My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Gattman.A

VERY LOW
VERY LOW
16384 bytes

Symptoms

Unusually big IDC files (more than 800KB).

Removal instructions:

Please let BitDefender delete/disinfect your files.

Analyzed By

Mihai Neagu, virus researcher

Technical Description:

This is a concept virus, it infects only IDC files (Interactive DisAssembler scripts). It infects one IDC file at a time, and the IDC file grows in size with about 800 KB. The virus enumerates files from the current directory, and checks the SHA1 sum of the extension for a match.

The IDC file once ran, drops a 16384-byte executable file which has only one letter as name and exe extension (for instance G.EXE), and executes it. That is the very same executable that infects IDC files.

To check that a IDC file has already been infected, the virus checks if the size is bigger than 0x66666 bytes (about 400 KB).

The infected script is very much polymorphic and that is done by adding lots of comments with garbage (for instance: /*-%VomsL_Ku*/). The comments can contain non-printable characters. A variable with random name is added in one function already present in the script, and an exe file is created then written using the script functions: writelong, writeshort, writestr or putchar.

As this is a concept virus, it doesn't do any other malware action instead of infecting one IDC file in the current directory.

The infected IDC files are detected by BitDefender as Win32.Gattman.IDC.