Win32/Gataka
Posted: June 29, 2012
Threat Metric
The following fields listed on the Threat Meter, each containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criterion for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 9/10 |
|---|---|
| Infected PCs: | 173 |
| First Seen: | June 29, 2012 |
| Last Seen: | January 8, 2021 |
| OS(es) Affected: | Windows |
Win32/Gataka is a banking Trojan that was originally identified in 2011 but remains an active and significant threat as of June 2012. Although Win32/Gataka's built-in functions are relatively limited, it relies heavily on additional plugins, much like other plugin-based PC threats such as SpyEye, and those plugins are used to monitor your computer and steal personal information, including passwords and other security data for bank accounts. Since Win32/Gataka routinely uses sophisticated techniques (such as code injection into unrelated processes), SpywareRemove.com malware analysts strongly suggest using powerful anti-malware software for any attempt to find or delete Win32/Gataka from your computer.
Win32/Gataka – an Invisible and Readily-Expandable Thief
Win32/Gataka has been noted for its use in attack campaigns against US newspaper websites, Dutch banks and German banks, although the majority of Win32/Gataka's victims are based in Germany. Because Win32/Gataka's distribution methods include redirects from hacked websites, SpywareRemove.com malware researchers recommend that you protect your browser from exploits and live attacks even while you're browsing a site that you know to be reputable. Win32/Gataka installation may proceed without symptoms, and even Win32/Gataka's original executable is deleted to avoid detection.
Win32/Gataka avoids giving itself away by using code-injection attacks to insert its code into running processes, starting with explorer.exe. Internet Explorer is also used to contact a remote server from which Win32/Gataka may receive further instructions, such as which plugins to download and use. Because its basic architecture depends on having Windows programs to inject itself into, Win32/Gataka is of little danger to non-Windows operating systems. Updates to Win32/Gataka can also include changes that allow it to evade anti-malware programs, so SpywareRemove.com malware researchers particularly recommend that you keep all security software as completely updated as possible to maximize your chances of detecting Win32/Gataka.
An Inspection of Each of Win32/Gataka's Tentacles
Win32/Gataka has been used for attacks as disparate as cracking account passwords with randomly-generated guesses and web page injections that trick victims into handing over their Transaction Authorization Numbers (TANs) in fake 'test transfers.' Despite the wide range of techniques in use, Win32/Gataka's overall goal remains that of stealing personal information and/or money via the infected PC. SpywareRemove.com malware researchers highlight the following modules in particular as good examples of Win32/Gataka at work:
- WebInject is used to insert Java-based code into unrelated web content. This code can be used to create fraudulent or malicious content on a normally-safe site, as SpywareRemove.com malware experts found in the aforementioned TAN-theft attacks.
- The Interceptor plugin allows Win32/Gataka to examine all incoming and outgoing network communication. Websites that use encryption to protect sensitive information (such as bank sites) can have their encryption replaced with fake certificates that are included with Interceptor. This allows Win32/Gataka to both monitor information for theft and create a false appearance of security while you browse the web.
- NextGenFixer is a plugin that enhances the functionality of other modules by assisting Win32/Gataka with monitoring specific websites that are of interest to Win32/Gataka's criminal controllers.
Of course, the main module for Win32/Gataka coordinates all of these activities, including connecting to the relevant C&C server and installing other PC threats and add-ons as required. SpywareRemove.com malware analysts emphasize that the main danger in any Win32/Gataka attack is theft of bank account data, but other forms of information can also be stolen by Win32/Gataka, which should be removed with dedicated anti-malware software whenever necessary.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:

| File name | Path | Size | MD5 | Detection count | Last updated |
|---|---|---|---|---|---|
| readme (1).exe | (not listed) | 266.24 KB (266240 bytes) | 07b57a8fd33e0942e08fa449e3920264 | 12 | July 2, 2012 |
| file.exe | (not listed) | 239.61 KB (239616 bytes) | 576f95b855f69981cace04eb9ff22e11 | 11 | July 2, 2012 |
| Boonty.exe | %COMMONPROGRAMFILES%\BOONTY Shared\Service | 69.12 KB (69120 bytes) | 91e6d6d3d98bb3628be4e1162e9b33eb | 9 | July 5, 2012 |
| FE61.exe | %APPDATA% | 90.11 KB (90112 bytes) | 62728cb88ac42bd5d520cf05982ea9e9 | 5 | July 5, 2012 |
| file.exe | (not listed) | 246.78 KB (246784 bytes) | 55c1296cdacbc7fe125628bc17677f9e | 5 | July 2, 2012 |

All five entries are executable files (MIME type unknown/exe) in the "Malware file" group.
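As an added, defender-side example (not code from this page, SpywareRemove.com or SpyHunter): a small Python scanner that hashes every file under the given directories and reports any whose MD5 matches the Win32/Gataka hashes listed above, expanding the Windows %APPDATA% and %COMMONPROGRAMFILES% placeholders used in those paths. The temporary directory, the file bytes and the "constructed-test-sample" label in demo() are constructed for the demonstration and are not real malware.

```python
import hashlib
import os
import re
import tempfile
# MD5 values and paths as listed on this page for Win32/Gataka components.
GATAKA_MD5_IOCS = {
    "07b57a8fd33e0942e08fa449e3920264": "readme (1).exe",
    "576f95b855f69981cace04eb9ff22e11": "file.exe",
    "91e6d6d3d98bb3628be4e1162e9b33eb": r"%COMMONPROGRAMFILES%\BOONTY Shared\Service\Boonty.exe",
    "62728cb88ac42bd5d520cf05982ea9e9": r"%APPDATA%\FE61.exe",
    "55c1296cdacbc7fe125628bc17677f9e": "file.exe",
}
_VAR = re.compile(r"%([A-Za-z0-9_]+)%")

def expand_windows_path(path, env=None):
    """Expand %VAR% placeholders from env (default os.environ); unknown ones stay as-is."""
    env = os.environ if env is None else env
    return _VAR.sub(lambda m: env.get(m.group(1), m.group(0)), path)

def md5_file(path):
    """Stream the file through MD5 so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_for_iocs(roots, iocs=GATAKA_MD5_IOCS):
    """Walk each root; return (path, md5, label) for every file whose hash is an IoC."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(expand_windows_path(root)):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    digest = md5_file(full)
                except OSError:
                    continue  # locked or unreadable files are skipped, not fatal
                if digest in iocs:
                    hits.append((full, digest, iocs[digest]))
    return hits

def demo():
    """Scan a temp dir holding a constructed sample (harmless bytes) registered as a hypothetical IoC."""
    tmp = tempfile.mkdtemp()
    sample = os.path.join(tmp, "FE61.exe")
    with open(sample, "wb") as f:
        f.write(b"constructed test bytes, not malware")
    iocs = dict(GATAKA_MD5_IOCS, **{md5_file(sample): "constructed-test-sample"})
    return scan_for_iocs([tmp], iocs)
```

On a real Windows host you would call scan_for_iocs with roots such as "%APPDATA%" and "%COMMONPROGRAMFILES%" and treat any hit as a trigger for a full anti-malware scan, since the main module may already have injected into explorer.exe.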