[virusinfo] W32/Gatina-A

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Thu, 30 Jun 2005 09:34:54 -0700

From: Sophos Alert System:

Name: W32/Gatina-A
Aliases: Email-Worm.Win32.Gatina.a, W32/Namuki, W32.Filukin.A@mm
Type: Win32 worm
Date: 30 June 2005

Sophos has issued protection for W32/Gatina-A.

At the time of writing, Sophos has received no reports from
users affected by this worm. However, we have issued this
advisory following enquiries to our support department from
customers.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about W32/Gatina-A can be found at:
http://www.sophos.com/virusinfo/analyses/w32gatinaa.html

W32/Gatina-A is an email and network worm.

The emails sent by the worm have forged "From:" addresses and the following
characteristics:

Subject line:
FILIPINO'S SECRETS
LYRICS OF BAMBOO AND OTHER BOY BAND
Philippines Government Top Secret
New Virus Information
Ukinnam Virus Information

Message text:
Hi! Look the Attach Document for more details about FILIPINOS...
HOY! PINOY AKO! BUO AKING LOOB MAY AGIMAT AKO... FOR MORE LYRICS CHECK THE
ATTACH FILE...
The Government of the Philippines revealed the truth. For more information
please read the Attach file...
Please read the attach file for more information about computer virus...
If your computer has been infected by Ukinnam Virus. Open the attach file and
follow the instruction to remove the virus..

Attached file:
README.DOC.exe
INFO.DOC.exe
TAETAE.TXT.exe
DATA.DOC.exe

W32/Gatina-A collects email addresses from files whose extension is HTT, HTM,
HTML, HTA, HTE, HTX, SHTML, STM, ASP, XML, DOC, RTF, TXT, DBX, PHP, PHP3,
PTHML, JSP, SQL, EML, INI, TBB or TBI.

When first run W32/Gatina-A copies itself to:
<Startup>\MSKernell.bat
<Windows>\Exit to DosPrompt.pif
<System>\AutoRun.bat

The following registry entries are created to run Exit to DosPrompt.pif and
AutoRun.bat on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NOYPI_KANG_ASTIG
<Windows>\Exit to DosPrompt.pif

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TANG_INA_MO
<System>\AutoRun.bat

W32/Gatina-A closes applications whose title matches any of the following:
Ad-aware 6.0 Personal
Ad-Aware SE Personal
Anti-Trojan - Infection Monitor
Anti-Virus
AntiViral Toolkit Pro
AVG E-Mail Server Edition - Advanced Interface
AVG E-Mail Server Edition - Basic Interface
AVG E-Mail Server Edition - Control Centerr
AVP
AVP Monitor
BitDefender
BitDefender Sheild
BlackICE
Command Prompt
Control Panel
eTrust Antivirus - Local Scanner
F-Secure Anti-Virus
HijackThis
Kaspersky Anti-Virus Monitor
Kaspersky Anti-Virus personal
Kaspersky Anti-Virus Scanner
My Computer
My Documents
NOD32 Antivirus Program - [My Profile]
NOD32 Control Center
Norton
Norton Antivirus
Norton AntiVirus Porfessional
Pop3trap
Process Explorer - Sysinternals: www.sysinternals.com
Registry Editor
Registry Monitor
Registry Monitor - Sysinternals: www.sysinternals.com
Services
Sophos Anti-Virus - SWEEP
Spybot - Search & Destroy
Sygate Personal Firewall Pro
System Configuration Utility
System Restore
Windows Firewall
Windows Security Center
Windows Task Manager
WinPatrol

W32/Gatina-A also attempts to spread to other network computers via network
shares as a file named README.EXE.

The W32/Gatina-A virus identity file (IDE) includes detection for:

Troj/ServU-AZ
http://www.sophos.com/virusinfo/analyses/trojservuaz.html
Troj/Dloader-PO
http://www.sophos.com/virusinfo/analyses/trojdloaderpo.html
W32/Sdbot-ZW
http://www.sophos.com/virusinfo/analyses/w32sdbotzw.html
Troj/Lineage-V
http://www.sophos.com/virusinfo/analyses/trojlineagev.html
W32/ParaDrop-A
http://www.sophos.com/virusinfo/analyses/w32paradropa.html
Troj/Multidr-DR
http://www.sophos.com/virusinfo/analyses/trojmultidrdr.html
W32/Kelvir-BR
http://www.sophos.com/virusinfo/analyses/w32kelvirbr.html
Troj/QQRob-E
http://www.sophos.com/virusinfo/analyses/trojqqrobe.html
Troj/LdPinch-BF
http://www.sophos.com/virusinfo/analyses/trojldpinchbf.html
Troj/Progent-A
http://www.sophos.com/virusinfo/analyses/trojprogenta.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Gatina-A from:

http://www.sophos.com/downloads/ide/gatina-a.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
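The advisory above gives enough of the worm's mail characteristics (fixed subject lines, fixed attachment names, and the "document.DOC.exe" double-extension trick) to write a simple gateway-side check. The following is an added example, not code from Sophos or from Mike's post: it classifies messages against the Gatina-A indicators quoted above and, more generally, flags any attachment whose name hides an executable extension behind a document-looking one. The three sample messages are constructed here for illustration and are not captured samples; the sender addresses and the small helper functions are assumptions of this example.

```python
import re
from email.message import EmailMessage

# Indicators copied from the Sophos W32/Gatina-A description above.
GATINA_SUBJECTS = {
    "FILIPINO'S SECRETS",
    "LYRICS OF BAMBOO AND OTHER BOY BAND",
    "Philippines Government Top Secret",
    "New Virus Information",
    "Ukinnam Virus Information",
}
GATINA_ATTACHMENTS = {"README.DOC.exe", "INFO.DOC.exe", "TAETAE.TXT.exe", "DATA.DOC.exe"}

# Generic check (this example's own rule, not from the advisory): a name with
# two extensions whose final one is executable, e.g. "report.pdf.scr".
EXEC_EXTS = {"exe", "pif", "scr", "bat", "com", "cmd", "vbs"}
DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+)\.(?P<inner>[a-z0-9]{2,5})\.(?P<outer>[a-z0-9]{2,4})$", re.IGNORECASE
)


def deceptive_double_extension(filename):
    """True if the name looks like a document but its final extension is executable."""
    m = DOUBLE_EXT.match(filename.strip())
    if not m:
        return False
    return m.group("outer").lower() in EXEC_EXTS


def attachment_names(msg):
    """Collect the filenames of all attachment parts of a message."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def classify(msg):
    """Return the list of reasons a message is suspicious (empty list = clean)."""
    reasons = []
    subject = (msg["Subject"] or "").strip()
    if subject in GATINA_SUBJECTS:
        reasons.append(f"subject matches W32/Gatina-A: {subject!r}")
    for name in attachment_names(msg):
        if name in GATINA_ATTACHMENTS:
            reasons.append(f"attachment name matches W32/Gatina-A: {name}")
        elif deceptive_double_extension(name):
            reasons.append(f"deceptive double extension: {name}")
    return reasons


def build_message(sender, subject, body, attachment=None):
    """Build a constructed sample message (hypothetical, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


# Constructed samples: one mimicking the advisory, one with the same trick under
# a different name, and one benign message with a real PDF attachment.
SAMPLES = {
    "gatina": build_message("forged@example.invalid", "New Virus Information",
                            "Please read the attach file for more information about computer virus...",
                            ("INFO.DOC.exe", b"MZ\x90\x00")),
    "variant": build_message("someone@example.invalid", "Quarterly report",
                             "See attached.", ("report.pdf.scr", b"MZ\x90\x00")),
    "clean": build_message("colleague@example.invalid", "Quarterly report",
                           "See attached.", ("report.pdf", b"%PDF-1.4")),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, classify(msg) or "clean")
```

The exact-match lists only catch this one worm; the double-extension rule is the part worth keeping, since the same naming trick reappears in later mass-mailers regardless of subject line. Note that the rule deliberately ignores the forged "From:" address, which the advisory says cannot be trusted.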
