
Win32.Atak.C@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Atak.C@mm is also known as Win32.Agist.A@mm, WORM_AGIST.A.

Explanation :

This worm is a typical mass-mailer that arrives as an e-mail attachment with the extension .exe or .zip.

When run, it attempts to create a mutex named after the currently logged-on user, so that only one copy of the worm runs at a time.

It then checks that the system time is valid and whether the process is being debugged; if it is being debugged, it quits.

Next, the worm installs itself by copying its body into the %system% directory under a random 4-character name (????.exe). It then ensures it runs at startup by setting the "load" entry in win.ini, or in [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows], to point to %SYSDIR%\????.EXE.
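The two persistence locations named above (the "load" entry under [windows] in win.ini, and the "load" value of the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows key) are cheap to audit. The following script is an added example, not BitDefender's code: it parses win.ini text and a registry value and flags any entry that points to a 4-character .exe inside the system directory. It assumes the random name is alphanumeric (the page only shows "????.exe") and that the value is an absolute path; on Windows it reads the live files, elsewhere it runs against constructed sample data.

```python
"""Audit the two "load" persistence locations named in the worm description:
the [windows] section of win.ini and the HKCU\\...\\Windows registry key.

Added example, not BitDefender's code. Assumes the random 4-character name is
alphanumeric (the page only shows "????.exe") and that the load value is an
absolute path into the system directory.
"""
import os
import re
import sys
from typing import List, Optional

# One path token: <dir>\<4 alphanumeric chars>.exe, case-insensitive.
_RANDOM_EXE = re.compile(
    r"^(?P<dir>.+)[\\/](?P<name>[A-Za-z0-9]{4})\.exe$", re.IGNORECASE
)


def parse_win_ini_load(win_ini_text: str) -> Optional[str]:
    """Return the value of 'load=' under [windows] in win.ini text, or None."""
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "load":
                return value.strip()
    return None


def is_suspicious_load_value(value: Optional[str], sysdir: str) -> bool:
    """True if any path in the load value is a 4-char .exe inside sysdir."""
    if not value:
        return False
    want = sysdir.rstrip("\\/").lower()
    # Legacy load= values may list several programs separated by spaces or commas.
    for token in re.split(r"[\s,]+", value.strip()):
        match = _RANDOM_EXE.match(token.strip('"'))
        if match and match.group("dir").rstrip("\\/").lower() == want:
            return True
    return False


def audit(win_ini_text: str, registry_load: Optional[str], sysdir: str) -> List[str]:
    """Return one finding per persistence location that matches the pattern."""
    findings = []
    ini_value = parse_win_ini_load(win_ini_text)
    if is_suspicious_load_value(ini_value, sysdir):
        findings.append(f"win.ini [windows] load={ini_value}")
    if is_suspicious_load_value(registry_load, sysdir):
        findings.append(
            r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load="
            + registry_load
        )
    return findings


def collect_live() -> tuple:
    """On Windows, read the real win.ini and registry value; elsewhere return empties."""
    if sys.platform != "win32":
        return "", None, ""
    import winreg  # only available on Windows
    windir = os.environ.get("WINDIR", r"C:\Windows")
    sysdir = os.path.join(windir, "system32")
    try:
        with open(os.path.join(windir, "win.ini"), encoding="utf-8", errors="replace") as fh:
            ini_text = fh.read()
    except OSError:
        ini_text = ""
    reg_value = None
    try:
        key = winreg.OpenKey(
            winreg.HKEY_CURRENT_USER,
            r"Software\Microsoft\Windows NT\CurrentVersion\Windows",
        )
        reg_value, _ = winreg.QueryValueEx(key, "load")
        winreg.CloseKey(key)
    except OSError:
        pass  # key or value absent: nothing configured there
    return ini_text, reg_value, sysdir


# Constructed sample data: a win.ini and registry value as the worm would leave them.
SAMPLE_SYSDIR = r"C:\WINDOWS\system32"
SAMPLE_WIN_INI = "[windows]\nload=C:\\WINDOWS\\system32\\qxzr.exe\nrun=\n[fonts]\n"
SAMPLE_REGISTRY_LOAD = r"C:\WINDOWS\system32\qxzr.exe"

if __name__ == "__main__":
    ini_text, reg_value, sysdir = collect_live()
    if not sysdir:  # not on Windows: demonstrate with the constructed sample
        ini_text, reg_value, sysdir = SAMPLE_WIN_INI, SAMPLE_REGISTRY_LOAD, SAMPLE_SYSDIR
    for finding in audit(ini_text, reg_value, sysdir):
        print("suspicious:", finding)
```

A non-empty "load" value is unusual on a modern system in any case; the 4-character filter only narrows the result to the naming pattern this worm uses, so a hit on an unrelated name still deserves a look.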

Next, the worm searches for valid e-mail addresses in files with the following extensions:

.pl .adb .tbb .html .xml .cfg .vbs .msg .dbx .uin .jsp
.asp .cgi .php .sht .mht .ods .log .htm .mbx .nch .eml

It then sends itself, using its own SMTP engine, in the following format:

From: (spoofed)

To:

Subject: (one of the following)
Against!
Revenge!

Body:
This is a multi-part message in MIME format.

Attachment:
a .exe file, or a .zip file containing a .exe file, with a random name
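The message template above (a fixed subject of "Against!" or "Revenge!", a MIME boilerplate body, and a random-named .exe either attached directly or inside a .zip) is narrow enough to match at a mail gateway. The script below is an added example, not BitDefender's code: it uses Python's standard email and zipfile modules to parse a message, list executable attachments (including .exe members of .zip attachments), and flag messages that combine one of the two subjects with such a payload. The sample messages are constructed here, and the attachment bytes are placeholders, not executable content.

```python
"""Flag e-mails that match the worm's message template: Subject "Against!" or
"Revenge!" together with a .exe attachment or a .zip holding a .exe.

Added example, not BitDefender's code. The sample messages below are
constructed; attachment bytes are placeholders, not executable content.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List

SUSPICIOUS_SUBJECTS = {"Against!", "Revenge!"}
BODY_TEXT = "This is a multi-part message in MIME format."


def parse(raw: bytes) -> EmailMessage:
    """Parse raw message bytes with the modern policy so iter_attachments() is available."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def executable_names(msg: EmailMessage) -> List[str]:
    """List .exe attachments and .exe members of .zip attachments ("zip:member")."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        if lower.endswith(".exe"):
            found.append(name)
        elif lower.endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    found.extend(
                        f"{name}:{member}"
                        for member in zf.namelist()
                        if member.lower().endswith(".exe")
                    )
            except zipfile.BadZipFile:
                found.append(f"{name}:<unreadable zip>")  # still worth a look
    return found


def matches_atak_template(msg: EmailMessage) -> bool:
    """True when the subject is one of the worm's two and an executable payload is present."""
    subject = (msg.get("Subject") or "").strip()
    return subject in SUSPICIOUS_SUBJECTS and bool(executable_names(msg))


# --- constructed samples ------------------------------------------------

def _zip_with(member: str) -> bytes:
    """Build an in-memory zip whose only member is a placeholder, not a real .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not an executable")
    return buf.getvalue()


def _build(subject: str, filename: str, data: bytes, maintype: str, subtype: str) -> bytes:
    """Assemble a multipart message in the shape the description gives."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"  # the worm spoofs From
    msg["To"] = "harvested.address@example.invalid"
    msg["Subject"] = subject
    msg.set_content(BODY_TEXT)
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


SAMPLE_EXE_MAIL = _build("Revenge!", "qxzr.exe", b"placeholder", "application", "octet-stream")
SAMPLE_ZIP_MAIL = _build("Against!", "qxzr.zip", _zip_with("qxzr.exe"), "application", "zip")
SAMPLE_BENIGN_MAIL = _build("Meeting notes", "report.pdf", b"%PDF-placeholder", "application", "pdf")

if __name__ == "__main__":
    for label, raw in (("exe", SAMPLE_EXE_MAIL), ("zip", SAMPLE_ZIP_MAIL), ("benign", SAMPLE_BENIGN_MAIL)):
        msg = parse(raw)
        print(label, matches_atak_template(msg), executable_names(msg))
```

Requiring both the subject and the executable payload keeps the rule specific to this worm; the executable_names() check on its own is the more general control, since an .exe inside an attached archive is rarely legitimate mail.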

Last update 21 November 2011
