Aliases: Trojan.Win32.Atendo, W32/Payfor@M, WORM_ATENDO.A, Win32/Atendo
Variants: Trojan.Win32.Atendo, Trojan:Win32/Atendo, Win32:Trojan-gen, Win32/Payfor.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia
Removal: Hard
Platform: W32
Discovered: 27 Jun 2003
Damage: Medium

Characteristics: The W32.Atendo@mm program is a worm that scans the contents of the Microsoft Outlook Inbox on the infected computer. It spreads by replying to all messages in the Inbox, which carries its code to other computer systems. It also attempts to remove certain files from the machine.

More details about W32.Atendo@mm

The W32.Atendo@mm program is a Portable Executable (PE) file written in Visual C++ and is closely associated with the files NAV32.EXE, ATENDIMENTO.DOC.EXE, NAV-32.EXE, and D.EXE. The malware normally uses these files as attachments to the infected email messages it sends out, using the messages in the user's Inbox as a reference. According to some antivirus vendors, the message scanning is done in the Inbox of the Microsoft Outlook client. This, however, does not necessarily mean that other email clients are immune to its effects. The W32.Atendo@mm malware uses the active Internet connection to send out its email messages. It reportedly extracts its file components into the System folder of the Windows directory and creates a corresponding Windows Registry key for them. This routine is a basic strategy most threats use to make the infection persist on the machine.

One of the most damaging payloads associated with this worm is its ability to delete files and replace the originals with its own code without arousing user suspicion. Supposedly, files using the EXE, XLS, DOC, MDB, DBX, TOP, PST, WPNT, WPTO, WPE, and WPE formats are targeted by this malware. To prevent the user from discovering the removal of these file types, the W32.Atendo@mm program recreates these files using the contents of the Payback.doc file, which is stored in the C:\ARQUIV~1\NORTON~1 folder. It also appends the text "certified Virus Free" to the end of each email message as part of its routine to deceive the recipient.
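
The attachment names and the message trailer described above can be checked at a mail gateway. The following is an added example, not code from the original page or from any antivirus vendor; the function names, the decoy-extension list and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names the page associates with W32.Atendo@mm (compared lowercase)
KNOWN_NAMES = {"nav32.exe", "atendimento.doc.exe", "nav-32.exe", "d.exe"}
# Text the page says the worm appends to each message
TRAILER = "certified virus free"
# Assumption: document-style extensions that should never precede ".exe"
DECOY_EXTS = {"doc", "xls", "mdb", "pdf", "txt"}

def scan_message(raw_bytes):
    """Return (kind, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            lower = name.strip().lower()
            pieces = lower.split(".")
            if lower in KNOWN_NAMES:
                findings.append(("known-name", name))
            elif len(pieces) >= 3 and pieces[-1] == "exe" and pieces[-2] in DECOY_EXTS:
                # Generalizes the ATENDIMENTO.DOC.EXE pattern to other decoys
                findings.append(("double-extension", name))
        elif part.get_content_type() == "text/plain":
            if TRAILER in part.get_content().lower():
                findings.append(("trailer-text", TRAILER))
    return findings

def is_suspicious(findings):
    """The trailer alone only corroborates; an attachment hit is required."""
    return any(kind != "trailer-text" for kind, _ in findings)

def build_sample(filename):
    """Constructed test message: harmless placeholder bytes as the attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "rcpt@example.test"
    m["Subject"] = "Re: hello"
    m.set_content("Thanks for your message.\n\ncertified Virus Free\n")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for fname in ("ATENDIMENTO.DOC.EXE", "report.xls.exe", "notes.txt"):
        result = scan_message(build_sample(fname))
        print(fname, is_suspicious(result), result)
```

Matching on file names is easy to evade by renaming, so the double-extension rule is the more durable of the two attachment checks.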