Win32.Tattona.A@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Tattona.A@mm is also known as W32/Hygui-A.
Explanation:
It arrives through e-mail in the following format:
Subject:
Incredibile.. or
Urgente! (vedi allegato) or
Qualsiasi cosa fai,falla al meglio. or
Incredible..
Body (English):
Hello,
see this interesting file.
Bye
Body (Italian):
Ciao,
okkio all'allegato ;-) or
devi assolutamente vedere il file che ti ho allegato. or
apri subito l'allegato,e' molto interessante.
A presto…
Attachment: one of the following
-Tattoo.exe
-Euro.exe
-Tettona.exe
After the user opens the attachment, the worm copies itself into the Windows directory as dllmgr32.exe and adds the following registry value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DllManage with value: C:\Windows\dllmgr32.exe.
Next it displays a message box (image not reproduced in this text) and then stops.
After the computer restarts, the worm checks the date; if it is January 12, it displays a second message box (image not reproduced in this text).
Next it opens a TCP/IP connection and waits for remote commands, acting as a backdoor.
The worm sends itself to all e-mail addresses found in the user's address book, in the same format in which it arrives.
Last update 21 November 2011
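The following is an added detection example, not code from BitDefender's entry: it matches a message against the subject lines and attachment names listed above, and checks a Run-key listing for the dllmgr32.exe persistence entry. The sample e-mail and registry listing are constructed for the example.

```python
# Added example (not BitDefender's code): match an e-mail and a Run-key
# listing against the Win32.Tattona.A@mm indicators described above.
from email import message_from_string
from email.message import Message

# Indicators taken from the description above.
SUBJECTS = {"Incredibile..", "Urgente! (vedi allegato)",
            "Qualsiasi cosa fai,falla al meglio.", "Incredible.."}
ATTACHMENTS = {"tattoo.exe", "euro.exe", "tettona.exe"}
RUN_VALUE, RUN_DATA = "DllManage", r"c:\windows\dllmgr32.exe"

# Constructed sample message in the format the entry describes.
SAMPLE_EML = """\
Subject: Urgente! (vedi allegato)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Ciao,
okkio all'allegato ;-)
--b1
Content-Type: application/octet-stream; name="Tettona.exe"
Content-Disposition: attachment; filename="Tettona.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def attachment_names(msg: Message) -> list[str]:
    """Lower-cased filename of every attachment part."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]

def classify_email(raw: str) -> dict:
    """Flag a message that combines a known subject with a known attachment."""
    msg = message_from_string(raw)
    subject_hit = (msg.get("Subject") or "").strip() in SUBJECTS
    attach_hit = any(n in ATTACHMENTS for n in attachment_names(msg))
    verdict = "Win32.Tattona.A@mm" if subject_hit and attach_hit else "clean"
    return {"subject": subject_hit, "attachment": attach_hit, "verdict": verdict}

def run_key_hits(run_values: dict[str, str]) -> list[str]:
    """Names of Run-key values ({name: data}) matching the persistence entry."""
    return [n for n, d in run_values.items()
            if n.lower() == RUN_VALUE.lower() or d.strip('"').lower() == RUN_DATA]
```

`run_key_hits` expects the values under the Run key as a plain name-to-data mapping, so it can be fed from an exported .reg file or a live registry read.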