Aliases: PE_GATTMAN.A-O, W32.Gatt, W32/Gatt.A, W32/Gattaca, W32/GattMan-A
Variants: W32/GattMan-A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 02 Jul 2006
Damage: Low

Characteristics: W32.Gatt differs from most other viruses in that it mainly searches for IDC script files and infects them. It is also considered a proof-of-concept virus intended only to replicate on computers with IDA Pro installed. It does not carry any payload. IDC files are scripts for the Interactive Disassembler (IDA Pro) application. IDA Pro is used mostly as a reverse engineering tool, and security researchers usually use it for checks. When a file is infected, the filename changes and the file may be detected as “W32.Gatt!idc.” Reports also say that it creates a randomly named “.exe” file in the current directory and all subdirectories and then automatically opens that file.

More details about W32.Gatt

Only IDC scripts that contain functions are infected, and it infects only one file per execution. All Windows platforms are vulnerable to this worm, including Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP. The virus is proof-of-concept malware and does nothing but replicate. The worm then spreads by copying itself, with the hidden and system attributes set, to a fake Recycled folder. It also sometimes changes the boot sector, which could leave the computer unable to run. To kill the processes, you may need to go to Windows Task Manager and click “Processes”. This will execute the Run tool. Then type in taskmgr and press OK. These steps will open the Windows Task Manager. Check the list of actively running files, find all the .exe files and delete them.

The W32.Gatt worm is usually installed by taking advantage of weaknesses in the user’s security system. It is installed without the consent or active participation of the user and is usually made a component of a seemingly legitimate computer program. This malware can reach the user through e-mails, newsgroups, Internet Relay Chat (IRC) and P2P networks. Some websites are also said to download and install the worm without the user even knowing it. This worm operates on systems running the Windows platform and, when launched, makes a number of registry modifications to enable it to carry out its payload. It creates various registry keys and registry values, including a registry value that allows it to launch at every system startup.