W32/Atak-E is a mass-mailing worm.
When run, the worm copies itself to the Windows system folder as
dapdll.exe. On Windows 9x systems W32/Atak-E inserts the following line
under the [windows] section of the WIN.INI file so that it auto-starts
on user logon:
load=%SYSTEM%\dapdll.exe
On Windows 2000 systems the following registry entry is modified:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
%SYSTEM%\dapdll.exe
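The following Python check is an added example, not part of the original description: it looks for the dapdll.exe auto-start entry in the [windows] section of WIN.INI text and in the HKCU load value named above. The function names and the sample WIN.INI contents are constructed for illustration.

```python
import ntpath
import re

WORM_FILE = "dapdll.exe"  # file name given in the description above

def windows_load_entries(win_ini_text):
    """Return the programs listed on load= lines in the [windows] section."""
    entries, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() == "load":
            # load= may list several programs separated by spaces or commas
            entries += [p for p in re.split(r"[,\s]+", value.strip()) if p]
    return entries

def flags_atak_e(entries):
    """True if any entry's file name is dapdll.exe (case-insensitive)."""
    return any(ntpath.basename(e.strip('"')).lower() == WORM_FILE for e in entries)

def hkcu_load_value():
    """Read the HKCU 'load' value; None if absent or not running on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
            return winreg.QueryValueEx(key, "load")[0]
    except OSError:
        return None

# Constructed sample WIN.INI contents, not taken from an infected machine.
SAMPLE_INFECTED = "[fonts]\n[Windows]\nrun=\nLOAD=C:\\WINDOWS\\SYSTEM\\dapdll.exe\n"
SAMPLE_CLEAN = "; load=C:\\WINDOWS\\SYSTEM\\dapdll.exe\n[windows]\nload=\n[other]\nload=dapdll.exe\n"

if __name__ == "__main__":
    print("WIN.INI sample flagged:", flags_atak_e(windows_load_entries(SAMPLE_INFECTED)))
    reg = hkcu_load_value()
    print("HKCU load flagged:", isinstance(reg, str) and flags_atak_e(re.split(r"[,\s]+", reg)))
```

A match only shows that the auto-start entry is present; the dapdll.exe copy in the system folder still has to be checked and removed separately.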
W32/Atak-E will harvest email addresses by scanning the logical drives
for files with the following extensions:
LOG HTML MSG EML MHT DBX ASP PHP JSP HTM TXT
Sent emails can take the following forms:
Subject chosen from:
Second Match!
Time is running out!
Message body:
Greet to you <inserted name>,
Congratulation! Your account has been upgraded with our new services.
Please visit our website at http://www.<inserted URL> to know about our
features.
Your account info:
--- Email: <inserted email>
--- Password: <inserted password> (temporary password)
Visit our website to get more info at: http://www.<inserted URL>
NOTE: All your account information has been attached as a file
and ready to be printed.
Regard,
<inserted URL> Services Team
The attached ZIP has a randomly generated name and contains a copy of
the worm with one of the following extensions:
BAT, PIF, EXE, COM, SCR