From: Sophos Alert System

Name: W32/Gatina-A
Aliases: Email-Worm.Win32.Gatina.a, W32/Namuki, W32.Filukin.A@mm
Type: Win32 worm
Date: 30 June 2005

Sophos has issued protection for W32/Gatina-A. At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about W32/Gatina-A can be found at:
http://www.sophos.com/virusinfo/analyses/w32gatinaa.html

W32/Gatina-A is an email and network worm.

The emails sent by the worm have forged "From:" addresses and the following characteristics:

Subject line:
FILIPINO'S SECRETS
LYRICS OF BAMBOO AND OTHER BOY BAND
Philippines Government Top Secret
New Virus Information
Ukinnam Virus Information

Message text:
Hi! Look the Attach Document for more details about FILIPINOS...
HOY! PINOY AKO! BUO AKING LOOB MAY AGIMAT AKO... FOR MORE LYRICS CHECK THE ATTACH FILE...
The Government of the Philippines revealed the truth. For more information please read the Attach file...
Please read the attach file for more information about computer virus...
If your computer has been infected by Ukinnam Virus. Open the attach file and follow the instruction to remove the virus..

Attached file:
README.DOC.exe
INFO.DOC.exe
TAETAE.TXT.exe
DATA.DOC.exe

W32/Gatina-A collects email addresses from files whose extension is HTT, HTM, HTML, HTA, HTE, HTX, SHTML, STM, ASP, XML, DOC, RTF, TXT, DBX, PHP, PHP3, PTHML, JSP, SQL, EML, INI, TBB or TBI.
When first run W32/Gatina-A copies itself to:
<Startup>\MSKernell.bat
<Windows>\Exit to DosPrompt.pif
<System>\AutoRun.bat

The following registry entries are created to run Exit to DosPrompt.pif and AutoRun.bat on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NOYPI_KANG_ASTIG
<Windows>\Exit to DosPrompt.pif

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TANG_INA_MO
<System>\AutoRun.bat

W32/Gatina-A closes applications whose title matches any of the following:
Ad-aware 6.0 Personal
Ad-Aware SE Personal
Anti-Trojan - Infection Monitor
Anti-Virus
AntiViral Toolkit Pro
AVG E-Mail Server Edition - Advanced Interface
AVG E-Mail Server Edition - Basic Interface
AVG E-Mail Server Edition - Control Centerr
AVP
AVP Monitor
BitDefender
BitDefender Sheild
BlackICE
Command Prompt
Control Panel
eTrust Antivirus - Local Scanner
F-Secure Anti-Virus
HijackThis
Kaspersky Anti-Virus Monitor
Kaspersky Anti-Virus personal
Kaspersky Anti-Virus Scanner
My Computer
My Documents
NOD32 Antivirus Program - [My Profile]
NOD32 Control Center
Norton
Norton Antivirus
Norton AntiVirus Porfessional
Pop3trap
Process Explorer - Sysinternals: www.sysinternals.com
Registry Editor
Registry Monitor
Registry Monitor - Sysinternals: www.sysinternals.com
Services
Sophos Anti-Virus - SWEEP
Spybot - Search & Destroy
Sygate Personal Firewall Pro
System Configuration Utility
System Restore
Windows Firewall
Windows Security Center
Windows Task Manager
WinPatrol

W32/Gatina-A also attempts to spread to other network computers via network shares as a file named README.EXE.
The W32/Gatina-A virus identity file (IDE) includes detection for:

Troj/ServU-AZ
http://www.sophos.com/virusinfo/analyses/trojservuaz.html

Troj/Dloader-PO
http://www.sophos.com/virusinfo/analyses/trojdloaderpo.html

W32/Sdbot-ZW
http://www.sophos.com/virusinfo/analyses/w32sdbotzw.html

Troj/Lineage-V
http://www.sophos.com/virusinfo/analyses/trojlineagev.html

W32/ParaDrop-A
http://www.sophos.com/virusinfo/analyses/w32paradropa.html

Troj/Multidr-DR
http://www.sophos.com/virusinfo/analyses/trojmultidrdr.html

W32/Kelvir-BR
http://www.sophos.com/virusinfo/analyses/w32kelvirbr.html

Troj/QQRob-E
http://www.sophos.com/virusinfo/analyses/trojqqrobe.html

Troj/LdPinch-BF
http://www.sophos.com/virusinfo/analyses/trojldpinchbf.html

Troj/Progent-A
http://www.sophos.com/virusinfo/analyses/trojprogenta.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Gatina-A from:
http://www.sophos.com/downloads/ide/gatina-a.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
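As an added example (not part of the Sophos alert or of Mike's post), the Python below turns the indicators quoted above, the two Run values with the files they point at and the lure subjects and attachment names, into two checks a defender can run: one over a "reg export" of the Run key, one over a message's subject and attachment names. The sample registry export is constructed, and the double-extension pattern generalises beyond the four attachment names the advisory lists.

```python
import re

# Indicators quoted from the Sophos W32/Gatina-A advisory above.
RUN_VALUES = {                      # value name -> file the data must end with
    "NOYPI_KANG_ASTIG": r"\Exit to DosPrompt.pif",
    "TANG_INA_MO": r"\AutoRun.bat",
}
ATTACHMENTS = {"readme.doc.exe", "info.doc.exe", "taetae.txt.exe", "data.doc.exe"}
SUBJECTS = {
    "filipino's secrets", "lyrics of bamboo and other boy band",
    "philippines government top secret", "new virus information",
    "ukinnam virus information",
}
# Generalisation beyond the advisory: a document-looking name that really ends in an executable type.
DOUBLE_EXT = re.compile(r"\.(doc|txt|htm|html|rtf|pdf)\.(exe|pif|bat|scr|com)$", re.I)

# Constructed sample of a "reg export" of the Run key on an infected host (not from the page).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"NOYPI_KANG_ASTIG"="C:\\WINDOWS\\Exit to DosPrompt.pif"
"TANG_INA_MO"="C:\\WINDOWS\\system32\\AutoRun.bat"
"""

def check_run_key(reg_export):
    """Return (value name, path) pairs in a .reg export that match the worm's Run entries."""
    hits = []
    for line in reg_export.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if not m:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
        if name in RUN_VALUES and data.lower().endswith(RUN_VALUES[name].lower()):
            hits.append((name, data))
    return hits

def check_mail(subject, attachment_names):
    """Return the reasons a message matches the worm's lure subjects or attachment names."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append("subject matches worm lure")
    for name in attachment_names:
        if name.lower() in ATTACHMENTS:
            reasons.append("known worm attachment: " + name)
        elif DOUBLE_EXT.search(name):
            reasons.append("double-extension executable: " + name)
    return reasons
```

On a real host, feed check_run_key the output of "reg export" for both the HKLM and HKCU Run keys; the value names alone are a strong enough match that the path check is there mainly to avoid a false positive on a renamed but harmless entry.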