Win32/Gataka [Threat Name]

Win32/Gataka.A [Threat Variant Name]

Category trojan
Size 326144 B
Detection created Feb 09, 2012
Detection database version 6873
Aliases Trojan.Win32.Agentb.gc (Kaspersky)
  Trojan:Win32.Gataka.A (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\%variable1%\{%variableguid1%}\%variable2%.exe (326144 B)

The trojan creates the following files:

  • %appdata%\%variable3%\{%variableguid2%}\%variableguid3%.dat (326144 B)

%variable1-3% is one of the following strings:

  • Adobe
  • Apple
  • Dropbox
  • Google
  • Google Inc.
  • ICQ
  • Identities
  • LicenseValidator
  • Macromedia
  • Media Center Program
  • Media Player Classic
  • Microsoft
  • Microsoft Corporation
  • Mozilla
  • NtCoreDefender
  • NtGarbageCollector
  • Opera
  • RdcRpcController
  • RpcLowAccessPipe
  • RpcLowReader
  • RpcNtComm
  • RpcSearchIndexer
  • RpcSchedule
  • RpcWin32Router
  • RpcWin32Service
  • renovator
  • SearchHelper
  • Skype
  • Sun
  • TeamViewer
  • Upgrade
  • UpgradeHelper
  • UpgradeChecker
  • Validator
  • vlc
  • Win16Communicator
  • Win32Defender
  • Win32GlobalFinder
  • Win32RpcAccessCtrl
  • Win32RpcDecrypt
  • Win32Scheduler
  • Win32UserFinder
  • Win64Expected
  • Win64GarbageCollector
  • Windows Desktop Search
  • Windows Search
  • WindowsRpcAccess
  • WinRAR

%variableguid1-3% represents a random number.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%appdata%\%variable1%\{%variableguid1%}\%variable2%.exe"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "StartCurrId" = "%variable4%"
    • "StartCurrMask" = "%variable5%"
    • "StartMainId" = "%variable6%"
    • "StartMainMask" = "%variable7%"
    • "PersistFile" = "%variable8%"
    • "PersistFolder" = "%variable9%"
    • "StartProcIrq" = "%variable10%"
    • "StartMenuMask" = "%variable11%"
    • "StartUrlId" = "%variable12%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage]
    • "ReserveProgram" = %hexvalue%

A string with variable content is used instead of %variable4-12%.
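As an added defender-side example (not part of this threat description), the following Python script checks exported Run values and Explorer\Advanced value names against the install-path shape and the value names listed above. The registry sample data is constructed for the example; the folder and file-stem list is the one given on this page.

```python
import re

# Folder / file stems the trojan picks %variable1-3% from (the list on this page).
GATAKA_NAMES = {
    "Adobe", "Apple", "Dropbox", "Google", "Google Inc.", "ICQ", "Identities",
    "LicenseValidator", "Macromedia", "Media Center Program", "Media Player Classic",
    "Microsoft", "Microsoft Corporation", "Mozilla", "NtCoreDefender", "NtGarbageCollector",
    "Opera", "RdcRpcController", "RpcLowAccessPipe", "RpcLowReader", "RpcNtComm",
    "RpcSearchIndexer", "RpcSchedule", "RpcWin32Router", "RpcWin32Service", "renovator",
    "SearchHelper", "Skype", "Sun", "TeamViewer", "Upgrade", "UpgradeHelper", "UpgradeChecker",
    "Validator", "vlc", "Win16Communicator", "Win32Defender", "Win32GlobalFinder",
    "Win32RpcAccessCtrl", "Win32RpcDecrypt", "Win32Scheduler", "Win32UserFinder",
    "Win64Expected", "Win64GarbageCollector", "Windows Desktop Search", "Windows Search",
    "WindowsRpcAccess", "WinRAR",
}
# Value names the trojan may write under Explorer\Advanced (from this page).
GATAKA_ADVANCED_VALUES = {
    "StartCurrId", "StartCurrMask", "StartMainId", "StartMainMask", "PersistFile",
    "PersistFolder", "StartProcIrq", "StartMenuMask", "StartUrlId",
}
# %appdata%\<folder>\{<number>}\<stem>.exe; accepts literal %appdata% or the expanded
# Roaming path, and the page says the braces hold a random number, hence \d+.
_RUN_RE = re.compile(
    r'^"?(?:%appdata%|.*\\appdata\\roaming|.*\\application data)\\'
    r'(?P<folder>[^\\]+)\\\{(?P<guid>\d+)\}\\(?P<stem>[^\\]+)\.exe"?$',
    re.IGNORECASE,
)

def check_run_values(run_values):
    """Return Run value names whose data has the Gataka install-path shape AND whose
    folder, file stem and value name all come from the trojan's string list."""
    hits = []
    for value_name, data in run_values.items():
        m = _RUN_RE.match(data.strip())
        if (m and m.group("folder") in GATAKA_NAMES
                and m.group("stem") in GATAKA_NAMES and value_name == m.group("stem")):
            hits.append(value_name)
    return hits

def check_advanced_values(advanced_value_names):
    """Return the Explorer\\Advanced value names that belong to the trojan's set."""
    return sorted(GATAKA_ADVANCED_VALUES.intersection(advanced_value_names))

# Constructed sample data (not from a real host): one benign entry, one real hit,
# and one entry whose path shape matches but whose names are not on the list.
SAMPLE_RUN = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "RpcLowReader": r"C:\Users\alice\AppData\Roaming\Microsoft\{1833429581}\RpcLowReader.exe",
    "Updater": r"%appdata%\MyApp\{4711}\Updater.exe",
}
SAMPLE_ADVANCED = ["Hidden", "HideFileExt", "StartCurrId", "PersistFolder"]

if __name__ == "__main__":
    print("Run hits:", check_run_values(SAMPLE_RUN))
    print("Advanced hits:", check_advanced_values(SAMPLE_ADVANCED))
```

Feed it the values exported from the HKCU Run and Explorer\Advanced keys of a host under investigation; a path-shape match alone (the "Updater" sample) is deliberately not reported, since the trojan draws all three names from its fixed list.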


The trojan creates and runs a new thread with its own program code in all running processes.

Information stealing

The trojan collects the following information:

  • information about the operating system and system settings
  • file(s) content
  • antivirus software detected on the affected machine
  • installed firewall application

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (3) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send files to a remote computer
  • open a specific URL address
  • send gathered information

The trojan hooks the following Windows APIs:

  • CreateProcessA (kernel32.dll)
  • CreateProcessW (kernel32.dll)
  • CreateProcessAsUserA (advapi32.dll)
  • CreateProcessAsUserW (advapi32.dll)

The trojan executes the following files:

  • "%programfiles%\Internet Explorer\iexplore.exe" about:blank
