How to remove the javale.exe or W32.Ackantta.B@mm infection


Description:

The W32.Ackantta.B@mm worm is an infection that spreads by copying itself to removable drives and shared folders, and by mass-mailing itself to all of the email contacts it can find on your computer. This infection is typically installed when a user opens the attachment of an email that the worm sent from another infected machine. The subject of these emails may be:

Job offer from Coca Cola!
Thank you for your application
You have got a new E-Card from your friend!
You have received A Hallmark E-Card!

The attachment names are:

copy of your CV.zip
e-card.zip
job-application-form.zip
postcard.zip

The attachment uses an icon that looks like a snowman:

[Image: snowman icon of the attachment]

If a user runs the attachment, it will open an image that looks like a Christmas postcard. It will then create the C:\Windows\System32\javale.exe and C:\Windows\System32\javame1.1.exe files. It will then create the following registry key to start itself automatically:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SunJava Updater v7" = "%System%\javale.exe"

The worm will also modify the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%System%\javale.exe" = "%System%\javale.exe:*:Enabled:Explorer"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"javastation1.1" = "02"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"ultrasparc1.1" = "25"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = "0x1"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"RunInvalidSignatures" = "no"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\"LowRiskFileTypes" = ".zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav"

The worm then connects to the URL http://whatismyip.com/automation/n09230945.asp in order to determine the machine's public IP address. It will then connect to another URL to potentially download more malware, such as Vundo.

Manual Removal Instructions for W32.Ackantta.B@mm

End these processes if they exist:
Learn how to end processes

javale.exe
javame1.1.exe

Delete these files if they exist:
Learn how to remove files

C:\Windows\System32\javale.exe
C:\Windows\System32\javame1.1.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SunJava Updater v7"
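As an added example (not part of the original article and not a tool it references), the following PowerShell script audits a machine for the indicators listed in the description above and, when run with -Remove, carries out the three manual removal steps just given: end the processes, delete the dropped files, and remove the Run value. It assumes %System% expands to C:\Windows\System32 and that it is run from an elevated prompt. The other registry values the worm modifies (firewall exception, Explorer markers, Internet Explorer download settings, LowRiskFileTypes) are only reported for review, since the article does not instruct removing them.

```powershell
# Added example: audit for, and optionally clean up, the W32.Ackantta.B@mm
# indicators from the write-up above. Not the article's own code.
# Assumptions: %System% = $env:SystemRoot\System32; run as Administrator.
[CmdletBinding()]
param(
    [switch]$Remove   # without this switch the script only reports
)

$System = Join-Path $env:SystemRoot 'System32'

# Indicators taken from the write-up
$Processes = @('javale', 'javame1.1')                        # process names without .exe
$Files     = @("$System\javale.exe", "$System\javame1.1.exe")
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue  = 'SunJava Updater v7'

# Values the worm modifies but the article does not tell you to delete: report only
$ReviewValues = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'; Name = "$System\javale.exe" },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'; Name = 'javastation1.1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'; Name = 'ultrasparc1.1' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download';     Name = 'CheckExeSignatures' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download';     Name = 'RunInvalidSignatures' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes' }
)

$found = $false

# Step 1: end the worm's processes first, otherwise the files are locked
foreach ($name in $Processes) {
    foreach ($p in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
        $found = $true
        Write-Output "PROCESS  $($p.ProcessName) (PID $($p.Id)) path=$($p.Path)"
        if ($Remove) { Stop-Process -Id $p.Id -Force }
    }
}

# Step 2: dropped files; record a SHA-256 before deletion so the sample can be
# matched against vendor write-ups or submitted for analysis
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) {
        $found = $true
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Write-Output "FILE     $f sha256=$hash"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

# Step 3: the autostart value under HKLM\...\Run
$run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
if ($run) {
    $found = $true
    Write-Output "AUTORUN  $RunKey\$RunValue = $($run.$RunValue)"
    if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $RunValue }
}

# Other modified values: report so they can be reviewed by hand
foreach ($v in $ReviewValues) {
    $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($item) {
        $found = $true
        Write-Output "REVIEW   $($v.Key)\$($v.Name) = $($item.($v.Name))"
    }
}

if (-not $found) { Write-Output 'No W32.Ackantta.B@mm indicators found.' }
```

Save it as, for example, ackantta-check.ps1, run it once without arguments to see what is present, and run it again with -Remove to clean up. The steps are ordered as in the article on purpose: stopping the processes before deleting the files avoids "file in use" errors, and the Run value is removed last so the audit output still shows what it pointed at. Lines tagged REVIEW are the firewall exception and browser settings the worm changed; decide on those manually rather than letting a script guess at the pre-infection values.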
