ENSRT Incident Note ETS-i-2004-12512
The Enterasys Networks Security Response Team (ENSRT) publishes incident notes to provide information for our constituents to raise awareness of issues deemed threatening to the security and integrity of our customers.
Worm - W32.Atak.F@mm
Release Date: 12/16/2004
Last Updated:
Overview
The W32.Atak.F@mm mass mailer worm infects network PCs through an e-mail's attached executable and then attempts further proliferation with an imbedded SMTP mail engine.
Email-Worm.Win32.Atak.h [Kaspersky], W32/Atak.i@MM [McAfee]
Systems affected
Windows operating systemsSystems not affected
Linux and MAC/OSXDescription
The W32.Atak.F@mm worm arrives in the user mailbox with a ZIP file attachment containing one of the following names: "bat.zip", "com.zip", "scr.zip", or "pif.zip". Contained within the ZIP file is an executable copy of the worm with a filetype of ".bat", ".com", ".scr", or ".pif". If the attachment is unzipped and the imbedded worm is executed by the user, the worm installs itself into the Windows system folder on the newly infected machine as well as adds registry values to load the virus on system bootup.
The last action the W32.Atak.E@mm takes is to collect email addresses from files on the infected PC with the following filetypes:
.log
.html
.msg
.eml
.mht
.dbx
.asp
.php
.jsp
.htm
.txt
Once the addresses have been harvested, the worm attempts to proliferate itself further with an imbedded SMTP engine sending copies of itself to the collected addresses.
The characteristics of the email include a "From:" address randomly taken from the pool of collected addresses and a "Subject:" line being one of the following:
Merry X-Mas!
Happy New Year
And an e-mail body containing one of the following two lines:
Mery Chrismas & Happy New Year! 2005 will be the beginning!
Happy New year and wish you good luck on next year!
Threat Assessment
Mass-mailing worms if not addressed through prudent remediation steps may congest mail servers and/or degrade network performance. Mass-mailing worms may impact individual system performance and compromise security settings allowing unauthorized remote access to the compromised host.
Remediation
| Matrix N7 | X |
| Matrix E7 | X |
| Matrix E6 | X |
| Matrix E5 | X |
| Matrix E1 | X |
| VH | X |
Detection
Updated IDS signatures can be downloaded here: https://dragon.enterasys.com (requires login)
Prevention
Trusted End System solutions are capable of monitoring various end system activity. TES is able to take immediate action such as firewalling specific IPs, TCP/UDP ports, applications, or placing the user into a Quarantine policy or VLAN until end system threat is mitigated. Learn more at: http://www.enterasys.com/solutions/secure-networks/trusted_end_system/
Containment
Using Enterasys Policy Manager, enforce a policy that allows SMTP traffic from end user PCs to authorized SMTP mail servers and blocks SMTP traffic to unauthorized end users or unknown Internet systems. If the SMTP protocol is not implemented for end users within the enterprise, consider implementing a policy blocking SMTP traffic from end user ports.
Repair
Monitor SMTP mail server logs to locate infected users sending multiple copies of the worm e-mail matching the previously defined subject and body. Once isolated, see your anti-virus vendor for Windows repair procedures for infected users.
References
http://www.iana.org/assignments/port-numbers
http://securityresponse.symantec.com/avcenter/venc/data/w32.atak.f@mm.html
This document and the information contained herein are intended solely for informational use. Enterasys Networks, Inc. makes no representations or warranties of any kind, whether expressed or implied, with respect to this information and assumes no responsibility for its accuracy or completeness. Enterasys Networks, Inc. hereby disclaims all liability and warranty for any information contained herein and all the material and information herein exists to be used only on an "as is" basis. More specific information may be available on request. By your review and/or use of the information contained herein, you expressly release Enterasys from any and all liability related in any way to this information.
A copy of the text of this section is an uncontrolled copy, and may lack important information or contain factual errors. All information herein is Copyright ©Enterasys Networks, Inc. All rights reserved. All information above is subject to change without notice.
Revision History:
|
Version: 1.0 |
Date: 12/16/2004 |
Author: ENSRT STAFF |
Change |