Win32:Gatina-B

Win32:Gatina-B is a mass mailing worm which can disable some system functions and can block some security related applications.

Summary
Type Worm
Aliases Worm/Pintae.A, W32.Pintae.A@mm, W32/Sillyworm.WI,
W32/Namuki, W32/Vanneo.B.worm
VPS version February 12, 2007 (0712-7)
Platform Windows
File size 40,960 bytes

Description

When Win32:Gatina-B is launched, it copies itself into following files:

  • %USERPROFILE%\Start Menu\Programs\Startup\MSKernell.bat
  • %SYSTEM%\AutoRun.bat
  • %WINDOWS%\Exit to DosPrompt.pif
  • %WINDOWS%\Mails\DATA.DOC.exe
  • %WINDOWS%\Mails\DOCUMENT.DOC.exe
  • %WINDOWS%\Mails\INFO.DOC.exe
  • %WINDOWS%\Mails\README.DOC.exe
  • %WINDOWS%\Mails\TAETAE.TXT.exe

Win32:Gatina-B then writes new registry entries to make sure it is launched every time Windows starts: 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NOYPI_KANG_ASTI = "%WINDOWS%\Exit to DosPrompt.pif"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taetae = "%WINDOWS%\Exit to DosPrompt.pif"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\TANG_INA_MO = "%SYSTEM%\AutoRun.bat"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\taengtae = "%SYSTEM%\AutoRun.bat"

Win32:Gatina-B changes some other registry entries to disable system related functions, mainly administration tools: 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions NoFindFiles = "1"

Win32:Gatina-B  is a mass mailing worm. It sends itself as an infected attachment to email addresses found in Windows Address Book. The following characteristics describe how an infected email can look like:

  1. From (one of the following)
    • astig@hotmail.com
    • noypi@pinoy.com
    • Tae@Tae.com
    • vaNNeo@viruz.com
    • victim@victim.com
    • viruz@yahoo.com
    • lady_juana_cute@hotmail.com
  2. Subject (one of the following):
    • CDO.Message
    • FILIPINO'S SECRETS
    • My Documents
    • My Victim
    • New Virus Information
    • Philippines Government Top Secret
    • TaeTae Virus Information
  3. Message body (one of the following):
    • Hi! Look the Attach Document for more details about FILIPINOS...
    • HOY! PINOY AKO! BUO AKING LOOB MAY AGIMAT AKO... FOR MORE LYRICS CHECK THE ATTACH FILE...
    • If your computer has been infected by TaeTae Virus. Open the attach file and follow the instruction to remove the virus...
    • LYRICS OF BAMBOO AND OTHER BOY BAND
    • Please read the attach file for more information about computer virus...
    • The Government of the Philippines revealed the truth. For more information please read the Attach file...
  4. Attachment filename (one of the following):
    • DATA.DOC.exe
    • DOCUMENT.DOC.exe
    • INFO.DOC.exe
    • README.DOC.exe
    • TAETAE.TXT.exe

Win32:Gatina-B kills and blocks some applications/processes/windows from the following list. These applications are security related applications and system administration applications/windows. 

  • Norton
  • AVP Monitor
  • Sygate Personal Firewall Pro
  • BitDefender
  • NOD32 Antivirus Program - [My Profile]
  • NOD32 Control Center
  • eTrust Antivirus - Local Scanner
  • F-Secure Anti-Virus
  • My Computer
  • Registry Monitor
  • Kaspersky Anti-Virus Monitor
  • HijackThis
  • Anti-Virus
  • BlackICE
  • Process Explorer - Sysinternals: www.sysinternals.com
  • Registry Monitor - Sysinternals: www.sysinternals.com
  • Norton AntiVirus Porfessional
  • Windows Security Center
  • Windows Firewall
  • Control Panel
  • Run"Turn Off Computer
  • Log off Windows
  • Command Prompt
  • Kaspersky Anti-Virus personal
  • AVG E-Mail Server Edition - Advanced Interface
  • AVG E-mail Server Edition - Basic Interface
  • AVG E-mail Server Edition - Control Centerr
  • Pop3trap
  • Ad-Aware SE Personal
  • Spybot - Search & Destroy
  • Sophos Anti-Virus - SWEEP
  • Anti-Trojan - Infection Monitor
  • Norton AntiVirus
  • Registry Editor
  • Windows Task Manager
  • System Configuration Utility
  • Services
  • AntiViral Toolkit Pro
  • Kaspersky Anti-Virus Scanner
  • Ad-aware 6.0 Personal
  • System Restore
  • WinPatrol

 

    Comment:
  • %WINDOWS% refers ro Windows instalation folder, by default it is:
    • C:\Windows (Windows 95, 98, Me, XP)
    • C:\Winnt (Windows NT, 2000)
  • %SYSTEM% refers to Windows system folder, by default it is:
    • C:\Windows\System (Windows 95, 98, Me)
    • C:\Winnt\system32 (Windows NT, 2000)
    • C:\Windows\System32 (Windows XP)
  • %USERPROFILE% refers to actual user profile, by default it is C:\Document and Settings\[Actual User] (it may differ - depends on the particular language)

Detection/Removal

avast! with VPS file 0712-7 or newer, dated on or after 12. of February 2007, is capable to detect and clean this worm.

Viruses
Viruses in the Wild Virus Database History Summary of Virus Reports Eicar Test File
Subscription Services
VPS Subscription Service
avast! Home Registration
avast! 4 Home for free non-commercial use free - link to registration page
Home pageWeb site mapPrint this pagePrivacy policy
Copyright © 1988 - 2009 ALWIL Software a.s.
Home page
Viruses  windows viruses  Win32:Gatina-B