Virus

W32/Atak.A!worm

Analysis


Specifics
This 32-bit mass-mailer uses a stealth instruction to avoid being analyzed, "IsDebuggerPresent". Aside of this, the virus is not spectacular and is otherwise not interesting. The virus is packed with a file size of 15,917 bytes. While running in memory, the virus can be referenced by the Mutex "SloperMtx".


Loading At Windows Startup
When the virus is run, it will copy itself to the System32 folder and register to auto-run at each Windows startup.


Mass-mailing Routine
The virus will harvest emails from the host system by scanning files of certain extensions for what is considered a valid email address, avoiding email addresses with the string "spam". The virus will look in files with these extensions -

wab
p
adb
tbb
html
xml
cfg
vbs
msg
dbx
uin
jsp
asp
cgi
php
sht
mht
ods
log
htm
mbx
nch
eml
txt

Next the virus uses its own SMTP code to attempt to log into MX servers which could exist for each found email address. For instance, the virus will use these server names as MX servers, where "undefineds" is the target email address domain name, such as yahoo.com -

gate.undefineds
ns.undefineds
relay.undefineds
mail1.undefineds
mxs.undefineds
smtp.undefineds
mail.undefineds
mx-a.mail.undefineds
bjmx.undefineds
mta.undefineds
mx4.mail.undefineds
mx3.mail.undefineds
mx2.mail.undefineds
mx1.mail.undefineds
mx4.undefineds
mx3.undefineds
mx2.undefineds
mx1.undefineds
mx.undefineds

The subject and body text are variable with only a couple of different possibilities, and the virus tries to attach itself to the email.


Miscellaneous
The virus contains this string in its body which is never displayed -

-={ 4tt4(k 4g4!n$t N3tSky, B34gl3, MyD00m, L0vG4t3, N4ch!, Bl4st3r }=-

The above string could be interpreted as the following -

-={ attack against NetSky, Beagle, MyDoom, LovGate, Nachi, Blaster }=-


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option