Sophos

W32/Gatina-A

Aliases
  • Email-Worm.Win32.Gatina.a
  • W32/Namuki
  • W32.Filukin.A@mm

Summary

How it spreads
  • Email attachments
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 30 June 2005 06:37:10 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

More Information

W32/Gatina-A is an email and network worm.

The emails sent by the worm have forged "From:" addresses and the following characteristics:

Subject line:

FILIPINO'S SECRETS

LYRICS OF BAMBOO AND OTHER BOY BAND

Philippines Government Top Secret

New Virus Information

Ukinnam Virus Information

Message text:

Hi! Look the Attach Document for more details about FILIPINOS...

HOY! PINOY AKO! BUO AKING LOOB MAY AGIMAT AKO... FOR MORE LYRICS CHECK THE ATTACH FILE...

The Government of the Philippines revealed the truth. For more information please read the Attach file...

Please read the attach file for more information about computer virus...

If your computer has been infected by Ukinnam Virus. Open the attach file and follow the instruction to remove the virus..

Attached file:

README.DOC.exe
INFO.DOC.exe
TAETAE.TXT.exe
DATA.DOC.exe
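The attachment names above all follow the same double-extension pattern: a document-looking extension (.DOC, .TXT) followed by the executable extension Windows actually honours. The following Python check is an added example, not part of the Sophos description, showing how a mail gateway or triage script can flag such names; the four attachment names are reused as constructed sample input, and the sets of decoy and executable extensions are my own assumptions, not a list from the page.

```python
import os
from typing import List, Optional, Tuple

# Attachment names listed in the W32/Gatina-A description, used here as sample input
GATINA_ATTACHMENTS = ["README.DOC.exe", "INFO.DOC.exe", "TAETAE.TXT.exe", "DATA.DOC.exe"]

# Assumed lists: final extensions Windows executes on double-click, and inner
# "decoy" extensions that make a name look like a harmless document.
EXECUTABLE_EXTS = {".exe", ".pif", ".bat", ".scr", ".com", ".cmd"}
DECOY_EXTS = {".doc", ".txt", ".pdf", ".xls", ".htm", ".html", ".jpg"}


def split_extensions(filename: str) -> Tuple[str, str]:
    """Return (inner, last) extensions of a name, lower-cased; '' when absent.

    'README.DOC.exe' -> ('.doc', '.exe'); 'setup.exe' -> ('', '.exe').
    """
    base, last = os.path.splitext(filename.lower())
    _, inner = os.path.splitext(base)
    return inner, last


def lure_reason(filename: str) -> Optional[str]:
    """Explain why a name is a double-extension lure, or None if it is not."""
    inner, last = split_extensions(filename)
    if last not in EXECUTABLE_EXTS:
        return None  # not executable: a plain document is not a lure
    if inner in DECOY_EXTS:
        return f"document extension {inner} hides executable extension {last}"
    return None


def is_double_extension_lure(filename: str) -> bool:
    return lure_reason(filename) is not None


def flag_attachments(names: List[str]) -> List[str]:
    """Return the subset of attachment names that look like double-extension lures."""
    return [n for n in names if is_double_extension_lure(n)]


if __name__ == "__main__":
    for name in GATINA_ATTACHMENTS + ["report.doc", "setup.exe"]:
        print(f"{name:20} -> {lure_reason(name) or 'ok'}")
```

Note that a bare executable such as setup.exe is deliberately not flagged here: the point of the check is the mismatch between the advertised and the effective extension, which is what makes these worm attachments convincing to a user who has "Hide extensions for known file types" enabled.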

W32/Gatina-A collects email addresses from files whose extension is HTT, HTM, HTML, HTA, HTE, HTX, SHTML, STM, ASP, XML, DOC, RTF, TXT, DBX, PHP, PHP3, PTHML, JSP, SQL, EML, INI, TBB or TBI.

When first run W32/Gatina-A copies itself to:

<Startup>\MSKernell.bat
<Windows>\Exit to DosPrompt.pif
<System>\AutoRun.bat

The following registry entries are created to run Exit to DosPrompt.pif and AutoRun.bat on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NOYPI_KANG_ASTIG
<Windows>\Exit to DosPrompt.pif

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TANG_INA_MO
<System>\AutoRun.bat
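The removal procedure earlier on this page asks you to export the registry with Regedit and then find any Run value that still points at a deleted file. Since the worm's two Run values and its dropped file names are given above, that search can be automated against the exported .reg file. The script below is an added example, not Sophos's own tooling: it parses the text of a Regedit export, lists the Run values that reference the worm's names or files, and writes a .reg fragment that deletes just those values (the `"Name"=-` syntax is Regedit's own for removing a value). The sample export is constructed inline; the benign `ctfmon.exe` entry in it is there only to show that unrelated values are left alone.

```python
import re
from typing import Dict, List, Tuple

# Run key from the description, spelled out the way Regedit exports it
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Value names and dropped file names taken from the W32/Gatina-A description
GATINA_VALUE_NAMES = {"NOYPI_KANG_ASTIG", "TANG_INA_MO"}
GATINA_FILE_NAMES = {"exit to dosprompt.pif", "autorun.bat", "mskernell.bat"}

# Constructed sample of a Regedit export (string data has backslashes doubled)
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOYPI_KANG_ASTIG"="C:\\WINDOWS\\Exit to DosPrompt.pif"
"TANG_INA_MO"="C:\\WINDOWS\\system32\\AutoRun.bat"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"=hex(2):43,00,00,00
"""

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] / "name"="value" lines into {key: {name: value}}.

    Only string (REG_SZ) values are decoded; hex/dword lines are skipped.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # Regedit escapes quotes and backslashes inside string data
            value = m.group("value").replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group("name")] = value
    return keys


def find_gatina_run_entries(text: str) -> List[Tuple[str, str]]:
    """Return (value name, data) pairs under the Run key that match the worm."""
    hits = []
    for key, entries in parse_reg_export(text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, value in entries.items():
            # compare on the file name only, since the drop directory varies
            filename = value.strip('"').rsplit("\\", 1)[-1].lower()
            if name in GATINA_VALUE_NAMES or filename in GATINA_FILE_NAMES:
                hits.append((name, value))
    return hits


def removal_reg(hits: List[Tuple[str, str]]) -> str:
    """Build a .reg file that deletes only the matched values ("Name"=-)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{RUN_KEY}]"]
    lines += [f'"{name}"=-' for name, _ in hits]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_gatina_run_entries(SAMPLE_EXPORT)
    for name, value in found:
        print(f"{name} -> {value}")
    print(removal_reg(found))
```

Run it against a real export only after the dropped files themselves have been deleted, as the page's procedure describes; the generated fragment removes the Run values and nothing else, so the backup you took before editing still covers any mistake.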

W32/Gatina-A closes applications whose title matches any of the following:

Ad-aware 6.0 Personal
Ad-Aware SE Personal
Anti-Trojan - Infection Monitor
Anti-Virus
AntiViral Toolkit Pro
AVG E-Mail Server Edition - Advanced Interface
AVG E-Mail Server Edition - Basic Interface
AVG E-Mail Server Edition - Control Centerr
AVP
AVP Monitor
BitDefender
BitDefender Sheild
BlackICE
Command Prompt
Control Panel
eTrust Antivirus - Local Scanner
F-Secure Anti-Virus
HijackThis
Kaspersky Anti-Virus Monitor
Kaspersky Anti-Virus personal
Kaspersky Anti-Virus Scanner
My Computer
My Documents
NOD32 Antivirus Program - [My Profile]
NOD32 Control Center
Norton
Norton Antivirus
Norton AntiVirus Porfessional
Pop3trap
Process Explorer - Sysinternals: www.sysinternals.com
Registry Editor
Registry Monitor
Registry Monitor - Sysinternals: www.sysinternals.com
Services
Sophos Anti-Virus - SWEEP
Spybot - Search & Destroy
Sygate Personal Firewall Pro
System Configuration Utility
System Restore
Windows Firewall
Windows Security Center
Windows Task Manager
WinPatrol

W32/Gatina-A also attempts to spread to other network computers via network shares as a file named README.EXE.
