Effects

Atak.H does not have any destructive effects. It just spreads via e-mail.

Infection strategy

Atak.H creates the file DEC25.EXE in the Windows system directory. This file is a copy of the worm.

On Windows Me/98/95 computers, Atak.H modifies the WIN.INI file. It adds the following line to the [windows] section:

run = %sysdir%\dec25.exe

where %sysdir% is the Windows system directory. By modifying this file, Atak.H ensures that it is run whenever Windows is started.

Atak.H creates the following entry in the Windows Registry, on Windows 2003/XP/2000/NT computers only:

Means of transmission

Atak.H spreads via e-mail. It follows the routine below:

- It reaches the computer in e-mail messages with variable characteristics that pass themselves off as Christmas greetings:
Sender: Atak.H spoofs the e-mail address from which it is sent. This may cause confusion.
Subject: one of the following: Happy New Year! Merry X-Mas!
Message: it is written in HTML format, and can be any of the following phrases:

Attachments: the attached file is usually compressed in ZIP format, and has any of the following names: BAT, COM, PIF, SCR. The name of the decompressed file is the same as the original, and has a BAT, COM, PIF or SCR extension. The attached file could also reach the computer without being compressed.
- The computer is affected when the attached file is run.
- Atak.H searches for e-mail addresses in those files having any of the following extensions: ASP, DBX, EML, HTM, HTML, JSP, LOG, MHT, MSG, PHP and TXT.
- Atak.H sends itself out to all the addresses it has gathered, using its own SMTP engine.
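
The message characteristics listed above can be turned into a mail-triage check. The following is an added example, not part of the original description: it flags a message when the subject matches and an attachment, either directly or inside a ZIP, carries a BAT, COM, PIF or SCR extension. The function names, addresses and sample file names are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above.
SUBJECTS = {"happy new year!", "merry x-mas!"}
RISKY_EXTS = (".bat", ".com", ".pif", ".scr")


def risky_names(filename, payload):
    """Return executable-style names in one attachment, looking inside ZIPs."""
    name = (filename or "").lower()
    if name.endswith(RISKY_EXTS):
        return [name]
    if name.endswith(".zip") or payload[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                return [n.lower() for n in zf.namelist()
                        if n.lower().endswith(RISKY_EXTS)]
        except zipfile.BadZipFile:
            return [name + " (unreadable zip)"]  # fail closed on broken archives
    return []


def triage(raw):
    """Flag a raw RFC 5322 message whose subject and attachment both match."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    hits = []
    for part in msg.iter_attachments():
        hits += risky_names(part.get_filename(), part.get_payload(decode=True) or b"")
    return {"subject_match": subject in SUBJECTS, "risky": hits,
            "quarantine": subject in SUBJECTS and bool(hits)}


def build_sample(subject, attach_name, inner_name=None):
    """Constructed test message; the attachment body is harmless filler."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", subject
    msg.set_content("<html><body>greeting</body></html>", subtype="html")
    data = b"not a real executable"
    if inner_name:  # wrap the filler in a ZIP, as the description says is usual
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(inner_name, data)
        data = buf.getvalue()
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=attach_name)
    return msg.as_bytes()
```

Because the sender address is spoofed, the check deliberately ignores the From header and relies only on subject and attachment type.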

Further Details

Atak.H is written in the programming language VC++ 5. This worm is 10,805 bytes in size and it is compressed with FSG. Additionally, Atak.H creates the mutex 2k5 in order to prevent two copies of the worm from being run at the same time.