Date discovered: 13/12/2012
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Low
Static file: Yes
File size: 11.885 Bytes
MD5 checksum: 95b9fa3fe126cf8c3144ce62901d47c3
VDF version:

General
Method of propagation:
   • Email

Aliases:
   •  Symantec: W32.Atak.G@mm
   •  Mcafee: W32/Atak.j@MM
   •  Kaspersky: Email-Worm.Win32.Atak.i
   •  TrendMicro: WORM_ATAK.K
   •  F-Secure: W32/Atak.L@mm
   •  Sophos: W32/Atak-K
   •  Grisoft: I-Worm/Atak.J
   •  VirusBuster: I-Worm.Scroll

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP

Side effects:
   • Uses its own Email engine

Files
It copies itself to the following location:
   • %SYSDIR%\sec5dec.exe

It copies itself within an archive to the following location:
   • %TEMPDIR%\tmp%random character string%.tmp

It deletes the following file:
   • %TEMPDIR%\tmp%random character string%.tmp

Registry
The following registry key is added in order to run the process after reboot:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   • "run"="%SYSDIR%\sec5dec.exe"

Email
It contains an integrated SMTP engine in order to send emails. It establishes a direct connection with the destination server. Its characteristics are described below:

The sender address is spoofed.

– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
– Email addresses gathered from Yahoo! Messenger
– Email addresses gathered from MSN Messenger

One of the following:

– Contains HTML code.

   • Forgive me if I have make some mistake and hope much better next year!
     Happy X-Mas and New Year!

   • I would like to say Happy X-Mas if you celebrate it and Happy New Year! Be matured not childish!

The filename of the attachment is one of the following:

The email may look like one of the following:

Mailing
Search addresses:
It searches the following files for email addresses:
   • log; html; msg; eml; mht; dbx; asp; php; jsp; htm; txt

File details
Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Sergiu Oprea on Thursday, August 11, 2005
Description updated by Sergiu Oprea on Tuesday, August 30, 2005
