Win32.Gattman.A


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.Gattman.A.

Explanation:

This is a concept virus; it infects only IDC files (Interactive DisAssembler scripts). It infects one IDC file at a time, and the infected IDC file grows by about 800 KB. The virus enumerates the files in the current directory, computes the SHA1 sum of each file's extension and checks it for a match.

Once run, the infected IDC file drops a 16384-byte executable whose name is a single letter with an .exe extension (for instance G.EXE), and executes it. That executable is the same one that infects IDC files.

To determine whether an IDC file has already been infected, the virus checks whether its size is larger than 0x66666 bytes (about 400 KB).

The infected script is highly polymorphic; this is achieved by inserting many comments filled with garbage (for instance /*-%VomsL_Ku*/). These comments can contain non-printable characters. A variable with a random name is added to one of the functions already present in the script, and the executable file is created and then written using the script functions writelong, writeshort, writestr or putchar.
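The markers in the description above (the 0x66666-byte size check, garbage-filled block comments that may hold non-printable characters, and the use of writelong/writeshort/writestr/putchar) can be turned into a simple triage scanner for a directory of IDC scripts. The following is an added example written for this page, not BitDefender's detection logic: the size threshold and the primitive names come from the write-up, but the "garbage comment" heuristic, the scoring rule and the two embedded sample scripts are assumptions constructed here for illustration.

```python
import os
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Size the write-up gives for the virus's own "already infected" test:
# a script larger than 0x66666 bytes (about 400 KB) is treated as infected.
INFECTED_SIZE_THRESHOLD = 0x66666  # 419430 bytes

# IDC output primitives the write-up says are used to emit the dropped executable.
WRITE_PRIMITIVES = ("writelong", "writeshort", "writestr", "putchar")

BLOCK_COMMENT_RE = re.compile(r"/\*(.*?)\*/", re.DOTALL)
WRITE_CALL_RE = re.compile(r"\b(" + "|".join(WRITE_PRIMITIVES) + r")\s*\(")


def _is_nonprintable(ch: str) -> bool:
    return not ch.isprintable() and ch not in "\t\r\n"


def looks_like_garbage(body: str) -> bool:
    """Heuristic (our assumption, not from the write-up): a block comment with
    no whitespace that mixes letters and symbols, like -%VomsL_Ku, is padding."""
    body = body.strip()
    if len(body) < 4 or any(c.isspace() for c in body):
        return False
    return any(c.isalpha() for c in body) and any(not c.isalnum() for c in body)


@dataclass
class IdcScanResult:
    size: int
    comment_count: int
    garbage_comment_count: int
    nonprintable_comment_count: int
    write_primitive_calls: dict = field(default_factory=dict)

    @property
    def size_over_threshold(self) -> bool:
        return self.size > INFECTED_SIZE_THRESHOLD

    @property
    def suspicious(self) -> bool:
        # Any one of the page's markers is enough to flag the file for review;
        # the weighting below is our choice, not BitDefender's.
        return (self.size_over_threshold
                or self.garbage_comment_count >= 3
                or (self.nonprintable_comment_count > 0
                    and bool(self.write_primitive_calls)))


def scan_idc_text(text: str, size: Optional[int] = None) -> IdcScanResult:
    """Scan the text of one IDC script for the infection markers above."""
    size = len(text) if size is None else size
    bodies = BLOCK_COMMENT_RE.findall(text)
    garbage = sum(1 for b in bodies if looks_like_garbage(b))
    nonprint = sum(1 for b in bodies if any(_is_nonprintable(c) for c in b))
    calls = Counter(WRITE_CALL_RE.findall(text))
    return IdcScanResult(size, len(bodies), garbage, nonprint, dict(calls))


def scan_idc_file(path: str) -> IdcScanResult:
    # latin-1 keeps every byte, so non-printable bytes inside comments survive.
    with open(path, "rb") as fh:
        data = fh.read()
    return scan_idc_text(data.decode("latin-1"), size=len(data))


def scan_directory(directory: str) -> dict:
    """Return {path: result} for each .idc file in one directory (non-recursive,
    matching the virus's own scope of the current directory)."""
    results = {}
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.lower().endswith(".idc"):
            results[entry.path] = scan_idc_file(entry.path)
    return results


# Constructed sample of an ordinary IDC script (not a real file).
CLEAN_SAMPLE = """\
/* print the lowest address in the database */
static main() {
    auto ea;
    ea = MinEA();
    Message("%x\\n", ea);
}
"""

# Constructed sample showing the markers from the write-up; the values written
# are placeholders and this is not a working script of any kind.
INFECTED_LIKE_SAMPLE = (
    "/*-%VomsL_Ku*/static main()/*x9$Qz_p*/ {\n"
    "    auto fh;/*Kq-7%Lm*/\n"
    "    // constructed placeholder values\n"
    "    fh = fopen(\"G.EXE\", \"wb\");\n"
    "    writelong(fh, 0x11223344, 0);\n"
    "    writeshort(fh, 0x5566, 0);\n"
    "    putchar(fh, 0x77);\n"
    "    fclose(fh);/*\x01Qz\x7f*/\n"
    "}\n"
)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("infected-like", INFECTED_LIKE_SAMPLE)):
        r = scan_idc_text(sample)
        print(f"{name}: suspicious={r.suspicious} garbage={r.garbage_comment_count} "
              f"nonprintable={r.nonprintable_comment_count} calls={r.write_primitive_calls}")
```

A legitimate script may use writestr or exceed 400 KB on its own, so a hit here is a reason to look at the file, not a verdict; the definitive detection is the vendor signature named below.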

As this is a concept virus, it performs no malicious action other than infecting one IDC file in the current directory.

The infected IDC files are detected by BitDefender as Win32.Gattman.IDC.

Last update 21 November 2011
