Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:13/12/2012
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Low
Static file:Yes
File size:11.885 Bytes
MD5 checksum:95b9fa3fe126cf8c3144ce62901d47c3
VDF version:

 General Method of propagation:
   • Email

   •  Symantec: W32.Atak.G@mm
   •  Mcafee: W32/Atak.j@MM
   •  Kaspersky: Email-Worm.Win32.Atak.i
   •  TrendMicro: WORM_ATAK.K
   •  F-Secure: W32/Atak.L@mm
   •  Sophos: W32/Atak-K
   •  Grisoft: I-Worm/Atak.J
   •  VirusBuster: I-Worm.Scroll

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP

Side effects:
   • Uses its own Email engine

 Files It copies itself to the following location:
   • %SYSDIR%\sec5dec.exe

It copies itself within an archive to the following location:
   • %TEMPDIR%\tmp%random character string%.tmp

It deletes the following file:
   • %TEMPDIR%\tmp%random character string%.tmp

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   • "run"="%SYSDIR%\sec5dec.exe"

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

The sender address is spoofed.

– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
– Email addresses gathered from Yahoo! Messenger
– Email addresses gathered from MSN Messenger

One of the following:

– Contains HTML code.

   • Forgive me if I have make some mistake and hope much better next year!
     Happy X-Mas and New Year!

   • I would like to say Happy X-Mas if you celebrate it and Happy New Year! Be matured not childish!

The filename of the attachment is one of the following:

The email may look like one of the following:

 Mailing Search addresses:
It searches the following files for email addresses:
   • log; html; msg; eml; mht; dbx; asp; php; jsp; htm; txt

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Sergiu Oprea on Thursday, August 11, 2005
Description updated by Sergiu Oprea on Tuesday, August 30, 2005

Back . . . .