Win32/Gataka [Threat Name] go to Threat

Win32/Gataka.C [Threat Variant Name]

Category trojan
Size 483328 B
Detection created Sep 29, 2012
Detection database version 10881
Aliases Trojan.Win32.Yakes.bani (Kaspersky)
  Trojan:Win32/Gataka.D (Microsoft)
  Win32:Rootkit-gen (Avast)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %appdata%\­%foldername%\­{%variable1%}\­%filename%.exe

The %foldername% is one of the following strings:

  • Adobe
  • AppData
  • Apple
  • Dropbox
  • Google
  • Google Inc.
  • ICQ
  • Identities
  • Macromedia
  • Media Center Programs
  • Media Player Classic
  • Microsoft
  • Microsoft Corporation
  • Mozilla
  • Opera
  • Skype
  • Sun
  • TeamViewer
  • vlc
  • Windows Desktop Search
  • Windows Search
  • WinRAR

The %filename% is one of the following strings:

  • Upgrade
  • renovator
  • Validator
  • UpgradeHelper
  • UpgradeChecker
  • LicenseValidator

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%filename%" = "%appdata%\­%foldername%\­{%variable1%}\­%filename%.exe"

The trojan launches the following processes:

  • %windir%\­syswow64\­explorer.exe
  • %programfiles%\­Internet Explorer\­iexplore.exe

The trojan creates and runs a new thread with its own program code in all running processes.

The trojan creates the following file:

  • %appdata%\­%foldername%\­{%variable1%}\­%variable2%.dat (483328 B)

A string with variable content is used instead of %variable1-2% .

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • operating system version
  • information about the operating system and system settings
  • antivirus software detected on the affected machine
  • installed firewall application

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan serves as a backdoor. It can be controlled remotely.

The trojan contains a list of (4) URLs. The trojan generates various URL addresses. The HTTP protocol is used.

It can execute the following operations:

  • uninstall itself
  • update itself to a newer version
  • delete Registry entries
  • create Registry entries
  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer]
    • "Browse Folders"
    • "Browse Files"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­StartPage]
    • "CustomBarMenu"
    • "ModulesCache"
    • "AdvancedImages"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "PersistFile"
    • "PersistFolder"
    • "StartProcIrq"
    • "PackageStore"
    • "StartCurrId"
    • "StartMainId"
    • "StartCurrMask"
    • "StartMainMask"
    • "StartUrlId"

The trojan hooks the following Windows APIs:

  • CreateProcessA (kernel32.dll)
  • CreateProcessW (kernel32.dll)
  • CreateProcessAsUserA (advapi32.dll)
  • CreateProcessAsUserW (advapi32.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.