W32/Atak-G is a Windows worm that spreads via email. W32/Atak-G copies itself to a file with a random name in the Windows system folder.
W32/Atak-G sends itself to all email addresses found on the computer.
The worm arrives as a ZIP attachment in an email. The subject line, message text and attachment filenames are randomly constructed from the building blocks listed in the Advanced Description.
On W9x systems, W32/Atak-G inserts a 'load=' entry under the [windows] section of the WIN.INI file pointing to the worm, so that it auto-starts on user logon.
On NT, W2k and XP systems, the worm creates the following registry entry to autorun on Windows logon:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Path to worm>
W32/Atak-G sends itself to all email addresses found on the system. The worm harvests addresses from files with various extensions such as HTM, EML, ASP or DBX.
The worm's email will have the following characteristics:
Attachment name: chosen from
separate_file.zip
textfile.zip
print.zip
note.zip
white_paper.zip
part001.zip
Subject Lines:
<random1> Love <random2> <smiley>
where the random parts are selected from the following lists.
<random1>:
Stay
True
Get
Make
Have a
<random2>:
human spirit
Not Wars
and get money
for fun
will freedom
to other
with me
Not spam
<smiley>:
:D
;)
:>
;-D
- ;-*
!!
!?!
:K
An example is 'Have a Love to other :>'.
The message starts with a greeting of the form
<random1> <random2>,
with <random1> selected from:
Dear
Congratulation
Welcome
Greet
Hi
Hello
Nice to meet you
and <random2> one of:
Ladies & Gentleman
Sir/Madam
Person
Customer
User
An example is 'Welcome User,'.
After the greeting appears one of the following lines:
We have installed our anti-spam tools to protect your email
Your account info has been setting up to block spam email
We have make a few change for our customer. Please be informed
We have upgraded your account features
Your account has been upgraded with our new services
followed by another randomly assembled line of the format
<random1> website at http://www.<domain> to <random2>
with <random1> chosen from:
Please check our
Visit our
Goto our
Logon to
and <random2> selected from:
know about account features
learn about our features
get more info
find out our services.
The domain name is either harvested from the system or randomly constructed.
The next part of the email message is one of the following lines:
Remember this note
Please take note this info
Keep this info
Your account info
followed by
---> Email: <email>
---> Password: <password> <text>
<email> is a randomly constructed email address for the domain name that was
chosen previously. The password is a random string. <text> is chosen
randomly from the following:
- [please change it after registeration]
- (You can change it later)
- (temp. pwd only)
- (temporary password).
The next line in the email has the format
<random1> website to <random2> http://www.<domain> .
with <random1> one of:
Please check our
Visit our
Goto our
Logon to
and <random2> selected from:
know about account features
learn about our features
get more info
find out our services.
The last line has the format
<random1> information <random2>.
with <random1> one of:
Saved
Email account
Your credential
Your account
NOTE: All your account
and <random2> chosen from:
has been saved. Please check when needed
can be found at your email attachment
has been clipped to your email
already included into your email
has been attached as a file and ready to be printed.
The email ends with a greeting of the form
<random1>, <domain> <random2>
with <random1> selected from:
By
Thank you
Your sincerely
Regard
and <random2> one of:
Help Team
Technical Support
Customer Services
Administrator
Services Team
Team.
An example of an email is:
Welcome Sir/Madam,
We have installed our anti-spam tools to protect your email.
Please check our website at http://www.microsoft.com to know about account
features.
Your account info:
---> Email: inet@microsoft.com
---> Password: 2aff (temporary password)
Please check our website to learn about our features
http://www.microsoft.com .
Your account information has been saved. Please check when needed.
Your sincerely,
microsoft.com Team
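The building blocks listed above translate directly into a mail-gateway check. The Python below is an added example, not part of the original description: the function and constant names are hypothetical, the sample message is constructed from the page's example email with inert attachment bytes, and the smiley is matched loosely as a short trailing token rather than by exact spelling.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Building blocks copied from the description above.
ATTACHMENTS = {"separate_file.zip", "textfile.zip", "print.zip",
               "note.zip", "white_paper.zip", "part001.zip"}
SUBJ_RANDOM1 = ["Stay", "True", "Get", "Make", "Have a"]
SUBJ_RANDOM2 = ["human spirit", "Not Wars", "and get money", "for fun",
                "will freedom", "to other", "with me", "Not spam"]


def alt(words):
    """Regex alternation of literal strings."""
    return "|".join(re.escape(w) for w in words)


# '<random1> Love <random2> <smiley>'; the smiley is matched loosely as a
# short trailing token (assumption) rather than by its exact spelling.
SUBJECT_RE = re.compile(
    rf"^(?:{alt(SUBJ_RANDOM1)}) Love (?:{alt(SUBJ_RANDOM2)})(?:\s+.{{1,6}})?\s*$")
# The '---> Email:' line followed directly by the '---> Password:' line.
CRED_RE = re.compile(r"^---> Email: \S+@\S+\s+---> Password: \S+", re.M)


def atak_g_indicators(raw_message):
    """Return which of the described traits appear in an RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject")
    for part in msg.walk():
        if (part.get_filename() or "").lower() in ATTACHMENTS:
            hits.append("attachment")
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("latin-1")
            if CRED_RE.search(text):
                hits.append("credential-block")
    return hits


def build_sample():
    """Constructed message modelled on the page's example; inert attachment."""
    m = EmailMessage()
    m["Subject"] = "Have a Love to other :>"
    m.set_content("Welcome Sir/Madam,\nYour account info:\n"
                  "---> Email: inet@microsoft.com\n"
                  "---> Password: 2aff (temporary password)\n")
    m.add_attachment(b"not a real archive", maintype="application",
                     subtype="zip", filename="note.zip")
    return m.as_string()
```

A single hit such as the attachment name alone is weak evidence; the combination of subject template, ZIP name and credential block is what distinguishes this worm's mail.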