
Win32.Atak.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Atak.A@mm is also known as n/a.

Explanation :

This worm is a typical mass-mailer arriving in infected attachments with double-extension names.

When run, it attempts to create the mutex SloperMtx so that a second copy of the process does not run at the same time.

It then checks that the system time is valid and whether the process is being debugged; if it is, the worm quits.

Next, the worm installs itself by copying its body to the %system% directory under the name hint.exe and sets

[windows]
load=%system%hint.exe

in %windir%win.ini, then starts harvesting email addresses and sending mail.
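One way to check a host for the persistence entry just described, as an added example that is not part of the BitDefender description: it scans the `[windows]` section of win.ini for the legacy `load=` and `run=` autostart keys. The win.ini content it runs on is constructed for the demonstration.

```python
"""Flag autostart entries in the [windows] section of win.ini.

Added example, not BitDefender's tooling. The worm on this page persists
via `load=%system%hint.exe` under `[windows]`; `load=` and `run=` there
are legacy autostart keys, so any non-empty value deserves a look.
"""

AUTOSTART_KEYS = {"load", "run"}


def find_winini_autostart(text):
    """Return (key, value) pairs for load=/run= found under [windows].

    Parsed by hand rather than with configparser: real win.ini files can
    contain duplicate keys or stray lines that make a strict parser raise.
    """
    hits = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in AUTOSTART_KEYS and value:
            hits.append((key.lower(), value))
    return hits


# Constructed sample: benign sections plus the entry described above.
SAMPLE_WIN_INI = """\
; for 16-bit app support
[fonts]
[extensions]
[files]
[windows]
load=%system%hint.exe
run=
[Mail]
MAPI=1
"""

if __name__ == "__main__":
    for key, value in find_winini_autostart(SAMPLE_WIN_INI):
        print(f"suspicious autostart: [windows] {key}={value}")
```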

The following file types are scanned for email addresses:
wab
pl
adb
tbb
html
xml
cfg
vbs
msg
bdx
uin
jsp
asp
cgi
php
sht
mht
ods
log
htm
mbx
nch
eml
txt

The sender may be one of the following: kevin@, huck@, george@, mike@, andrew@ or jose@ with different domain names.

The binary also contains a string that is never used:
-={ 4tt4(k 4g4!n$t N3tSky, B34gl3, MyD00m, L0vG4t3, N4ch!, Bl4st3r }=-

It was compiled with Visual C++ 6.00 and packed with FSG 2.0.

Last update 21 November 2011
