Thursday, July 15, 2004

Atak mass mailing worm

On the ever updating list of new mass mailing worms, we now have a new contender, known as Atak.

It seems that it copies itself to the system as %System%\hint.exe and creates a mutex named "SloperMtx" to ensure that only one instance of the worm is executed. On Windows NT/2000/XP, the worm adds the value:

"load"="%System%\hint.exe" to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

and on Windows 95/98/Me, the worm adds the following line to the [windows] section of the Win.ini file:


It sends itself to addresses harvested by searching the infected system, using a variety of forged From names and subject lines; the attachment is a .zip file containing a copy of the worm.

Again, infection requires user intervention, but the number of people who still get infected by opening these attachments and then opening the files inside is quite high - user stupidity is to blame, or maybe a combination of that and ignorance.

Update your AV software, or better still have it auto-update, since these updates are released on a daily basis. For a full analysis of the worm go here & here. The worm is said to contain stealth code intended to make analysis more difficult, but this has not had much effect on debugging and reverse engineering.
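A quick host check for the indicators listed above, added here as an example and not taken from the original post or from any AV vendor's tooling. It assumes it is run in a PowerShell session on the machine being inspected; the mutex test only fires while the worm process is actually running.

```powershell
# Added example: look for the Atak indicators described in the post.
$findings = @()

# 1. Dropped file: %System%\hint.exe (System32 on NT-based Windows).
$hint = Join-Path $env:SystemRoot 'System32\hint.exe'
if (Test-Path $hint) { $findings += "file present: $hint" }

# 2. NT/2000/XP persistence: the "load" value under the Windows key.
#    This value is normally absent or empty, so any content deserves a look.
$key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$load = (Get-ItemProperty -Path $key -Name load -ErrorAction SilentlyContinue).load
if ($load) { $findings += "HKCU ...\Windows\load is set to: $load" }

# 3. 95/98/Me persistence: a line in the [windows] section of win.ini.
#    The post does not quote the exact line, so match on the dropped file name.
$ini = Join-Path $env:windir 'win.ini'
if (Test-Path $ini) {
    foreach ($hit in (Select-String -Path $ini -Pattern 'hint\.exe')) {
        $findings += "win.ini line $($hit.LineNumber): $($hit.Line.Trim())"
    }
}

# 4. Running-instance marker: the SloperMtx mutex.
$mutex = $null
try {
    if ([System.Threading.Mutex]::TryOpenExisting('SloperMtx', [ref]$mutex)) {
        $findings += 'mutex SloperMtx exists (worm process likely running)'
        $mutex.Dispose()
    }
} catch [System.UnauthorizedAccessException] {
    # The mutex exists but this session may not open it; still worth reporting.
    $findings += 'mutex SloperMtx exists but is not accessible from this session'
}

if ($findings.Count -eq 0) {
    'No Atak indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

A hit on the registry or win.ini check points at the persistence entry to remove after the file itself has been dealt with by up-to-date AV.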

Post ID: 443, posted by jase at 11:01 PM