of stolen account credentials.

Removal tool

A removal tool has been created to repair files infected by W32.Ackantta.H@mm. The infected files are detected as W32.Ackantta!Dr.

Symantec has observed the following geographic distribution of this threat.

Symantec has observed the following infection levels of this threat worldwide.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

Antivirus Protection Dates

  • Initial Rapid Release version December 3, 2008 revision 003
  • Latest Rapid Release version March 3, 2018 revision 009
  • Initial Daily Certified version December 3, 2008 revision 004
  • Latest Daily Certified version August 9, 2016 revision 001
  • Initial Weekly Certified release date December 3, 2008
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: Hon Lau

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube