Win32/Gataka [Threat Name] go to Threat

Win32/Gataka.B [Threat Variant Name]

Category trojan
Size 204800 B
Detection created May 08, 2012
Detection database version 7120
Aliases Trojan-Dropper.Win32.Injector.fbjt (Kaspersky)
  Trojan:Win32/Gataka.D (Microsoft)
  BackDoor.Hermes.158 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\­%variable1%\­{%variableguid1%}\­%variable2%.exe

The trojan creates the following files:

  • %appdata%\­%variable3%\­{%variableguid2%}\­%variableguid3%.dat

The %variable1-3% is one of the following strings:

  • Adobe
  • Apple
  • Dropbox
  • Google
  • Google Inc.
  • ICQ
  • Identities
  • LicenseValidator
  • Macromedia
  • Media Center Program
  • Media Player Classic
  • Microsoft
  • Microsoft Corporation
  • Mozilla
  • NtCoreDefender
  • NtGarbageCollector
  • Opera
  • RdcRpcController
  • RpcLowAccessPipe
  • RpcLowReader
  • RpcNtComm
  • RpcSearchIndexer
  • RpcSchedule
  • RpcWin32Router
  • RpcWin32Service
  • renovator
  • SearchHelper
  • Skype
  • Sun
  • TeamViewer
  • Upgrade
  • UpgradeHelper
  • UpgradeChecker
  • Validator
  • vlc
  • Win16Communicator
  • Win32Defender
  • Win32GlobalFinder
  • Win32RpcAccessCtrl
  • Win32RpcDecrypt
  • Win32Scheduler
  • Win32UserFinder
  • Win64Expected
  • Win64GarbageCollector
  • Windows Desktop Search
  • Windows Search
  • WindowsRpcAccess
  • WinRAR

The %variableguid1-3% represents a random number.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable2%" = "%appdata%\­%variable1%\­{%variableguid1%}\­%variable2%.exe"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "StartCurrId" = "%variable4%"
    • "StartCurrMask" = "%variable5%"
    • "StartMainId" = "%variable6%"
    • "StartMainMask" = "%variable7%"
    • "PersistFile" = "%variable8%"
    • "PersistFolder" = "%variable9%"
    • "StartProcIrq" = "%variable10%"
    • "StartMenuMask" = "%variable11%"
    • "StartUrlId" = "%variable12%"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­StartPage]
    • "ReserveProgram" = %hexvalue%

A string with variable content is used instead of %variable4-12% .


The trojan creates and runs a new thread with its own program code in all running processes.


After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send files to a remote computer
  • set up a proxy server
  • monitor network traffic
  • modify network traffic
  • modify website content
  • open a specific URL address
  • send gathered information

The trojan hooks the following Windows APIs:

  • CreateProcessA (kernel32.dll)
  • CreateProcessW (kernel32.dll)
  • CreateProcessAsUserA (advapi32.dll)
  • CreateProcessAsUserW (advapi32.dll)

The trojan executes the following files:

  • "%programfiles%\­Internet Explorer\­iexplore.exe" about:blank

Please enable Javascript to ensure correct displaying of this content and refresh this page.