Sophos

W32/Attech-D


Summary

How it spreads
  • Chat programs
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 8 December 2005 03:18:45 (GMT)
Detected by All Sophos products

More Information

W32/Attech-D is a worm for the Windows platform that spreads via AOL Instant Messenger (AIM).

W32/Attech-D disables Task Manager, the registry editor (regedit) and Windows Explorer, and prevents Internet Explorer from being closed.

W32/Attech-D attempts to spread to every contact on the infected user's AIM buddy list by sending a link accompanied by one of the following messages:

LMAO OMG THIS IS HILARIOUS!
INFINITE FREE PICS OF ASIAN HOTTIES!
Lol OMG! Someone posted your picture here!
OMG LOOK IT'S YOU!
Cool hacking programs!
Take my Quiz!
Play the new Aim Online game!
Click to join! Better then myspace and xanga!
Check my Pics Out!
Wanna See My Profile!
Download My Profile.
LOL Check these Pics out.
Have you see this!
Download my mp3 i made.
Check out my music!
Funniest Clip Ever!
Download Dead Aim (5.9+)- NEW!
Check out my webcam.
See my Beach pictures!!
Make your own Profile!
THE KEY TO HAPPINESS IS LAUGHTER!
Join this free music site!
View My BuddyProfile
My Xanga!
LOL Watch this clip!
Free Aim Password Cracker. Use it to hack your friends.
This game is badass! Play now!
Email Hacker Pro 1.5 This is awsome! :)
Game Hacker program download here.
Aim Hacker 1.3 FREE!
LOLOL WTF IS THIS?!
Better then limewire and kazaa put together!
Get X-im Chat! Better then AIM!
Best Aim Password Cracker written by ZeX.
Download Aim Optimized 4.9!
Hack Webcams and Aim accounts with O-Hax! This is the last day it will be out for free!

The link points to a remote site from which further malware is downloaded. At the time of writing, the downloaded file was detected as W32/Attech-C.

When first run W32/Attech-D attempts to copy itself to:

<Startup>\Dioxin.exe
<System>\Dioxin.exe
<System>\WinDio778.exe
A:\Dioxin.exe

W32/Attech-D will display a message box with the title "Dioxin" and the message text of "FUCKYOU AND EVERYONE ELSE!"

W32/Attech-D then makes many copies of itself in common shared folders, including peer-to-peer share folders, under names such as <program> crack.exe, <program> patch.exe and <program> keygen.exe, posing as cracks for popular software.

W32/Attech-D changes the Start Page for Microsoft Internet Explorer by setting the registry entry:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

The following registry entries are set, disabling the registry editor (regedit) and the Windows task manager (taskmgr):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskmgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Further registry entries are set as follows, restricting the Explorer shell, the MS-DOS subsystem (WinOldApp), the logon screen and Internet Explorer:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1,00 hex

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoClose
1,00 hex

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoLogOff
1,00 hex

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDrives
3ffffff (a 26-bit mask, 0x3FFFFFF, that hides every drive letter from A: to Z: in Explorer)

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSaveSettings
0,00 hex

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoViewContextMenu
1,00 hex

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoTrayContextMenu
1,00 hex

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
RestrictRun
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSetFolders
f4240

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFavoritesMenu
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRecentDocsMenu
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSetTaskbar
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDesktop
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDevMgrPage
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Disabled
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
NoRealMode
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
LegalNoticeCaption
??????

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
LegalNoticeText
???????????

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
NoBrowserClose
1

W32/Attech-D may also make the following changes to <Windows>\win.ini, which swap the left and right mouse buttons, alter the double-click speed, keyboard repeat delay and mouse speed, and change the time format and the AM/PM designators:

[Intl]
s1159 = ??????
s2359 = ??????
sTimeFormat = HH:mm:ss:tt

[Windows]
DoubleClickSpeed = 100
KeyboardDelay = 9
MouseSpeed = 0
SwapMouseButtons = 1
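As an added example (not Sophos' own tooling and not part of this report), the following PowerShell script checks a machine for the registry values, dropped files and win.ini-mapped settings listed above and reverts them. It assumes an NT-based Windows where PowerShell is available, that the worm process has already been stopped (for instance from Safe Mode), that the user has administrative rights for the HKLM values, and en-US defaults for the settings it restores. The Windows NT\CurrentVersion\Winlogon path is an added assumption, because the report lists only the legacy Winlogon location; the win.ini keys are handled through the HKCU\Control Panel keys that IniFileMapping redirects them to on NT-based Windows.

```powershell
# Added example, not Sophos tooling: find and revert the W32/Attech-D changes
# listed in this report. Run as the infected user, with administrative rights
# for the HKLM values, after the worm process has been stopped.

$found = @()

# Policy values the worm sets to lock the user out (key -> value names).
$policyValues = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'    = @('DisableTaskmgr', 'DisableRegistryTools', 'NoDevMgrPage')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'  = @(
        'NoRun', 'NoFind', 'NoClose', 'NoLogOff', 'NoDrives', 'NoDesktop', 'NoSaveSettings',
        'NoViewContextMenu', 'NoTrayContextMenu', 'RestrictRun', 'NoSetFolders',
        'NoFavoritesMenu', 'NoRecentDocsMenu', 'NoSetTaskbar')
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'  = @('NoDesktop')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp' = @('Disabled', 'NoRealMode')
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'   = @('NoBrowserClose')
}

foreach ($key in $policyValues.Keys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $policyValues[$key]) {
        if ($null -ne $props.$name) {
            $found += "$key\$name = $($props.$name)"
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        }
    }
}

# Logon banner. The report lists the legacy key; the NT-family key is an
# assumption. Review $found before running this on a machine that has a
# legitimate logon notice, as the values are cleared rather than deleted.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $winlogonKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
        if ($props.$name) {
            $found += "$key\$name = $($props.$name)"
            Set-ItemProperty -Path $key -Name $name -Value ''
        }
    }
}

# The report does not give the URL the worm sets as Start Page, so record
# whatever is there and reset it.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Start Page'
if ($startPage) {
    $found += "$ieMain\Start Page = $startPage"
    Set-ItemProperty -Path $ieMain -Name 'Start Page' -Value 'about:blank'
}

# Dropped copies of the worm.
$sys = [Environment]::SystemDirectory
$dropped = @(
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'Dioxin.exe'),
    (Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'Dioxin.exe'),
    (Join-Path $sys 'Dioxin.exe'),
    (Join-Path $sys 'WinDio778.exe'),
    'A:\Dioxin.exe'
)
foreach ($file in $dropped) {
    if (Test-Path -LiteralPath $file -ErrorAction SilentlyContinue) {
        $found += "file: $file"
        Remove-Item -LiteralPath $file -Force -ErrorAction SilentlyContinue
    }
}

# win.ini [Intl]/[Windows] entries are redirected to HKCU\Control Panel\* on
# NT-based Windows. Each entry is reset to the en-US default (assumption) only
# if it currently holds the value the worm writes, so user settings are kept.
# s1159/s2359 are not handled: the report does not show the values the worm sets.
$wormUiValues = @{
    'HKCU:\Control Panel\International' = @{ sTimeFormat = @('HH:mm:ss:tt', 'h:mm:ss tt') }
    'HKCU:\Control Panel\Mouse'         = @{ DoubleClickSpeed = @('100', '500'); MouseSpeed = @('0', '1'); SwapMouseButtons = @('1', '0') }
    'HKCU:\Control Panel\Keyboard'      = @{ KeyboardDelay = @('9', '1') }
}
foreach ($key in $wormUiValues.Keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $wormUiValues[$key].Keys) {
        $wormValue, $defaultValue = $wormUiValues[$key][$name]
        if ("$($props.$name)" -eq $wormValue) {
            $found += "$key\$name = $wormValue"
            Set-ItemProperty -Path $key -Name $name -Value $defaultValue
        }
    }
}

if ($found.Count -eq 0) { 'No W32/Attech-D indicators found.' } else { 'Reverted:'; $found }
```

Log off and back on (or restart explorer.exe) afterwards so the shell re-reads the policy keys; NoBrowserClose takes effect the next time Internet Explorer is started. Since Task Manager, regedit and Explorer are disabled while the worm is running, start the script from a console that does not depend on the shell, such as Safe Mode with Command Prompt, and confirm with a full scan that no further copies (for example the <program> crack.exe files in shared folders) remain.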
