Antivirus and Security Software from Sophos

W32/Atak-G

Summary

How it spreads
  • Email attachments
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since: 14 December 2004 06:48:30 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for removing worms.

Editing Win.ini

At the taskbar, click Start|Run and type Sysedit. Bring Win.ini to the front. In the [windows] section, search for a line beginning with 'Load=' and delete any references to the files you removed. Delete only that reference, not any other text.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry for each user who ran the virus. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Path to worm>

and remove any reference to any file you deleted.

Close the registry editor.
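As an added example (not part of the Sophos instructions above), the following Python script audits the two autostart locations the removal steps cover: the 'load=' line in the [windows] section of Win.ini and the per-user registry value HKEY_USERS\<SID>\Software\Microsoft\Windows NT\CurrentVersion\Windows\load. Both are normally empty, so every non-empty entry is listed for review rather than deleted automatically. The sample Win.ini text is constructed; the registry read only runs on Windows.

```python
"""Audit the Win.ini 'load=' line and the per-user registry 'load' value.

Added example, not Sophos code. Nothing is modified: the functions only report
what is configured so an administrator can compare it with the file names that
were removed.
"""
import re
import sys

# Subkey under each HKEY_USERS\<SID> hive, as given in the removal steps.
LOAD_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"


def win_ini_load_entries(ini_text):
    """Return each file referenced on a 'load=' line inside [windows].

    Win.ini may list several programs separated by spaces or commas, so each
    reference is returned separately; the caller decides which one to remove.
    """
    section = None
    entries = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows":
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "load":
            entries.extend(p for p in re.split(r"[\s,]+", value.strip()) if p)
    return entries


def suspicious_load_values(user_values):
    """user_values maps a user hive name (SID) to its 'load' value string.

    Every non-empty value is returned as a (sid, value) pair: a populated
    'load' value on a Windows NT-family system is unusual enough to review.
    """
    return [(sid, val.strip()) for sid, val in user_values.items()
            if val and val.strip()]


def read_hku_load_values():
    """Read the 'load' value from every hive under HKEY_USERS (Windows only).

    On other platforms an empty mapping is returned so the script still runs.
    """
    if sys.platform != "win32":
        return {}
    import winreg  # standard library module, available only on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_USERS, "") as hku:
        index = 0
        while True:
            try:
                sid = winreg.EnumKey(hku, index)
            except OSError:
                break  # no more user hives
            index += 1
            try:
                with winreg.OpenKey(hku, sid + "\\" + LOAD_KEY) as key:
                    values[sid], _ = winreg.QueryValueEx(key, "load")
            except OSError:
                pass  # this user has no such key or value
    return values


if __name__ == "__main__":
    # Constructed sample Win.ini containing an unexpected load= entry.
    sample_ini = ("[windows]\n"
                  "load=C:\\WINDOWS\\SYSTEM\\xyzk.exe\n"
                  "run=\n"
                  "[Desktop]\n"
                  "Wallpaper=\n")
    print("Win.ini load entries:", win_ini_load_entries(sample_ini))
    for sid, val in suspicious_load_values(read_hku_load_values()):
        print("HKU\\%s\\%s\\load = %s" % (sid, LOAD_KEY, val))
```

Run it as an administrator on the affected machine so that every loaded user hive is enumerated; hives of users who are not logged on are not present under HKEY_USERS and need the same check from their own session.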

More Information

W32/Atak-G is a Windows worm that spreads via email. W32/Atak-G copies itself to a file with a random name in the Windows system folder.

W32/Atak-G sends itself to all email addresses found on the computer.

The worm arrives as a ZIP attachment in an email. The subject line, message text and attachment filenames are randomly constructed from the building blocks listed in the Advanced Description.

On W9x systems W32/Atak-G inserts a 'load=' entry under the [windows] section of the WIN.INI file pointing to the worm, so that it auto-starts on user logon.

On NT, W2k and XP systems, the worm creates the following registry entry to autorun on Windows logon:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Path to worm>

W32/Atak-G sends itself to all email addresses found on the system. The worm harvests addresses from files with various extensions such as HTM, EML, ASP or DBX.

The worm's email has the following characteristics:

Attachment name: chosen from

separate_file.zip
textfile.zip
print.zip
note.zip
white_paper.zip
part001.zip

Subject Lines:

<random1> Love <random2> <smiley>

where the random parts are selected from the following lists.

<random1>:

Stay
True
Get
Make
Have a

<random2>:

human spirit
Not Wars
and get money
for fun
will freedom
to other
with me
Not spam

<smiley>:
:D
;)
:>
;-D
- ;-*
!!
!?!
:K

An example is 'Have a Love to other :>'.

The message starts with a greeting of the form
<random1> <random2>,

with <random1> selected from:

Dear
Congratulation
Welcome
Greet
Hi
Hello
Nice to meet you

and <random2> one of:

Ladies & Gentleman
Sir/Madam
Person
Customer
User

An example is 'Welcome User,'.

After the greeting appears one of the following lines:

We have installed our anti-spam tools to protect your email
Your account info has been setting up to block spam email
We have make a few change for our customer. Please be informed
We have upgraded your account features
Your account has been upgraded with our new services

followed by another randomly assembled line of the format
<random1> website at http://www.<domain> to <random2>

with <random1> chosen from:

Please check our
Visit our
Goto our
Logon to

and <random2> selected from:

know about account features
learn about our features
get more info
find out our services.

The domain name is either harvested from the system or randomly constructed.

The next part of the email message is one of the following lines:

Remember this note
Please take note this info
Keep this info
Your account info

followed by

---> Email: <email>
---> Password: <password> <text>

<email> is a randomly constructed email address for the domain name that was
chosen previously. The password is a random string. <text> is chosen
randomly from the following:

  • [please change it after registeration]
  • (You can change it later)
  • (temp. pwd only)
  • (temporary password).

The next line in the email has the format
<random1> website to <random2> http://www.<domain> .

with <random1> one of:

Please check our
Visit our
Goto our
Logon to

and <random2> selected from:

know about account features
learn about our features
get more info
find out our services.

The last line has the format
<random1> information <random2>.
with <random1> one of:

Saved
Email account
Your credential
Your account
NOTE: All your account

and <random2> chosen from:

has been saved. Please check when needed
can be found at your email attachment
has been clipped to your email
already included into your email
has been attached as a file and ready to be printed.

The email ends with a closing of the form
<random1>, <domain> <random2>

with <random1> selected from:
By
Thank you
Your sincerely
Regard

and <random2> one of:

Help Team
Technical Support
Customer Services
Administrator
Services Team
Team.

An example of a complete email is:
Welcome Sir/Madam,

We have installed our anti-spam tools to protect your email.
Please check our website at http://www.microsoft.com to know about account
features.

Your account info:

---> Email: inet@microsoft.com
---> Password: 2aff (temporary password)

Please check our website to learn about our features
http://www.microsoft.com .

Your account information has been saved. Please check when needed.

Your sincerely,
microsoft.com Team
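The message format described above is regular enough to be matched at a mail gateway. The following Python rule is an added example (not Sophos code): it encodes the subject, attachment, greeting, introductory sentence and fake-credential building blocks listed on this page as patterns and reports which of them a message matches. The sample message is the example email from this page with a subject and attachment name from the page's lists; the indicator names, the two-trait threshold and the benign comparison message are the example's own choices.

```python
"""Mail-filter rule for the W32/Atak-G message format described on this page.

Added example; not Sophos code. Only the word lists printed on the page are
used as patterns.
"""
import re

# Attachment names listed on the page.
ATTACHMENT_NAMES = {"separate_file.zip", "textfile.zip", "print.zip",
                    "note.zip", "white_paper.zip", "part001.zip"}

# Subject line: "<random1> Love <random2> <smiley>".
SUBJECT_RANDOM1 = ["Stay", "True", "Get", "Make", "Have a"]
SUBJECT_RANDOM2 = ["human spirit", "Not Wars", "and get money", "for fun",
                   "will freedom", "to other", "with me", "Not spam"]
# The page prints one smiley as "- ;-*"; the leading dash is treated here as a
# list marker (assumption) and only ";-*" is matched.
SMILEYS = [":D", ";)", ":>", ";-D", ";-*", "!!", "!?!", ":K"]

# Greeting line: "<random1> <random2>,".
GREETING_RANDOM1 = ["Dear", "Congratulation", "Welcome", "Greet", "Hi",
                    "Hello", "Nice to meet you"]
GREETING_RANDOM2 = ["Ladies & Gentleman", "Sir/Madam", "Person", "Customer",
                    "User"]

# Fixed sentence that follows the greeting (page lists it without a period,
# the example email has one, so the period is optional).
INTRO_LINES = [
    "We have installed our anti-spam tools to protect your email",
    "Your account info has been setting up to block spam email",
    "We have make a few change for our customer. Please be informed",
    "We have upgraded your account features",
    "Your account has been upgraded with our new services",
]


def _alts(words):
    """Build a regex alternation from literal phrases."""
    return "|".join(re.escape(w) for w in words)


SUBJECT_RE = re.compile(r"^(?:%s) Love (?:%s) (?:%s)$" % (
    _alts(SUBJECT_RANDOM1), _alts(SUBJECT_RANDOM2), _alts(SMILEYS)))
GREETING_RE = re.compile(r"^(?:%s) (?:%s),$" % (
    _alts(GREETING_RANDOM1), _alts(GREETING_RANDOM2)), re.M)
INTRO_RE = re.compile(r"^(?:%s)\.?$" % _alts(INTRO_LINES), re.M)
# Fake credential block: "---> Email: ..." directly followed by "---> Password: ...".
CREDENTIAL_RE = re.compile(r"^---> Email: \S+@\S+\n---> Password: \S+", re.M)


def atak_g_indicators(subject, attachment_names, body):
    """Return the names of the W32/Atak-G traits this message exhibits."""
    hits = []
    if SUBJECT_RE.match(subject.strip()):
        hits.append("subject")
    if any(name.lower() in ATTACHMENT_NAMES for name in attachment_names):
        hits.append("attachment")
    if GREETING_RE.search(body):
        hits.append("greeting")
    if INTRO_RE.search(body):
        hits.append("intro_line")
    if CREDENTIAL_RE.search(body):
        hits.append("credentials")
    return hits


def is_atak_g_like(subject, attachment_names, body, threshold=2):
    """True when at least `threshold` independent traits match.

    The threshold is the example's choice: a single trait such as a listed
    attachment name could also occur in legitimate mail.
    """
    return len(atak_g_indicators(subject, attachment_names, body)) >= threshold


# Sample message: the example email from this page, with a subject and an
# attachment name taken from the page's lists.
SAMPLE_SUBJECT = "Have a Love to other :>"
SAMPLE_ATTACHMENTS = ["note.zip"]
SAMPLE_BODY = """\
Welcome Sir/Madam,

We have installed our anti-spam tools to protect your email.
Please check our website at http://www.microsoft.com to know about account
features.

Your account info:

---> Email: inet@microsoft.com
---> Password: 2aff (temporary password)

Please check our website to learn about our features
http://www.microsoft.com .

Your account information has been saved. Please check when needed.

Your sincerely,
microsoft.com Team
"""

if __name__ == "__main__":
    print(atak_g_indicators(SAMPLE_SUBJECT, SAMPLE_ATTACHMENTS, SAMPLE_BODY))
    print(is_atak_g_like(SAMPLE_SUBJECT, SAMPLE_ATTACHMENTS, SAMPLE_BODY))
```

Because the worm assembles every line from fixed lists, matching on two or more independent parts of the message (for example the subject grammar plus the "---> Email:" / "---> Password:" block) keeps false positives low even though each individual phrase is short; the ZIP attachment itself should still be scanned, since the body patterns only identify the lure.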
