McAfee > Theat Center > Virus Detail Page

Overview

W32/Gatt is a polymorphic virus that uses the Entry Point Obscuring (EPO) technique to infect .IDC script files
that are associated with the Interactive Disassembler Pro (IDA) application.

IDA Pro is a reverse engineering tool that is very popular with security researchers. This proof of concept virus was created
to replicate only on machines that have IDA Pro installed and does not carry any payload.

Aliases

• PE_GATTMAN.A-O (Trend Micro)

• W32.Gatt (Symantec)

• W32/Gatt.A (Norman)

• W32/Gattaca (Avira)

• W32/GattMan-A (Sophos)

• Win32/Gutfuul.A (CA)

Characteristics

Upon execution, W32/Gatt creates a randomly named .exe file in the current directory and executes that file.
It then searches the current directory and sub folders for .IDC script files and infects .IDC script files using the entry point obscuring technique.

Note: Only IDC scripts that contain functions are infected and it only infects one file per execution.

The following encrypted strings are found in the virus body:

"[Gattaca] [Darkman/TKT] [Second Part To Hell/rRlf]"

Symptoms

Infected .IDC script increase in size and contain the body of the virus stored in random file locations using comments.

Method of Infection

W32/Gatt is a proof of concept virus that was created to replicate only on machines that have IDA Pro installed and does not carry any payload.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

W32/Gatt is a polymorphic virus that uses the Entry Point Obscuring (EPO) technique to infect .IDC script files
that are associated with the Interactive Disassembler Pro (IDA) application.

IDA Pro is a reverse engineering tool that is very popular with security researchers. This proof of concept virus was created
to replicate only on machines that have IDA Pro installed and does not carry any payload.

Aliases

• PE_GATTMAN.A-O (Trend Micro)

• W32.Gatt (Symantec)

• W32/Gatt.A (Norman)

• W32/Gattaca (Avira)

• W32/GattMan-A (Sophos)

• Win32/Gutfuul.A (CA)

Characteristics

Characteristics -

Upon execution, W32/Gatt creates a randomly named .exe file in the current directory and executes that file.
It then searches the current directory and sub folders for .IDC script files and infects .IDC script files using the entry point obscuring technique.

Note: Only IDC scripts that contain functions are infected and it only infects one file per execution.

The following encrypted strings are found in the virus body:

"[Gattaca] [Darkman/TKT] [Second Part To Hell/rRlf]"

Symptoms

Symptoms -

Infected .IDC script increase in size and contain the body of the virus stored in random file locations using comments.

Method of Infection

Method of Infection -

W32/Gatt is a proof of concept virus that was created to replicate only on machines that have IDA Pro installed and does not carry any payload.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A