Nothing much, I'm just posting this because I was amused by what one of my friends did...
According to http://avast.com/eng/win32-gatina-b.html:
Win32:Gatina-B
Win32:Gatina-B is a mass mailing worm which can disable some system functions and can block some security related applications.
Summary
Type: Worm
Aliases: Worm/Pintae.A, W32.Pintae.A@mm, W32/Sillyworm.WI, W32/Namuki, W32/Vanneo.B.worm
VPS version: February 12, 2006 (0712-7)
Platform: Windows
File size: 40,960 bytes
Description
When Win32:Gatina-B is launched, it copies itself to the following files:
* %USERPROFILE%\Start Menu\Programs\Startup\MSKernell.bat
* %SYSTEM%\AutoRun.bat
* %WINDOWS%\Exit to DosPrompt.pif
* %WINDOWS%\Mails\DATA.DOC.exe
* %WINDOWS%\Mails\DOCUMENT.DOC.exe
* %WINDOWS%\Mails\INFO.DOC.exe
* %WINDOWS%\Mails\README.DOC.exe
* %WINDOWS%\Mails\TAETAE.TXT.exe
Win32:Gatina-B then writes new registry entries to make sure it is launched every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NOYPI_KANG_ASTI = "%WINDOWS%\Exit to DosPrompt.pif"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taetae = "%WINDOWS%\Exit to DosPrompt.pif"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\TANG_INA_MO = "%SYSTEM%\AutoRun.bat"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\taengtae = "%SYSTEM%\AutoRun.bat"
Win32:Gatina-B changes some other registry entries to disable system related functions, mainly administration tools:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions NoFindFiles = "1"
Win32:Gatina-B is a mass mailing worm. It sends itself as an infected attachment to email addresses found in the Windows Address Book. The following characteristics describe what an infected email can look like:
1. From (one of the following):
* astig@hotmail.com
* noypi@pinoy.com
* Tae@Tae.com
* vaNNeo@viruz.com
* victim@victim.com
* viruz@yahoo.com
* lady_juana_cute@hotmail.com
2. Subject (one of the following):
* CDO.Message
* FILIPINO'S SECRETS
* My Documents
* My Victim
* New Virus Information
* Philippines Government Top Secret
* TaeTae Virus Information
3. Message body (one of the following):
* Hi! Look the Attach Document for more details about FILIPINOS...
* HOY! PINOY AKO! BUO AKING LOOB MAY AGIMAT AKO... FOR MORE LYRICS CHECK THE ATTACH FILE...
* If your computer has been infected by TaeTae Virus. Open the attach file and follow the instruction to remove the virus...
* LYRICS OF BAMBOO AND OTHER BOY BAND
* Please read the attach file for more information about computer virus...
* The Government of the Philippines revealed the truth. For more information please read the Attach file...
4. Attachment filename (one of the following):
* DATA.DOC.exe
* DOCUMENT.DOC.exe
* INFO.DOC.exe
* README.DOC.exe
* TAETAE.TXT.exe
Win32:Gatina-B kills and blocks some applications/processes/windows from the following list. These applications are security related applications and system administration applications/windows.
* Norton
* AVP Monitor
* Sygate Personal Firewall Pro
* BitDefender
* NOD32 Antivirus Program - [My Profile]
* NOD32 Control Center
* eTrust Antivirus - Local Scanner
* F-Secure Anti-Virus
* My Computer
* Registry Monitor
* Kaspersky Anti-Virus Monitor
* HijackThis
* Anti-Virus
* BlackICE
* Process Explorer - Sysinternals: www.sysinternals.com
* Registry Monitor - Sysinternals: www.sysinternals.com
* Norton AntiVirus Porfessional
* Windows Security Center
* Windows Firewall
* Control Panel
* Run"Turn Off Computer
* Log off Windows
* Command Prompt
* Kaspersky Anti-Virus personal
* AVG E-Mail Server Edition - Advanced Interface
* AVG E-mail Server Edition - Basic Interface
* AVG E-mail Server Edition - Control Centerr
* Pop3trap
* Ad-Aware SE Personal
* Spybot - Search & Destroy
* Sophos Anti-Virus - SWEEP
* Anti-Trojan - Infection Monitor
* Norton AntiVirus
* Registry Editor
* Windows Task Manager
* System Configuration Utility
* Services
* AntiViral Toolkit Pro
* Kaspersky Anti-Virus Scanner
* Ad-aware 6.0 Personal
* System Restore
* WinPatrol
Comment:
* %WINDOWS% refers to the Windows installation folder, by default it is:
o C:\Windows (Windows 95, 98, Me, XP)
o C:\Winnt (Windows NT, 2000)
* %SYSTEM% refers to Windows system folder, by default it is:
o C:\Windows\System (Windows 95, 98, Me)
o C:\Winnt\system32 (Windows NT, 2000)
o C:\Windows\System32 (Windows XP)
* %USERPROFILE% refers to the current user's profile folder, by default it is C:\Documents and Settings\[Actual User] (it may differ - depends on the particular language)
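
A triage check for the registry changes listed above, as an added example that is not part of the original post or of Avast's write-up: it parses the text of a `.reg` export and flags the Run/RunServices entries and the policy values named in the description. The function name, the sample export and its benign `SecurityHealth` entry are constructed for illustration.

```python
import re

# Indicators copied from the description above.
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)
DROPPED = ("\\exit to dosprompt.pif", "\\autorun.bat")
LOCKOUT = {"disabletaskmgr", "disableregistrytools", "nofolderoptions",
           "nofind", "nofindfiles"}

SECTION = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\Key]
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data

def scan_reg_export(text):
    """Return (kind, key, value_name, data) tuples found in .reg export text."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE.match(line)
        if not (m and key):
            continue
        name, data = m.group(1), m.group(2)
        lkey = key.lower()
        if lkey in RUN_KEYS:
            # .reg files escape backslashes; undo that before comparing paths.
            target = data.strip('"').replace("\\\\", "\\").lower()
            if target.endswith(DROPPED):
                findings.append(("persistence", key, name, data))
        elif "\\policies\\" in lkey and name.lower() in LOCKOUT:
            # The value may be stored as a string "1" or as a DWORD of 1.
            if data in ('"1"', "dword:00000001"):
                findings.append(("lockout", key, name, data))
    return findings

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOYPI_KANG_ASTI"="C:\\Windows\\Exit to DosPrompt.pif"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
'''
```

`reg export` writes UTF-16 text, so decode the file (for example with `open(path, encoding="utf-16")`) before passing its contents to `scan_reg_export`.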