
Win32:Gatina-B

Win32:Gatina-B is a mass-mailing worm that disables some system functions and blocks some security-related applications.

Summary
Type: Worm
Aliases: Worm/Pintae.A, W32.Pintae.A@mm, W32/Sillyworm.WI, W32/Namuki, W32/Vanneo.B.worm
VPS version: February 12, 2007 (0712-7)
Platform: Windows
File size: 40,960 bytes

Description

When Win32:Gatina-B is launched, it copies itself to the following files:

  • %USERPROFILE%\Start Menu\Programs\Startup\MSKernell.bat
  • %SYSTEM%\AutoRun.bat
  • %WINDOWS%\Exit to DosPrompt.pif
  • %WINDOWS%\Mails\DATA.DOC.exe
  • %WINDOWS%\Mails\DOCUMENT.DOC.exe
  • %WINDOWS%\Mails\INFO.DOC.exe
  • %WINDOWS%\Mails\README.DOC.exe
  • %WINDOWS%\Mails\TAETAE.TXT.exe

Win32:Gatina-B then writes new registry entries to make sure it is launched every time Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NOYPI_KANG_ASTI = "%WINDOWS%\Exit to DosPrompt.pif"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taetae = "%WINDOWS%\Exit to DosPrompt.pif"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\TANG_INA_MO = "%SYSTEM%\AutoRun.bat"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\taengtae = "%SYSTEM%\AutoRun.bat"

Win32:Gatina-B also sets the following policy values to disable system functions, mainly the administration tools a user would need to inspect or clean the machine:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFindFiles = "1"
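The registry changes above are the most reliable host indicators, because the value names and the dropped filenames are fixed. The following script is an added example (not part of the original description or of avast!'s tooling): it parses a registry export in .reg syntax and flags the autorun values that point at the worm's dropped files together with the lock-out policies set to 1, and prints what to delete or reset. The export text is constructed for the example, not captured from an infected host; the HKCU Run/RunServices keys and the ".bat/.pif launcher" heuristic are generalisations beyond the keys listed on the page.

```python
"""Triage a Windows .reg export for Win32:Gatina-B persistence and policy changes.
Added example; not the page's own code."""
import re
from typing import Dict, List, Tuple

# Constructed .reg export (not a real capture): the page's entries plus a
# benign Run value and a policy left at 0, so the checks have contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOYPI_KANG_ASTI"="C:\\Windows\\Exit to DosPrompt.pif"
"taetae"="C:\\Windows\\Exit to DosPrompt.pif"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"TANG_INA_MO"="C:\\Windows\\System32\\AutoRun.bat"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoFind"=dword:00000000
'''

# Autorun keys (HKLM ones from the page; HKCU variants added as an assumption).
AUTORUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
)}
# Filenames the worm drops and registers for autorun (from the page).
DROPPED_NAMES = {"exit to dosprompt.pif", "autorun.bat", "mskernell.bat"}
# Policy values the worm sets to 1 (tuples keep finding order deterministic).
POLICY_RESTRICTIONS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\system":
        ("DisableTaskMgr", "DisableRegistryTools"),
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer":
        ("NoFolderOptions", "NoFind"),
    r"hkey_current_user\software\policies\microsoft\internet explorer\restrictions":
        ("NoFindFiles",),
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the .reg subset used here: [key] headers, "name"="string" (with
    \\\\ and \\" escapes) and "name"=dword:hex. Returns {key: {name: data}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = data  # hex:/expand-string data left unparsed
    return keys


def triage(reg: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, remediation) for autorun values that launch the
    dropped files or any .bat/.pif, and for lock-out policies that are set to 1."""
    findings = []
    for key, values in reg.items():
        lkey = key.lower()
        if lkey in AUTORUN_KEYS:
            for name, data in values.items():
                if not isinstance(data, str):
                    continue
                basename = data.strip('"').lower().rsplit("\\", 1)[-1]
                if basename in DROPPED_NAMES or basename.endswith((".bat", ".pif")):
                    findings.append((key, name, "delete value"))
        for name in POLICY_RESTRICTIONS.get(lkey, ()):
            if values.get(name) == 1:
                findings.append((key, name, "set to 0 or delete value"))
    return findings


if __name__ == "__main__":
    for key, name, action in triage(parse_reg(SAMPLE_REG)):
        print(f"{action:25s} {key}\\{name}")
```

Run it against `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run out.reg` (and the other keys) taken from a suspect host; the policy values are under HKCU, so the export must be made from the affected user's profile. Note that the Explorer value NoFind is left at 0 in the sample and correctly produces no finding.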

Win32:Gatina-B is a mass-mailing worm. It sends itself as an infected attachment to email addresses found in the Windows Address Book. An infected email has the following characteristics:

  1. From (one of the following)
    • astig@hotmail.com
    • noypi@pinoy.com
    • Tae@Tae.com
    • vaNNeo@viruz.com
    • victim@victim.com
    • viruz@yahoo.com
    • lady_juana_cute@hotmail.com
  2. Subject (one of the following):
    • CDO.Message
    • FILIPINO'S SECRETS
    • My Documents
    • My Victim
    • New Virus Information
    • Philippines Government Top Secret
    • TaeTae Virus Information
  3. Message body (one of the following):
    • Hi! Look the Attach Document for more details about FILIPINOS...
    • HOY! PINOY AKO! BUO AKING LOOB MAY AGIMAT AKO... FOR MORE LYRICS CHECK THE ATTACH FILE...
    • If your computer has been infected by TaeTae Virus. Open the attach file and follow the instruction to remove the virus...
    • LYRICS OF BAMBOO AND OTHER BOY BAND
    • Please read the attach file for more information about computer virus...
    • The Government of the Philippines revealed the truth. For more information please read the Attach file...
  4. Attachment filename (one of the following):
    • DATA.DOC.exe
    • DOCUMENT.DOC.exe
    • INFO.DOC.exe
    • README.DOC.exe
    • TAETAE.TXT.exe
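The sender addresses, subjects and attachment names above are static, so they can be matched directly at the mail gateway; the more durable indicator is the attachment pattern itself, a document extension followed by an executable one (DATA.DOC.exe). The script below is an added example, not code from the original description: it parses RFC 5322 messages with Python's `email` package, matches the page's indicators, and additionally flags any disguised executable attachment. The three messages are constructed inline for the example, not captured samples, and the extension lists used for the generalisation are an assumption, not part of the page.

```python
"""Gateway-style triage of mail for the Win32:Gatina-B mailing pattern.
Added example; not the page's own code."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List

# Indicators taken from the description (compared case-insensitively).
KNOWN_SENDERS = {
    "astig@hotmail.com", "noypi@pinoy.com", "tae@tae.com", "vanneo@viruz.com",
    "victim@victim.com", "viruz@yahoo.com", "lady_juana_cute@hotmail.com",
}
KNOWN_SUBJECTS = {
    "cdo.message", "filipino's secrets", "my documents", "my victim",
    "new virus information", "philippines government top secret",
    "taetae virus information",
}
KNOWN_ATTACHMENTS = {
    "data.doc.exe", "document.doc.exe", "info.doc.exe", "readme.doc.exe",
    "taetae.txt.exe",
}
# Assumption (not from the page): generic double-extension check, so that a
# renamed variant such as Figures.PDF.scr is still caught.
EXECUTABLE_EXT = {"exe", "pif", "bat", "com", "scr", "cmd"}
DOCUMENT_EXT = {"doc", "txt", "pdf", "xls", "jpg", "rtf", "htm"}


def is_disguised_executable(filename: str) -> bool:
    """True for names like DATA.DOC.exe: executable suffix behind a document suffix."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT and parts[-2] in DOCUMENT_EXT


def triage_message(raw: bytes) -> List[str]:
    """Return the indicators matched by one message (empty list if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if parseaddr(msg.get("From", ""))[1].lower() in KNOWN_SENDERS:
        reasons.append("sender on worm list")
    if (msg.get("Subject", "") or "").strip().lower() in KNOWN_SUBJECTS:
        reasons.append("subject on worm list")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() in KNOWN_ATTACHMENTS:
            reasons.append(f"attachment name on worm list: {name}")
        elif is_disguised_executable(name):
            reasons.append(f"disguised executable attachment: {name}")
    return reasons


def verdict(reasons: List[str]) -> str:
    """Quarantine on any attachment indicator; header-only matches go to review."""
    if any(r.startswith(("attachment", "disguised")) for r in reasons):
        return "quarantine"
    return "review" if reasons else "pass"


def build_sample(from_addr: str, subject: str, body: str, attachment: str) -> bytes:
    """Construct a test message (not a real capture) with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


# Constructed samples: one matching the page, one renamed variant, one benign.
SAMPLES = {
    "worm": build_sample("viruz@yahoo.com", "My Documents",
                         "Hi! Look the Attach Document for more details about FILIPINOS...",
                         "DATA.DOC.exe"),
    "variant": build_sample("unknown@example.net", "Quarterly figures",
                            "Please see attached.", "Figures.PDF.scr"),
    "benign": build_sample("colleague@example.com", "Quarterly figures",
                           "Please see attached.", "figures.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        reasons = triage_message(raw)
        print(f"{label:8s} {verdict(reasons):10s} {reasons}")
```

The header matches alone are weak (From is forged and subjects are short common phrases), so they only route a message to review; any attachment indicator quarantines it. In practice the double-extension rule belongs in the gateway's attachment policy regardless of this particular worm.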

Win32:Gatina-B terminates and blocks applications, processes and windows whose names or titles appear in the following list. These are mainly security products and system administration tools.

  • Norton
  • AVP Monitor
  • Sygate Personal Firewall Pro
  • BitDefender
  • NOD32 Antivirus Program - [My Profile]
  • NOD32 Control Center
  • eTrust Antivirus - Local Scanner
  • F-Secure Anti-Virus
  • My Computer
  • Registry Monitor
  • Kaspersky Anti-Virus Monitor
  • HijackThis
  • Anti-Virus
  • BlackICE
  • Process Explorer - Sysinternals: www.sysinternals.com
  • Registry Monitor - Sysinternals: www.sysinternals.com
  • Norton AntiVirus Porfessional
  • Windows Security Center
  • Windows Firewall
  • Control Panel
  • Run
  • Turn Off Computer
  • Log off Windows
  • Command Prompt
  • Kaspersky Anti-Virus personal
  • AVG E-Mail Server Edition - Advanced Interface
  • AVG E-mail Server Edition - Basic Interface
  • AVG E-mail Server Edition - Control Centerr
  • Pop3trap
  • Ad-Aware SE Personal
  • Spybot - Search & Destroy
  • Sophos Anti-Virus - SWEEP
  • Anti-Trojan - Infection Monitor
  • Norton AntiVirus
  • Registry Editor
  • Windows Task Manager
  • System Configuration Utility
  • Services
  • AntiViral Toolkit Pro
  • Kaspersky Anti-Virus Scanner
  • Ad-aware 6.0 Personal
  • System Restore
  • WinPatrol

    Comment:
  • %WINDOWS% refers to the Windows installation folder, by default:
    • C:\Windows (Windows 95, 98, Me, XP)
    • C:\Winnt (Windows NT, 2000)
  • %SYSTEM% refers to the Windows system folder, by default:
    • C:\Windows\System (Windows 95, 98, Me)
    • C:\Winnt\system32 (Windows NT, 2000)
    • C:\Windows\System32 (Windows XP)
  • %USERPROFILE% refers to the current user's profile folder, by default C:\Documents and Settings\[Current User] (the name may differ depending on the Windows language version)

Detection/Removal

avast! with VPS file 0712-7 or newer (dated 12 February 2007 or later) detects and removes this worm.

