Trojan.Win32.Atendo, W32/[email protected], WORM_ATENDO.A, Win32/Atendo
Trojan.Win32.Atendo, Trojan:Win32/Atendo, Win32:Trojan-gen, Win32/Payfor.A
Category: Computer Worm
Active & Spreading
27 Jun 2003
The [email protected] program is a worm that scans the contents of the Microsoft Outlook Inbox on the infected computer. It spreads its code to other computer systems by replying to every message in the Inbox. It also attempts to remove certain files from the machine.
A Portable Executable (PE) file written in Visual C++, the [email protected] program is closely associated with the files NAV32.EXE, ATENDIMENTO.DOC.EXE, NAV-32.EXE, and D.EXE. The malware normally uses these files as attachments to the email messages it sends out, using the messages in the user's Inbox as a reference. According to some antivirus vendors, the scanning of messages is done in the Inbox of the Microsoft Outlook client. This does not necessarily mean that other email clients are immune from its effects. The [email protected] malware uses the active Internet connection to send out its email messages. It reportedly extracts its file components into the System folder of the Windows directory and creates a corresponding Windows Registry key for them. This routine is a basic strategy most threats use to make the infection persistent.
One of the most damaging payloads associated with this worm is its ability to delete files and replace the originals with its own content without arousing user suspicion. Supposedly, files using the EXE, XLS, DOC, MDB, DBX, TOP, PST, WPNT, WPTO, WPE, and WPE formats are targeted by this malware. To prevent the user from discovering the removal of these file types, the [email protected] program recreates these files using the contents of the Payback.doc file, which is stored in the C:\ARQUIV~1\NORTON~1 directory. It also appends the text "certified Virus Free" to the end of each email message as part of its routine to deceive the recipient.
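The mail-side indicators described above (the four attachment names and the "certified Virus Free" trailer) can be checked at a mail gateway or over an exported mailbox. The following is an added example, not code from any vendor: the function names, the decoy-extension list, and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above. D.EXE is a generic name,
# so a hit on it alone is weak evidence.
ATTACHMENT_NAMES = {"nav32.exe", "atendimento.doc.exe", "nav-32.exe", "d.exe"}
TRAILER = "certified virus free"
# Assumption: document-like extensions that make "name.doc.exe" look benign.
DECOY_EXTS = {"doc", "xls", "pdf", "txt", "jpg"}


def score_message(raw: bytes) -> list:
    """Return the indicator hits found in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            lower = name.strip().lower()
            if lower in ATTACHMENT_NAMES:
                hits.append(f"known-name:{lower}")
            pieces = lower.split(".")
            # Executable hiding behind a document extension.
            if len(pieces) >= 3 and pieces[-1] == "exe" and pieces[-2] in DECOY_EXTS:
                hits.append(f"double-extension:{lower}")
        elif part.get_content_type() == "text/plain":
            # The trailer is appended at the very end of the message body.
            if part.get_content().rstrip().lower().endswith(TRAILER):
                hits.append("trailer")
    return hits


def build_sample(attachment_name: str, body: str) -> bytes:
    """Constructed test message; addresses and payload are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "recipient@example.test"
    m["Subject"] = "Re: constructed sample"
    m.set_content(body)
    m.add_attachment(b"placeholder-bytes", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    sample = build_sample("ATENDIMENTO.DOC.EXE", "See attached.\ncertified Virus Free\n")
    print(score_message(sample))
```

A message that hits both the trailer and an attachment indicator is a stronger signal than either alone, since the trailer text also appears in legitimate mail footers.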