Source: A^C^E
W32.Atak.B@mm is a mass-mailing worm that uses its own SMTP engine to send its messages to the email addresses it gathers from certain files on a compromised computer.
When W32.Atak.B@mm is executed, it performs the following actions:
Copies itself as %System%\a1g.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Adds the following line to the Win.ini file so that it executes every time Windows starts:
load = %System%\a1g.exe
Adds the value:
load=%sysdir%\a1g.exe
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
so that W32.Atak.B@mm runs every time Windows starts.
Creates the mutex mtxSSS to prevent two copies of the worm from being run at once.
The executable extension used is one of the following:
.scr
.com
.exe
.pif
.bat
Note: The worm can have a double extension consisting of blank spaces and an executable extension.
Uses its own SMTP engine to send itself to the email addresses that it gathers from the files with the following extensions:
log
eml
mht
dbx
asp
php
jsp
htm
txt
Avoids email addresses containing any of the following substrings:
support
submit
none
virus
anti
samples
microsoft
The email has the following characteristics:
From: [random email address that was collected]
Subject: (One of the following)
It's begin here!
First Match!
microsoft
Body: (One of the following)
Hello [random username from one of the email addresses collected]
Your request has been accepted
Your account info:
>> Email:
>> Password: [random characters]
Visit our website to get more info at:
http://www.[domain matches the username given in the 'Hello' line]
NOTE: All your account information has been attached as file and ready to be printed.
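As an added defender-side example (not part of the original write-up), the following Python checks for the two host artifacts described above: it parses a Win.ini fragment for a non-empty load= or run= entry in the [windows] section, and it flags attachment names whose blank-space padding hides one of the listed executable extensions. The Win.ini text and file names are constructed samples; the HKCU registry value is not queried so the script runs offline on any platform.

```python
import re

# Executable extensions named in the write-up.
EXEC_EXTS = {".scr", ".com", ".exe", ".pif", ".bat"}

# Constructed sample of a Win.ini [windows] section as left by the worm
# (the load= line is the persistence entry; run= is legitimately empty).
SAMPLE_WIN_INI = """[windows]
load=C:\\Windows\\System32\\a1g.exe
run=
NullPort=None
"""


def find_load_entries(win_ini_text):
    """Return (key, value) pairs for non-empty load=/run= entries in [windows].

    On a clean system these values are normally empty, so any populated entry
    deserves a look; the worm's entry points at %System%\\a1g.exe.
    """
    section = None
    hits = []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key in ("load", "run") and value:
                hits.append((key, value))
    return hits


def has_padded_double_extension(filename):
    """True when whitespace sits directly before a final executable extension,
    e.g. 'account.txt      .scr', so the real extension is pushed out of view."""
    m = re.search(r"\s+(\.[A-Za-z0-9]+)$", filename)
    return bool(m) and m.group(1).lower() in EXEC_EXTS


if __name__ == "__main__":
    print(find_load_entries(SAMPLE_WIN_INI))
    for name in ("account.txt      .scr", "report.txt", "a1g.exe"):
        print(name, has_padded_double_extension(name))
```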
The worm is a 12,037-byte compressed file, which is given a file name consisting of three to seven random letters. Due to a bug, most common decompression utilities are unable to decompress the file.
The worm is written in the programming language VC++ 5.