W32/Gatina-B


Summary

 
How it spreads
  • Email messages
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 24 May 2007 04:08:19 (GMT)
Detected by All Sophos products

More Information

W32/Gatina-B is an email and network worm.

The emails sent by the worm have forged "From:" addresses and the following characteristics:

Subject line:

  "FILIPINO'S SECRETS"

  "LYRICS OF BAMBOO AND OTHER BOY BAND"

  "Philippines Government Top Secret"

  "New Virus Information"

  "Ukinnam Virus Information"

Message text:

  "Hi! Look the Attach Document for more details about FILIPINOS..."

  "HOY! PINOY AKO! BUO AKING LOOB MAY AGIMAT AKO... FOR MORE LYRICS CHECK THE ATTACH FILE..."

  "The Government of the Philippines revealed the truth. For more information please read the Attach file..."

  "Please read the attach file for more information about computer virus..."

  "If your computer has been infected by Ukinnam Virus. Open the attach file and follow the instruction to remove the virus..."

Attached file:

  README.DOC.exe

  INFO.DOC.exe

  TAETAE.TXT.exe

  DATA.DOC.exe

W32/Gatina-B collects email addresses from files whose extension is HTT, HTM, HTML, HTA, HTE, HTX, SHTML, STM, ASP, XML, DOC, RTF, TXT, DBX, PHP, PHP3, PTHML, JSP, SQL, EML, INI, TBB or TBI.

When first run W32/Gatina-B copies itself to:

<Startup>\MSKernell.bat
<Windows>\Exit to DosPrompt.pif
<Windows>\Mails\DATA.DOC.exe
<Windows>\Mails\DOCUMENT.DOC.exe
<Windows>\Mails\INFO.DOC.exe
<Windows>\Mails\README.DOC.exe
<Windows>\Mails\TAETAE.TXT.exe
<System>\AutoRun.bat

The following registry entries are created to run Exit to DosPrompt.pif and AutoRun.bat on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NOYPI_KANG_ASTIG
<Windows>\Exit to DosPrompt.pif

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
taetae
<Windows>\Exit to DosPrompt.pif

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
TANG_INA_MO
<System>\AutoRun.bat

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
taengtae
<System>\AutoRun.bat

The following registry entries are set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
NoFindFiles
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

W32/Gatina-B closes applications whose title matches any of the following:

  Ad-aware 6.0 Personal
  Ad-Aware SE Personal
  Anti-Trojan - Infection Monitor
  Anti-Virus
  AntiViral Toolkit Pro
  AVG E-Mail Server Edition - Advanced Interface
  AVG E-Mail Server Edition - Basic Interface
  AVG E-Mail Server Edition - Control Centerr
  AVP
  AVP Monitor
  BitDefender
  BitDefender Sheild
  BlackICE
  Command Prompt
  Control Panel
  eTrust Antivirus - Local Scanner
  F-Secure Anti-Virus
  HijackThis
  Kaspersky Anti-Virus Monitor
  Kaspersky Anti-Virus personal
  Kaspersky Anti-Virus Scanner
  My Computer
  My Documents
  NOD32 Antivirus Program
  Norton
  Norton Antivirus
  Norton AntiVirus Porfessional
  Pop3trap
  Process Explorer
  Registry Editor
  Registry Monitor
  Registry Monitor
  Services
  Sophos Anti-Virus - SWEEP
  Spybot - Search & Destroy
  Sygate Personal Firewall Pro
  System Configuration Utility
  System Restore
  Windows Firewall
  Windows Security Center
  Windows Task Manager
  WinPatrol

W32/Gatina-B also attempts to spread to other network computers via network shares as a file named README.EXE.

W32/Gatina-B periodically attempts to copy itself to removable drives, including floppy disks and USB keys, under the following names:

  AutoRun.bat
  Exit to DosPrompt.pif
  ReadMe.scr
  MSKernell.bat
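As an added example (not Sophos tooling and not code from the original analysis), the following PowerShell script checks a host for the autorun values, policy settings and dropped files listed above and reverses them when run with -Remediate. It assumes <Windows> is $env:windir, <System> is the System32 folder and <Startup> is the current user's Startup folder.

```powershell
param([switch]$Remediate)
$findings = @()

# Autorun values the worm creates (keys and value names from the analysis above)
$runValues = @(
  @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Names = @('NOYPI_KANG_ASTIG', 'taetae') },
  @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'; Names = @('TANG_INA_MO', 'taengtae') }
)
foreach ($entry in $runValues) {
  $props = Get-ItemProperty -Path $entry.Key -ErrorAction SilentlyContinue
  foreach ($name in $entry.Names) {
    if ($props -and $props.PSObject.Properties[$name]) {
      $findings += "Autorun value: $($entry.Key)\$name = $($props.$name)"
      if ($Remediate) { Remove-ItemProperty -Path $entry.Key -Name $name }
    }
  }
}

# Policy values the worm sets (Bad) and the value to restore (Good);
# for Hidden, 2 hides hidden files and 1 shows them
$policyValues = @(
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Bad = 1; Good = 0 },
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = 1; Good = 0 },
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFind';               Bad = 1; Good = 0 },
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Bad = 1; Good = 0 },
  @{ Key = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions';  Name = 'NoFindFiles';          Bad = 1; Good = 0 },
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';          Bad = 1; Good = 0 },
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';               Bad = 2; Good = 1 }
)
foreach ($p in $policyValues) {
  $val = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
  if ($val -eq $p.Bad) {
    $findings += "Policy value: $($p.Key)\$($p.Name) = $val"
    if ($Remediate) { Set-ItemProperty -Path $p.Key -Name $p.Name -Value $p.Good }
  }
}

# Dropped files; the <Windows>, <System> and <Startup> placeholders are resolved as assumed above
$startup = [Environment]::GetFolderPath('Startup')
$files = @("$startup\MSKernell.bat", "$env:windir\Exit to DosPrompt.pif",
           "$env:windir\Mails", "$env:SystemRoot\System32\AutoRun.bat")
foreach ($f in $files) {
  if (Test-Path -LiteralPath $f) {
    $findings += "File present: $f"
    if ($Remediate) { Remove-Item -LiteralPath $f -Recurse -Force }
  }
}

if ($findings) { $findings } else { 'No W32/Gatina-B artifacts found' }
```

Run it from an elevated session after the running worm process has been stopped (the analysis shows it closes windows titled Registry Editor and Windows Task Manager, so cleanup from a live infection is unreliable).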
