Sophos

W32/Attech-A

Aliases
  • Email-Worm.W32.Rivon.a

How it spreads
  • Email attachments
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 28 November 2004 17:41:03 (GMT)
Detected by All Sophos products

More Information

W32/Attech-A is a worm that spreads via email and common file sharing networks.

The emails sent by the worm carry a forged From address and have the following
characteristics:

Subject line: one of

Microsofts SP2
Save
Test The New Sophos Anti-Virus
Bug Fix For NOD32
New worms

Body text: one of

Microsoft have relase SP2, run the attechment and it will download SP2 To you

Save the file on your disk!

I send to you the test Sophos AV.

In the attechment we send you the new version of NOD32 Patch

If you have (or if you think) that you have on your PC undetected virus/worm
then run the progi in the attechment.

Attached file: one of

SP2.exe
Save_Me.exe
Sophos_3.89.exe
NOD32_Fix.exe
Kaspersky_Lab.exe
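The subject, body and attachment lists above are the lure indicators a mail gateway or analyst would key on. The following is an added example (not Sophos code) that parses a raw RFC 822 message with Python's standard `email` module and reports which indicator classes match. Both messages in it are constructed with placeholder addresses; the rule that at least two independent classes must match is a design choice of this example, because a bare subject such as "Save" is far too weak on its own.

```python
"""Triage a raw e-mail against the W32/Attech-A lure characteristics listed above.

Added example, not Sophos code.  Both messages below are constructed, with
placeholder addresses.  A single weak indicator (the bare subject "Save", say)
is deliberately not enough: two independent indicator classes must match.
"""
import email
from email import policy

LURE_SUBJECTS = {"Microsofts SP2", "Save", "Test The New Sophos Anti-Virus",
                 "Bug Fix For NOD32", "New worms"}
LURE_ATTACHMENTS = {"sp2.exe", "save_me.exe", "sophos_3.89.exe",
                    "nod32_fix.exe", "kaspersky_lab.exe"}
LURE_BODY_MARKERS = ("attechment", "relase", "progi")   # the worm's own misspellings


def attachment_names(msg):
    """Filenames of every MIME part that declares one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def match_lure(raw):
    """Return matched indicators as 'class:value' strings (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in LURE_SUBJECTS:
        hits.append("subject:" + subject)
    for name in attachment_names(msg):
        if name.lower() in LURE_ATTACHMENTS:
            hits.append("attachment:" + name)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    hits.extend("body:" + marker for marker in LURE_BODY_MARKERS if marker in text)
    return hits


def is_attech_lure(raw):
    """True when at least two distinct indicator classes (subject, attachment, body) match."""
    return len({hit.split(":", 1)[0] for hit in match_lure(raw)}) >= 2


# Constructed sample resembling one of the worm's lures (attachment body is the
# base64 of the word "Hello", not an executable).
SAMPLE_MESSAGE = """\
From: support@example.invalid
To: victim@example.invalid
Subject: Bug Fix For NOD32
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

In the attechment we send you the new version of NOD32 Patch

--b1
Content-Type: application/octet-stream; name="NOD32_Fix.exe"
Content-Disposition: attachment; filename="NOD32_Fix.exe"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--
"""

# Constructed benign message that shares only the weak subject "Save".
BENIGN_MESSAGE = """\
From: colleague@example.invalid
To: victim@example.invalid
Subject: Save
Content-Type: text/plain; charset="us-ascii"

Please save the date for Friday's review.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, is_attech_lure(raw), match_lure(raw))
```

Run as a script it prints the verdict and the matched indicators for both messages; in a gateway you would feed it each inbound message's raw text and quarantine on a true verdict.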

W32/Attech-A collects email addresses from files whose extension is one of HTT, HTM, HTML, HTA, HTE, HTX, SHTML, STM, ASP, XML, DOC, RTF, TXT, DBX, PHP, PHP3, PTHML, JSP, SQL, EML, INI, TBB or TBI.

The worm copies itself to Download.exe in the Windows folder and to Cro.exe in the StartMenu folder. If a floppy disk is present, the worm also copies itself to the disk under the following filenames:

matrix.exe
rj3_vc1.exe
Speed.exe

W32/Attech-A attempts to spread through filesharing networks by copying itself to the "shared" folders of the following applications:

Edonkey2000
eMule
Grokster
ICQ
iMesh
KaZaA
Kmd
Morpheus
limewire

The worm uses the following filenames:

Dr_Divix.exe
Fifa 2005.exe
Kaspersky_creck.exe
NBA_Live_2005.exe
Nero 6.6.0.0.exe
Norton Antivirus 2005.exe
PS2Emulator.exe
Pamela Nude.scr
PowerDVD.exe
WinRAR 3.40 Final.exe

W32/Attech-A makes the Windows system folder accessible as a network share named "xpu". The worm informs the author of its presence by email.

The worm creates or modifies the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
<basename> = <path>
(where <path> is the full path to the worm executable and <basename> is its filename without the extension)

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Download = C:\Windows\Download.exe

HKCU\Software\Microsoft\Internet Explorer\Main\
ShowGoButton = "no"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoRun = "1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoClose = "1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoFileMenu = "1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoFind = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoUserNameInStartMenu = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDrives = dword:03ffffff

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoControlPanel = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDisconnect = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoNetworkConnections = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoChangeStartMenu = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoSharedDocuments = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoSMMyMusic = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoSMMyPictures = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoSMMyDocs = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoSetTaskbar = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoStartMenuMorePrograms = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoSMHelp = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoRecentDocsMenu = "1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoViewContextMenu = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoWinKeys = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoBandCustomize = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoPropertiesMyComputer = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoCDBurning = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoStartMenuNetworkPlaces = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoStartMenuMFUprogramsList = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HideClock = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoFolderOptions = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoWindowsUpdate = "1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun = "1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\
1 = "services.msc"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\
2 = "gpedit.msc"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\
3 = "msconfig.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\
4 = "secpol.msc"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\
5 = "sysedit.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\
6 = "cmd.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\
7 = "mmc.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\
8 = "progman.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\
9 = "ntbackup.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\
10 = "rsop.msc"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableTaskMgr = "1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
NoDevMgrPage = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
NoDispSettingsPage = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
NoProfilePage = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
NoAdminPage = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
NoDispScrSavPage = 1

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\
NoBrowserClose = 1

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\
NoBrowserOptions = 1

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\
NoFileNew = 1

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\
NoFileOpen = 1

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\
NoFindFiles = 1

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\
NoSelectDownloadDir = 1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
NoDesktop = 1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\
DisableSR = 1

HKCU\Control Panel\Keyboard\
KeyboardDelay = "9"

HKCU\Control Panel\Mouse\
DoubleClickSpeed = "100"

HKCU\Control Panel\Mouse\
MouseSensitivity = "5"

HKCU\Control Panel\Mouse\
MouseSpeed = "0"

HKCU\Control Panel\Mouse\
SwapMouseButtons = "1"
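The policy values above are what an incident responder checks first, since they are what keeps the user from running Task Manager, regedit, cmd.exe or the other tools the worm blocks. The following is an added example (not Sophos code) that parses the text of a registry export in the standard `.reg` format and reports every entry that matches the list above: the Explorer, System, Internet Explorer and System Restore policies, the DisallowRun program list, and Run-key values that point at the worm's dropped files. The export in it is constructed; on a real host the input would be the file written by `reg export`, and the cosmetic Control Panel keyboard and mouse values are not covered.

```python
"""Audit a Windows registry export (.reg text) for the W32/Attech-A entries listed above.

Added example, not Sophos code.  SAMPLE_EXPORT is constructed; on a real host you
would read the file produced by `reg export <key> <file>` (UTF-16 text) instead.
"""
import re

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

EXPLORER = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
IE_RESTRICTIONS = r"HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions"
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Policy values the analysis lists, keyed by lower-cased key path.
WORM_POLICY_VALUES = {
    EXPLORER.lower(): {v.lower() for v in (
        "NoRun", "NoClose", "NoFileMenu", "NoFind", "NoUserNameInStartMenu", "NoDrives",
        "NoControlPanel", "NoDisconnect", "NoNetworkConnections", "NoChangeStartMenu",
        "NoSharedDocuments", "NoSMMyMusic", "NoSMMyPictures", "NoSMMyDocs", "NoSetTaskbar",
        "NoStartMenuMorePrograms", "NoSMHelp", "NoRecentDocsMenu", "NoViewContextMenu",
        "NoWinKeys", "NoBandCustomize", "NoPropertiesMyComputer", "NoCDBurning",
        "NoStartMenuNetworkPlaces", "NoStartMenuMFUprogramsList", "HideClock",
        "NoFolderOptions", "NoWindowsUpdate", "DisallowRun")},
    SYSTEM.lower(): {v.lower() for v in (
        "DisableTaskMgr", "DisableRegistryTools", "NoDevMgrPage", "NoDispSettingsPage",
        "NoProfilePage", "NoAdminPage", "NoDispScrSavPage")},
    IE_RESTRICTIONS.lower(): {v.lower() for v in (
        "NoBrowserClose", "NoBrowserOptions", "NoFileNew", "NoFileOpen", "NoFindFiles",
        "NoSelectDownloadDir")},
    r"hklm\software\microsoft\windows\currentversion\policies\explorer": {"nodesktop"},
    r"hklm\software\policies\microsoft\windows nt\systemrestore": {"disablesr"},
}
DISALLOWED_TOOLS = {"services.msc", "gpedit.msc", "msconfig.exe", "secpol.msc", "sysedit.exe",
                    "cmd.exe", "mmc.exe", "progman.exe", "ntbackup.exe", "rsop.msc"}
WORM_BINARIES = {"download.exe", "cro.exe"}   # files the worm drops, per the analysis


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg strings escape backslash and quote with a backslash


def _decode(raw):
    """dword:HEX -> int, "text" -> str; other types (hex:, '-') are left as raw text."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return _unescape(raw[1:-1])
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: data}}, hive names shortened to HKLM/HKCU."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = HIVES.get(hive.upper(), hive) + "\\" + rest
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            name = "@" if m.group(2) else _unescape(m.group(1))
            keys[current][name] = _decode(m.group(3))
    return keys


def _enabled(data):
    return data not in (0, "", "0")


def audit_reg_export(text):
    """Return (key, value_name, data) for every entry that matches the analysis."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        for name, data in values.items():
            basename = str(data).strip('"').rsplit("\\", 1)[-1].lower()
            if name.lower() in WORM_POLICY_VALUES.get(k, ()) and _enabled(data):
                findings.append((key, name, data))
            elif k == EXPLORER.lower() + r"\disallowrun" and str(data).lower() in DISALLOWED_TOOLS:
                findings.append((key, name, data))
            elif k == RUN.lower() and basename in WORM_BINARIES:
                findings.append((key, name, data))
    return findings


# Constructed export: three of the worm's policies, two DisallowRun entries, its Run
# value, plus a legitimate hardening value and a benign Run entry that must not be flagged.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDrives"=dword:03ffffff
"DisallowRun"="1"
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="services.msc"
"6"="cmd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Download"="C:\\Windows\\Download.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe /quiet"
"""

if __name__ == "__main__":
    for key, name, data in audit_reg_export(SAMPLE_EXPORT):
        print(f"{key}\\{name} = {data!r}")
```

The parser keeps the value type distinction that the listing above makes with quotes (REG_SZ "1") and bare numbers (REG_DWORD 1), so a policy set either way is reported; values of other types are passed through undecoded rather than guessed at.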

W32/Attech-A closes application windows whose title matches any of the following:

Norton
AVP
AVP Monitor
Sygate Personal Firewall Pro
NOD32 Antivirus Program - [My Profile]
NOD32 Control Center
eTrust Antivirus - Local Scanner
F-Secure Anti-Virus
My Computer
Registry Monitor
Kaspersky Anti-Virus Monitor
HijackThis
Anti-Virus
BlackICE
BitDefender Sheild
BitDefender
My Documents
Process Explorer - Sysinternals: www.sysinternals.com
Registry Monitor - Sysinternals: www.sysinternals.com
Norton AntiVirus Porfessional
Windows Security Center
Windows Firewall
Control Panel
Run
Turn Off Computer
Log off Windows
Command Prompt
Kaspersky Anti-Virus personal
AVG E-Mail Server Edition - Advanced Interface
AVG E-Mail Server Edition - Basic Interface
AVG E-Mail Server Edition - Control Centerr
Pop3trap
Ad-Aware SE Personal
Spybot - Search & Destroy
Sophos Anti-Virus - SWEEP
Anti-Trojan - Infection Monitor
Norton Antivirus
Registry Editor
Windows Task Manager
System Configuration Utility
Services
AntiViral Toolkit Pro
Kaspersky Anti-Virus Scanner
Ad-aware 6.0 Personal
System Restore
WinPatrol

The worm adds entries to the Windows HOSTS file mapping the following hosts to the loopback address:

www.symantec.com
www.sophos.com
www.avast.com
www.mcafee.com
www.f-prot.com
www.f-secure.com
www.avp.com
www.kaspersky.com
www.trendmicro.com
www.bitdefender.com
www.my-etrust.com
www.eset.com
www.norman.com
www.grisoft.com
www.pandasecurity.com
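Pinning vendor sites to the loopback address in HOSTS is what stops an infected machine from fetching updates or removal tools, so checking and cleaning that file is part of recovery. The following is an added example (not Sophos code) that parses HOSTS text, reports every entry for one of the vendor names above, and returns a cleaned copy with those names removed while leaving other mappings intact. It goes slightly beyond the analysis: besides the loopback mappings the text describes, it also reports a blackhole address (0.0.0.0 or ::) or a redirect to any other address, since none of these names belongs in HOSTS at all. The sample file is constructed; on Windows the real file is %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Detect and undo the HOSTS-file tampering described in the W32/Attech-A analysis.

Added example, not Sophos code.  SAMPLE_HOSTS is constructed; on Windows the
real file is %SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import ipaddress

# Hosts the analysis says the worm maps to the loopback address.
VENDOR_HOSTS = {
    "www.symantec.com", "www.sophos.com", "www.avast.com", "www.mcafee.com",
    "www.f-prot.com", "www.f-secure.com", "www.avp.com", "www.kaspersky.com",
    "www.trendmicro.com", "www.bitdefender.com", "www.my-etrust.com", "www.eset.com",
    "www.norman.com", "www.grisoft.com", "www.pandasecurity.com",
}


def parse_hosts(text):
    """Yield (address, hostname) for each mapping; comments and blank lines are skipped."""
    for line in text.splitlines():
        fields = line.partition("#")[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def _kind(address):
    """Classify the address a name is mapped to: loopback, blackhole, redirect or invalid."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:          # 0.0.0.0 and :: are also used to blackhole names
        return "blackhole"
    return "redirect"


def hijacked_vendor_entries(text):
    """Return (hostname, address, kind) for every vendor host pinned in HOSTS."""
    return [(name, addr, _kind(addr)) for addr, name in parse_hosts(text)
            if name in VENDOR_HOSTS]


def remove_vendor_entries(text):
    """Return the HOSTS text with vendor names removed; all other mappings are kept."""
    kept = []
    for line in text.splitlines():
        body, hash_, comment = line.partition("#")
        fields = body.split()
        if len(fields) >= 2:
            names = [n for n in fields[1:] if n.lower() not in VENDOR_HOSTS]
            if not names:
                continue                      # line mapped only vendor hosts: drop it
            if len(names) < len(fields) - 1:  # mixed line: rewrite it without the vendor names
                line = " ".join([fields[0], *names]) + (f"  #{comment}" if hash_ else "")
        kept.append(line)
    return "\n".join(kept) + "\n"


# Constructed sample of a tampered file: loopback, blackhole and redirect cases,
# a line carrying two vendor names, and a mixed line that must survive cleaning.
SAMPLE_HOSTS = """\
# constructed sample of a tampered hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com
127.0.0.1       www.sophos.com www.avast.com
0.0.0.0         www.kaspersky.com
10.0.0.5        intranet.example.test www.eset.com   # mixed line
"""

if __name__ == "__main__":
    for name, addr, kind in hijacked_vendor_entries(SAMPLE_HOSTS):
        print(f"{name} -> {addr} ({kind})")
    print(remove_vendor_entries(SAMPLE_HOSTS))
```

On a live system, write the cleaned text back only after the worm process has been stopped and its Run-key entries removed; otherwise the file is simply rewritten at the next start.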
