The Register®

Original URL: http://www.theregister.co.uk/2004/07/14/atak_stealth_virus/

Stealth virus is stealthiest of all

Under Atak

By John Leyden

Posted in Malware, 14th July 2004 09:31 GMT


There's a new mass mailing virus in town, and it's built to make life even more difficult for anti-virus researchers.

Atak (http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1) uses a variety of tactics to escape anti-virus analysis. Its main trick is to check whether it is being run under a debugger; if so, it exits to avoid detection. The ploy prevents casual perusal of the code by researchers and (potentially) rival virus writers.

A possible bug, related to the way Atak checks its activation date, prevents it from running in a "sandbox". A sandbox is a virtual environment commonly used by AV researchers to observe the behaviour of malware in a safe place.
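The two tricks above, a debugger check and a date-gated activation, both leave a trace an analyst can look for before ever running the sample: the Windows APIs the binary imports. The script below is an added example, not code from the article or from BitDefender. It walks a 32-bit PE file's import directory by hand and flags imports from a watch-list of debugger-detection and clock-reading APIs. That watch-list is an assumption (a generic triage heuristic); the article does not say which APIs Atak uses. The PE it scans is constructed in-line so the script runs offline.

```python
"""Static triage helper: list a 32-bit PE file's imported API names and flag
those an analyst associates with debugger checks and date/time gating.

Added example, not from the article or BitDefender. The watch-list is a
generic analyst heuristic (an ASSUMPTION), not a description of which APIs
Atak actually imports. build_sample_pe() constructs a throwaway PE fixture.
"""
import struct

# Assumed watch-list: common Windows APIs for "am I being debugged?" and for
# reading the clock (a date-based activation check can stall in a sandbox).
ANTI_ANALYSIS_APIS = {
    "IsDebuggerPresent": "debugger check",
    "CheckRemoteDebuggerPresent": "debugger check",
    "NtQueryInformationProcess": "debugger check",
    "OutputDebugStringA": "debugger check",
    "GetSystemTime": "date/time gate",
    "GetLocalTime": "date/time gate",
    "GetTickCount": "date/time gate",
}
IMAGE_ORDINAL_FLAG32 = 0x80000000
IDATA_RVA, IDATA_OFF = 0x1000, 0x200  # where build_sample_pe() places .idata


def _rva_to_offset(rva, sections):
    """Translate a relative virtual address to a file offset via the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x is outside every section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data):
    """Return {dll: [imported names]} by walking the PE32 import directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff, opt = pe + 4, pe + 24
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    imp_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0]  # data directory[1] = imports
    sections = []
    for i in range(num_sections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    imports = {}
    if imp_rva == 0:
        return imports
    desc = _rva_to_offset(imp_rva, sections)
    while True:  # IMAGE_IMPORT_DESCRIPTOR array ends with an all-zero entry
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        names, thunk = [], _rva_to_offset(oft or ft, sections)
        while True:
            entry = struct.unpack_from("<I", data, thunk)[0]
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                names.append("ordinal#%d" % (entry & 0xFFFF))
            else:  # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the NUL-terminated name
                names.append(_cstring(data, _rva_to_offset(entry, sections) + 2))
            thunk += 4
        imports[_cstring(data, _rva_to_offset(name_rva, sections))] = names
        desc += 20
    return imports


def flag_anti_analysis(imports):
    """Return sorted (dll, api, reason) triples for watch-listed imports."""
    return sorted((dll, n, ANTI_ANALYSIS_APIS[n])
                  for dll, names in imports.items() for n in names if n in ANTI_ANALYSIS_APIS)


def build_sample_pe(dll_imports):
    """Construct a minimal PE32 whose only content is an import table (constructed fixture)."""
    n = len(dll_imports)
    blob = bytearray(20 * (n + 1))  # descriptor array; the last entry stays all-zero
    descs = []
    for dll, funcs in dll_imports.items():
        name_rvas = []
        for f in funcs:
            name_rvas.append(IDATA_RVA + len(blob))
            blob += b"\0\0" + f.encode() + b"\0" * (2 - len(f) % 2)  # hint + name, 2-aligned
        thunk_rva = IDATA_RVA + len(blob)
        blob += b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0\0\0\0"
        dll_rva = IDATA_RVA + len(blob)
        blob += dll.encode() + b"\0"
        descs.append((thunk_rva, dll_rva))
    for i, (thunk_rva, dll_rva) in enumerate(descs):
        struct.pack_into("<IIIII", blob, i * 20, thunk_rva, 0, 0, dll_rva, thunk_rva)
    dos = bytearray(64)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    opt[:2] = struct.pack("<H", 0x10B)
    opt[104:112] = struct.pack("<II", IDATA_RVA, 20 * (n + 1))
    sec = struct.pack("<8sIIII", b".idata", len(blob), IDATA_RVA, len(blob), IDATA_OFF) + b"\0" * 16
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(IDATA_OFF, b"\0") + bytes(blob)


if __name__ == "__main__":
    sample = build_sample_pe({"KERNEL32.dll": ["IsDebuggerPresent", "GetLocalTime", "CreateFileA"]})
    for dll, api, why in flag_anti_analysis(parse_imports(sample)):
        print("%s!%s  <- %s" % (dll, api, why))
```

A hit on this list is a prompt to look closer, not a verdict: plenty of legitimate software reads the clock or calls IsDebuggerPresent, and a sample that resolves its APIs at run time (GetProcAddress by string) will show nothing here, so the static pass complements the sandbox rather than replacing it.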

"I haven't seen such ruses used in a mass mailer in a long time. This piece of code is so sloppy, it's devious," said Mircea Ciubotariu, a researcher at Romanian AV firm BitDefender.

Aside from its stealth behaviour, the virus is a fairly standard mass mailer. It infects Windows PCs only (natch). Atak is spreading, albeit modestly, and most AV firms rate it as a low-to-medium risk threat. ®

Related stories

MS hatches July patch batch (http://www.theregister.co.uk/2004/07/14/ms_july_patches/)
All quiet on the malware front (http://www.theregister.co.uk/2004/07/01/june_virus_chart/)
Symantec fights auto-responder menace (http://www.theregister.co.uk/2004/05/14/symantec_kills_mailer_alerts/)
Malware attacks IE users via pop-ups (http://www.theregister.co.uk/2004/06/30/ie_malware_attack/)
CERT recommends anything but IE (http://www.theregister.co.uk/2004/06/28/cert_ditch_explorer/)