Email-Worm.Win32.Atak.c, W32/[email protected], WORM_ATAK.GEN, W32/[email protected], Win32.Atak.D, Win32/Atak.D.Worm, W32/[email protected], W32/Atak-B, Email-Worm.Win32.Mydoom.ad
Category: Computer Worm
Active & Spreading
03 Dec 2004
This mass-mailing worm scans certain files on the infected computer to harvest email addresses that it can use to spread copies of itself. The worm uses its built-in SMTP engine to send its infected email messages to the harvested accounts.
Malware on your computer will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean this worm from your computer.
The email message sent by the worm usually carries a spoofed address in the "From" field. It has been observed to use names like Huck, Jose, Vladimir, Hanson, Linda, and Jane, among others. All of these names are bogus. The subject line of the email is picked at random from a list of possibilities prepared by the malware author. Like most mass-mailing worms, it also sends a file attachment, which normally uses the ZIP, BAT, SCR, EXE, PIF, or COM file extension. The worm harvests email addresses from a number of files stored on the local hard drive of the infected machine. EML, NCH, MBX, LOG, JSP, CGI, MSG, ADB, and WAB are some of the file extensions it searches to find target email addresses.
When the worm executes, it normally places the svrhost.exe file in the System folder of the Windows directory. It also creates a Windows Registry key for itself and appends an entry to the Windows initialization file. These steps ensure that the malware loads automatically together with the operating system. Once the worm loads at boot or startup, it immediately attempts to terminate processes and programs associated with system security. The malware may also remove the Windows Registry entries for these programs and protocols.
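The persistence traces described above can be checked on collected artifacts. The following triage script is an added example, not code from the original page: it flags svrhost.exe in a file listing and in the auto-start values of a win.ini copy. It assumes the initialization-file entry uses the standard `load=`/`run=` values of the `[windows]` section (the page does not name the key), and its sample inputs are constructed.

```python
import ntpath

DROPPED_NAME = "svrhost.exe"      # file name given on the page
AUTOSTART_KEYS = ("load", "run")  # assumption: the page does not name the win.ini key

def autostart_entries(win_ini_text):
    """Return (key, program) pairs from load=/run= in the [windows] section."""
    section, found = "", []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if section == "windows" and sep and key in AUTOSTART_KEYS:
            # Values are space- or comma-separated program lists
            # (simplification: paths containing spaces are not handled).
            found += [(key, p.strip('"')) for p in value.replace(",", " ").split()]
    return found

def is_dropped_name(path):
    """Match on the file name only, whichever System folder the host uses."""
    return ntpath.basename(path).lower() == DROPPED_NAME

def triage(win_ini_text, file_listing):
    """Collect win.ini auto-start entries and listed files named svrhost.exe."""
    entries = autostart_entries(win_ini_text)
    return {
        "win_ini": [(k, p) for k, p in entries if is_dropped_name(p)],
        "files": [p for p in file_listing if is_dropped_name(p)],
    }

# Constructed sample inputs, not taken from an infected host.
SAMPLE_WIN_INI = r"""; for 16-bit app support
[fonts]
[windows]
load=
run=C:\WINDOWS\system32\svrhost.exe
"""
SAMPLE_LISTING = [r"C:\WINDOWS\system32\svchost.exe",
                  r"C:\WINDOWS\system32\svrhost.exe"]

if __name__ == "__main__":
    print(triage(SAMPLE_WIN_INI, SAMPLE_LISTING))
```

The name differs by one letter from the legitimate svchost.exe, so the comparison is an exact file-name match rather than a substring search.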