
Trojan:Win32/Gatak


First posted on 04 December 2013.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Gatak.

Explanation:

Threat behavior

Installation

Trojan:Win32/Gatak can pose as an update to legitimate applications or arrive as part of a key generator application.

It can install a copy of itself as the following:

  • %USERPROFILE%\Application Data\advantage\Advantage.EXE
  • %USERPROFILE%\Application Data\Skype\Phone\Skype.EXE
  • %USERPROFILE%\Application Data\google talk\googletalk.exe


It also creates the following encrypted configuration file:

  • A randomly named subfolder and file under %USERPROFILE%\Application Data\microsoft\, for example c:\documents and settings\administrator\application data\microsoft\kqda\cboiat


It modifies the following registry entries so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sets value: "AdVantage"
With data: "%USERPROFILE%\Application Data\advantage\Advantage.EXE"

Sets value: "Skype"
With data: "%USERPROFILE%\application data\skype\phone\skype.exe /nosplash /minimized"

Sets value: "googletalk"
With data: "%USERPROFILE%\application data\google talk\googletalk.exe /autostart"
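The persistence described above can be audited from the affected user's session with the script below. It is an added example written for this page, not code from Microsoft or from the malware: the Run value names and dropped-file paths come from the write-up, while the regular expression, the comparison against where the genuine Skype and Google Talk binaries install, and the Authenticode check are assumptions made for the example. It needs PowerShell 3 or later.

```powershell
# Added example, not from Microsoft's write-up. Audits the current user's
# Run key and profile for the Gatak persistence indicators listed above.
# Run value names and file paths come from the write-up; the pattern,
# the install-path comparison and the signature check are assumptions.

$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Dropped files from the write-up, relative to the profile's
# "Application Data" folder (a junction to AppData\Roaming on Vista and later).
$DroppedFiles = @(
    'advantage\Advantage.EXE',
    'Skype\Phone\Skype.EXE',
    'google talk\googletalk.exe'
)

# The tell is the directory, not the file name. Real Skype installs under
# Program Files\Skype\Phone and registers the same "/nosplash /minimized"
# Run value; real Google Talk installs under Application Data\Google\Google Talk\,
# not directly under Application Data\google talk\. (Assumption from the
# products' default install locations; not stated in the write-up.)
$RunDataPattern = '\\(application data|appdata\\roaming)\\' +
                  '(advantage\\advantage\.exe|skype\\phone\\skype\.exe|google talk\\googletalk\.exe)'

function Get-GatakRunEntries {
    # Every Run value whose command line points into a Gatak drop
    # location, whatever value name the sample chose.
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    $providerNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($p in $props.PSObject.Properties) {
        if ($providerNoise -contains $p.Name) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if ($expanded -match $RunDataPattern) {
            [pscustomobject]@{ Source = 'Run value'; Name = $p.Name; Data = $expanded }
        }
    }
}

function Get-GatakDroppedFiles {
    # Check both spellings of the roaming folder; on XP they are the same path.
    $roots = @((Join-Path $env:USERPROFILE 'Application Data'), $env:APPDATA)
    foreach ($rel in $DroppedFiles) {
        foreach ($root in ($roots | Select-Object -Unique)) {
            $full = Join-Path $root $rel
            if (-not (Test-Path -LiteralPath $full -PathType Leaf)) { continue }
            # A Gatak drop is not expected to carry the vendor's signature;
            # record the status rather than treating it as a verdict.
            $sig = Get-AuthenticodeSignature -FilePath $full
            [pscustomobject]@{
                Source = 'File'
                Name   = $full
                Data   = "signature=$($sig.Status); signer=$($sig.SignerCertificate.Subject)"
            }
        }
    }
}

$hits = @(Get-GatakRunEntries) + @(Get-GatakDroppedFiles)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize -Wrap
} else {
    'No Gatak persistence indicators found in the current user profile.'
}
```

The script only reads the hive and profile of the user running it; to sweep other accounts on the same machine, load or enumerate the corresponding HKEY_USERS subkeys and profile folders and apply the same pattern. Matching on the drop directory rather than the value name is deliberate: a genuine Skype install sets an identically named "Skype" Run value, so the name alone is not evidence.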

Payload


Collects system information

Trojan:Win32/Gatak collects information about your PC and sends it to a remote server.

It does this by injecting its code into the following processes:

  • explorer.exe
  • winlogon.exe
  • svchost.exe


We have seen it connect to the following remote servers:

  • 188.72.227.35
  • 91.211.119.189


Trojan:Win32/Gatak can also download updates for itself to try to evade detection and removal.
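The server addresses and the list of injection targets above give a simple host-side check: any live connection to those addresses, and which process owns it. The following script is an added example written for this page, not Microsoft's or the malware's code; only the two addresses and the three process names come from the write-up, and the containment rule at the end is an assumption about how a responder might use them.

```powershell
# Added example, not from Microsoft's write-up. Looks for live connections to
# the two servers listed above and names the owning process. Because Gatak
# runs from code injected into explorer.exe, winlogon.exe or svchost.exe, a
# hit owned by one of those is the expected shape of a true positive.
# Only the addresses and process names come from the write-up.

$C2Addresses      = @('188.72.227.35', '91.211.119.189')
$InjectionTargets = @('explorer', 'winlogon', 'svchost')

function Get-GatakConnections {
    # netstat -ano exists on every Windows version Gatak targeted;
    # Get-NetTCPConnection only arrived with Windows 8 / Server 2012.
    # Run elevated so PIDs of other users' processes resolve.
    $lines = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }
    foreach ($line in $lines) {
        # Columns: Proto, Local Address, Foreign Address, [State], PID
        # (UDP rows have no State column, so take the PID from the end).
        $fields   = @($line.Trim() -split '\s+')
        $remote   = $fields[2]
        $state    = if ($fields.Count -ge 5) { $fields[3] } else { '-' }
        $ownerPid = [int]$fields[-1]
        # The IOCs are IPv4, so "a.b.c.d:port" is the only form to strip.
        $remoteIp = ($remote -split ':')[0]
        if ($C2Addresses -notcontains $remoteIp) { continue }

        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.Name } else { '<exited>' }
        [pscustomobject]@{
            Proto          = $fields[0]
            Remote         = $remote
            State          = $state
            PID            = $ownerPid
            Process        = $name
            LikelyInjected = [bool]($proc -and ($InjectionTargets -contains $name))
        }
    }
}

function Block-GatakC2 {
    # Short-term containment: an outbound block for both addresses in the
    # built-in firewall (netsh advfirewall exists from Vista onward; needs an
    # elevated prompt). The addresses date from 2013 and may since have been
    # reassigned, so review the rule once the incident is closed.
    $list = $C2Addresses -join ','
    netsh advfirewall firewall add rule name=BlockGatakC2 dir=out action=block "remoteip=$list"
}

$conns = @(Get-GatakConnections)
if ($conns.Count -gt 0) {
    $conns | Format-Table -AutoSize
} else {
    'No live connections to the listed Gatak servers.'
}
```

netstat gives a point-in-time view and beacons are intermittent, so a clean result does not clear the host; search proxy or firewall logs for the two addresses across the suspected infection window as well. Because the trojan runs inside injected system processes, a connection owned by explorer.exe or svchost.exe is consistent with an infection rather than a reason to discount the hit.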



Analysis by Marianne Mallen

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    %USERPROFILE%\Application Data\advantage\Advantage.EXE
    %USERPROFILE%\Application Data\Skype\Phone\Skype.EXE
    %USERPROFILE%\application data\google talk\googletalk.exe
  • You see these entries or keys in your registry:


    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Sets value: "AdVantage"
    With data: "%USERPROFILE%\Application Data\advantage\Advantage.EXE"

    Sets value: "Skype"
    With data: "%USERPROFILE%\application data\skype\phone\skype.exe /nosplash /minimized"

    Sets value: "googletalk"
    With data: "%USERPROFILE%\application data\google talk\googletalk.exe /autostart"





Last update 04 December 2013

 
