Home / malware Win32.Atak.C@mm
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.Atak.C@mm is also known as Win32.Agist.A@mm, WORM_AGIST.A.
Explanation :
This worm is a tipycal mass-mailer arriving in attachments with extensions .exe or .zip
When run it attempts to create a mutex whose name is the current logged user, to avoid a duplicate process running simultaneously.
Then it checks the system time to be valid and if the process is debugged in which case it quits.
Next the worm installs by self-copying in %system% directory with a random 4 characters name ????.exe; then makes sure it will run at startup by setting the "load" entry in win.ini or in [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] to point to %SYSDIR%\????.EXE
Next, the worm starts searching for valid e-mail addresses if files matching:
.pl .adb .tbb .html .xml .cfg .vbs .msg .dbx .uin .jsp
.asp .cgi .php .sht .mht .ods .log .htm .mbx .nch .eml
Then sends itself using its own SMTP engine, in the following format:
From: (spoofed)
To:
Subject: (one of the following)
Against!
Revenge!
Body:
This is a multi-part message in MIME format.
Attachment:
may be a .exe or a .zip file containing a .exe file with random nameLast update 21 November 2011
