Aliases: W32/Atnas.A.worm
Variants: Atnas.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Europe
Removal: Easy
Platform: W32
Discovered: 13 Jul 2007
Damage: Low

Characteristics: Belonging to a group of malware known for taking advantage of the functionalities of file sharing programs and networks, the W32.Atnas.A program makes use of this computer structure to distribute its codes. This malware is also known for its ability to initiate a Distributed Denial of Service attack on various systems.

More details about W32.Atnas.A

The System32 folder of the Windows directory is the initial target of this malware. This location is used by the W32.Atnas.A program to extract the winlib32.exe, snd32_win.exe, and a randomly named executable file composed of two strings. The two strings that make up the random file name is usually chosen from the words win, reg, hook, w32, sp32, mic, lib, dos, cbf, load, dll, service, and _i386 in an attempt to make the file look legitimate. The whandle.dll file is created also in the System32 folder. This is a text file used to list the processes currently active in the infected computer system. Two other files named err.msg and santas.bitch.txt are created by the W32.Atnas.A malware. The executable files of the enumerated processes are targeted by this malware and replaced with a copy of the Worm's codes. This is achieved by first renaming the target executable file and then creating the copy of the malware using the filename of the replaced EXE file type.

Executable files of system critical tools like the Registry Editor, Windows Task Manager, and System Configuration Utility are allegedly targeted by the W32.Atnas.A program and replaced with a copy of its codes. After successfully doing this, it starts renaming the executable files associated with file sharing programs. The folder Fuck_U_Man will be created by this malware followed by the placing of multiple copies of its codes into the shared folders of the P2P applications. Specific websites mostly in Germany are targeted with a Distributed Denial of Service attack by this malware.