Trojan:Win32/Gataka.D


Trojan:Win32/Gataka.D is a trojan that allows backdoor access and control of your computer. It also monitors your Internet searches and various processes related to software installed on your computer.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

Trojan:Win32/Gataka.D can be bundled with other software that you may have downloaded via peer-to-peer sharing.

When run, Trojan:Win32/Gataka.D drops the following files:

  • %APPDATA%\TeamViewer\{GUID}\1FA9DA03D577491EA1C272CF0920130A.dat - this file contains binary data that is clean, and may be dropped by the trojan to serve as an "infection marker" (a file or modification to your computer that identifies the presence and version of the malware on your computer)
  • %APPDATA%\Sun\{GUID}\UpgradeHelper.exe - this is a copy of the trojan

The trojan modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "UpgradeHelper"
With data: "%APPDATA%\Sun\{GUID}\UpgradeHelper.exe"

Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Roaming".

Trojan:Win32/Gataka.D deletes itself after execution.

Payload

Allows backdoor access and control

The trojan attempts to connect to the server "this-domain-is-sinkholed-by.abuse.ch" and receive commands. For a list of these commands, please see the Additional information section in this entry.

Using backdoor access and control, an attacker may also be able to perform the following actions:

  • Download and execute arbitrary files
  • Upload files
  • Spread to other computers using various methods of propagation
  • Log keystrokes or steal sensitive data
  • Modify system settings
  • Run or terminate applications
  • Delete files

At the time of analysis, the server was down. Therefore, we are unable to identify the precise nature of these behaviors.

Monitors Internet searches

When run, the trojan will load itself into memory. It monitors searches you make in the following Internet browsers by injecting and running part of its code into their processes:

  • Internet Explorer
  • Maxthon
  • Mozilla Firefox
  • Opera

In the wild, we have observed the trojan sending the data it collects from your searches to the remote server at "dns-ping.cc/mak/g.php".

At the time of analysis, the server was down. Therefore, we are unable to determine the nature of the information the trojan sends.

Monitors processes

Trojan:Win32/Gataka.D injects code into various processes, including "explorer.exe" and "sol.exe", so as to monitor and retrieve information about installed programs on your computer. We have observed the trojan sending this information to a remote server at "dns-ping.cc/mak/g.php".

In the wild, we have observed the trojan also injecting code and monitoring processes related to the following software and software developers:

  • Adobe
  • Apple
  • Dropbox
  • Google
  • Google Inc.
  • Identities
  • LicenseValidator
  • Macromedia
  • Media Center Programs
  • Media Player Classic
  • Microsoft
  • Microsoft Corporation
  • Mozilla
  • NtCoreDefender
  • NtGarbageCollector
  • Opera
  • RdcRpcController
  • renovator
  • RpcLowAccessPipe
  • RpcLowReader
  • RpcNtComm
  • RpcScheduler
  • RpcSearchIndexer
  • RpcWin32Router
  • RpcWin32Service
  • SearchHelper
  • Skype
  • TeamViewer
  • Upgrade
  • UpgradeChecker
  • UpgradeHelper
  • Validator
  • Win16Communicator
  • Win32Defender
  • Win32GlobalFinder
  • Win32RpcAccessCtrl
  • Win32RpcDecrypt
  • Win32Scheduler
  • Win32UserFinder
  • Win64Expected
  • Win64GarbageCollector
  • Windows Desktop Search
  • Windows Search
  • WindowsRpcAccess
  • WinRAR

The trojan also monitors and gathers information about running and newly created processes by hooking into the following APIs:

  • ADVAPI32.CreateProcessAsUserA
  • ADVAPI32.CreateProcessAsUserW
  • Kernel32.CreateProcessA
  • Kernel32.CreateProcessW

Contacts remote host

Trojan:Win32/Gataka.D sends a message via HTTP POST to the following address:

dns-ping.cc/mak/g.php

HTTP POST is a standard web request that sends data from your computer to a website.

We have observed the following message, specifying the time and date of infection, sent to the remote host:

[2012-08-30 09:20:45]:[1]:[1.24]:[4]:[[.\HermesCore.cpp(1893)] PPM: 1]:[997]:[C:\Program Files\Internet Explorer\iexplore.exe(1824)]
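As an added example (not code from the write-up or from Microsoft), the following PowerShell splits the check-in message above into its bracketed fields and scans constructed proxy-log lines for the POST to dns-ping.cc/mak/g.php. The function names, the field labels and the sample log lines are assumptions; the message format itself is undocumented, so only the timestamp, the embedded debug string and the host process are named.

```powershell
# Added example, not part of the write-up: parses the check-in message shown
# above and flags proxy log lines that carry a POST to the write-up's server.
# The bracketed fields are undocumented, so only the timestamp, the embedded
# debug string and the host process are named; the rest are kept by position.
function ConvertFrom-GatakaCheckIn {
    param([string]$Message)
    # Fields are '[...]' groups joined by ':'. The fifth group nests its own
    # brackets ("[[.\HermesCore.cpp(1893)] PPM: 1]"), so split only on the
    # literal "]:[" boundaries instead of on every bracket.
    $fields = $Message.TrimStart('[').TrimEnd(']') -split '\]:\['
    if ($fields.Count -ne 7) { return $null }
    $proc = [regex]::Match($fields[6], '^(?<path>.+)\((?<pid>\d+)\)$')
    [pscustomobject]@{
        Timestamp   = [datetime]::ParseExact($fields[0], 'yyyy-MM-dd HH:mm:ss', $null)
        Fields      = $fields[1..3] + $fields[5]   # "1", "1.24", "4", "997": meaning unknown
        Source      = [regex]::Match($fields[4], '^\[([^\]]*)\]').Groups[1].Value
        DebugString = ($fields[4] -replace '^\[[^\]]*\]\s*', '')  # "PPM: 1", cf. "PPM: %d" under Additional information
        HostProcess = $proc.Groups['path'].Value
        HostPid     = [int]$proc.Groups['pid'].Value
    }
}

# Constructed proxy log lines (not real traffic): "client method host path"
$sampleLog = @(
    '10.0.0.5 GET www.example.com /index.html',
    '10.0.0.7 POST dns-ping.cc /mak/g.php',
    '10.0.0.9 GET dns-ping.cc /favicon.ico'
)
function Find-GatakaCheckIns {
    param([string[]]$Lines)
    # Only the POST to the path named in the write-up counts as a check-in
    $Lines | Where-Object { $_ -match '\sPOST\s+dns-ping\.cc\s+/mak/g\.php(\s|$)' }
}

$observed = '[2012-08-30 09:20:45]:[1]:[1.24]:[4]:[[.\HermesCore.cpp(1893)] PPM: 1]:[997]:[C:\Program Files\Internet Explorer\iexplore.exe(1824)]'
ConvertFrom-GatakaCheckIn $observed | Format-List
Find-GatakaCheckIns $sampleLog
```

Only the second sample line is returned by Find-GatakaCheckIns; the parsed object shows iexplore.exe with PID 1824 as the host process.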

Modifies system settings

The trojan modifies the registry subkey "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" with the following values and data, possibly to use as an "infection marker" to track the currently installed version of the trojan on your computer:

Sets value: "StartCurrId"
With data: "dword:00000009"

Sets value: "StartCurrMask"
With data: "dword:0000003e"

Sets value: "StartMainId"
With data: "dword:0000000a"

Sets value: "StartMainMask"
With data: "dword:0000007e"

Sets value: "PersistFile"
With data: "dword:00000003"

Sets value: "PersistFolder"
With data: "dword:00000002"

Sets value: "StartMenuMask"
With data: "dword:00015be1"

Sets value: "StartProcIrq"
With data: "dword:0000000c"

Sets value: "CustomBarMenu"
With data: "<hexadecimal values>"
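As an added example (not code from the write-up or from Microsoft), the following PowerShell checks the current user's profile for the artifacts listed under Installation and Modifies system settings: the Run value, the two dropped files and the Explorer\Advanced marker values. The function name is an assumption, and because the {GUID} folder name is not known the file checks use wildcards.

```powershell
# Added example, not part of the write-up: enumerates the Gataka.D artifacts
# described under "Installation" and "Modifies system settings" on this host.
# The {GUID} folder name is unknown, so file checks use wildcards; marker
# values count only when their data equals what the write-up lists.
function Find-GatakaArtifacts {
    $findings = @()

    # 1. Run-key persistence: value "UpgradeHelper"
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['UpgradeHelper']) {
        $findings += "Run value UpgradeHelper -> $($run.UpgradeHelper)"
    }

    # 2. Dropped files; the unknown {GUID} subfolder is matched by '*'
    $dropped = @(
        (Join-Path $env:APPDATA 'Sun\*\UpgradeHelper.exe'),
        (Join-Path $env:APPDATA 'TeamViewer\*\1FA9DA03D577491EA1C272CF0920130A.dat')
    )
    foreach ($pattern in $dropped) {
        Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "Dropped file present: $($_.FullName)" }
    }

    # 3. Infection-marker DWORDs under Explorer\Advanced (exact data from the write-up)
    $markers = @{
        StartCurrId = 0x9;  StartCurrMask = 0x3e;  StartMainId   = 0xa;      StartMainMask = 0x7e
        PersistFile = 0x3;  PersistFolder = 0x2;   StartMenuMask = 0x15be1;  StartProcIrq  = 0xc
    }
    $advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
    if ($adv) {
        foreach ($name in $markers.Keys) {
            if ($adv.PSObject.Properties[$name] -and $adv.$name -eq $markers[$name]) {
                $findings += ('Marker {0} = 0x{1:x}' -f $name, $adv.$name)
            }
        }
        if ($adv.PSObject.Properties['CustomBarMenu']) {
            $findings += 'Marker CustomBarMenu present (binary data)'
        }
    }
    return $findings
}

$hits = Find-GatakaArtifacts
if ($hits) { $hits | ForEach-Object { Write-Warning $_ } } else { 'No Gataka.D artifacts found.' }
```

Run it in the context of each user profile you want to check, since every key and path above lives under HKCU and %APPDATA%.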

Additional information

We have observed the following commands being sent by a remote attacker to an infected computer:

  • AutoRunControllerLoop: Unable Setup AutoRun
  • AutoRunControllerLoop: Unable to Open key
  • DetectAppType: An Unexpected Errror Occurred
  • GeneratePanelDataPackage: Data Compression Failed
  • GetAutoRunValueName: Unable to Get Known File Name
  • GetAutoRunValueName: Unable to Open Reg key
  • GetAutoRunValueName: Unable to query Reg value
  • GetPipeName: Unable to Open Reg Key
  • GetPipeName: Unable to Store In Reg
  • GetReserveCopyFilePath: Unable to Open Key
  • GetServerPipeName: Unable to Open Reg Key
  • GetServerPipeName: Unable to Query Reg Value
  • InitModulesInfo: There are %u modules initialized
  • InstallBot: Unable Setup AutoRun
  • InstallBot: Unable to get installer path
  • InstallBot: Unable to remove installer
  • LoadAllModules: Failed: %u
  • MainCoreLoop: App Type: %d IL: %d
  • MainCoreLoop: Build: %u
  • MainCoreLoop: UNable to Setup Main Timer
  • ParsePanelReply: Buffer Allocation Failed, Size: %u
  • ParsePanelReply: Success: %d Failed: %d
  • ParsePanelReply: Unable to Load Attached Data, Size: %u, Buffer unread Size: %u
  • ParsePanelReply: Wrong Pckage Magic Value: %u
  • PPM: %d
  • ProcessDataSender: Data: %u Sending Failed
  • ProcessDataSender: Out: %u In: %u
  • ProcessDataSender: Result: %d
  • ProcessHandShakeMessage: %u %d
  • ProcessHandShakeMessage: %u Load: %d
  • ProcessPanelPackage: Buffer : %u PayLoad: %u
  • ProcessPanelPackage: Buffer size: %u
  • ProcessPanelPackage: CheckSumm: %u Calculated: %u
  • ProcessPanelPackage: Data Decompression Failed
  • ProcessPanelPackage: Module: %u CMD: %u CRC: %u
  • ProcessPanelPackage: NOT Signet Package: %u
  • ProcessPanelPackage: Not Supported protocol: %u
  • ProcessPanelPackage: Uncompressed Size: %u is NOT equal to Real Size: %u
  • ProcessPanelPackage: Wrong Uncompressed Data Size: %u
  • ProcessPipeMessages: Msg Size: %u Buffer Size: %u
  • ProcessSendDataMessage: Data Size: %u
  • ProcessSendDataMessage: NOBRO: %d
  • ProcessSendDataMessage: Thread Failed on Create
  • RunBrowser: Unable to Start, execute result: %d
  • SaveReserveCopy: Unable to Open Key
  • SaveReserveCopy: Unable to Save Reserve
  • SaveReserveCopy: Unable to Store Value
  • SendDataToPanel: API initialization failed
  • SetModuleInjectionLevel: %u %d %d
  • SetupAutoRun: Unable to Get AppData Path
  • StartAutoRunController: Unable to Create the Thread
  • StartAutoRunController: Unalble to Create Event
  • StartPipeServerRoutine: Failed on Start
  • StartWork: Call
  • StartWork: Unable to Create Main Proc
  • StopWork: Wait Failed

Analysis by Ferdinand Plazo


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    %APPDATA%\TeamViewer\{GUID}\1FA9DA03D577491EA1C272CF0920130A.dat
    %APPDATA%\Sun\{GUID}\UpgradeHelper.exe
     
  • The presence of the following registry modifications:

    In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
    Sets value: "UpgradeHelper"
    With data: "%APPDATA%\Sun\{GUID}\UpgradeHelper.exe"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

    Sets value: "StartCurrId"
    With data: "dword:00000009"

    Sets value: "StartCurrMask"
    With data: "dword:0000003e"

    Sets value: "StartMainId"
    With data: "dword:0000000a"

    Sets value: "StartMainMask"
    With data: "dword:0000007e"

    Sets value: "PersistFile"
    With data: "dword:00000003"

    Sets value: "PersistFolder"
    With data: "dword:00000002"

    Sets value: "StartMenuMask"
    With data: "dword:00015be1"

    Sets value: "StartProcIrq"
    With data: "dword:0000000c"

    Sets value: "CustomBarMenu"
    With data: "<hexadecimal values>"

Prevention


Alert level: Severe
First detected by definition: 1.127.131.0
Latest detected by definition: 1.177.1148.0 and higher
First detected on: May 17, 2012
This entry was first published on: May 17, 2012
This entry was updated on: Sep 18, 2012

This threat is also detected as:
  • Spyware/Win32.Zbot (AhnLab)
  • TR/Graftor.39455 (Avira)
  • Win32.Expiro.44 (Dr.Web)