Win32/Gataka DescriptionType: Trojan
Win32/Gataka is a banking Trojan that affects German banks, Dutch banks and a US newspaper. Win32/Gataka eases bogus bank transfers. Win32/Gataka has the same architecture as SpyEye in that a few plugins can be downloaded to add more functionality. Win32/Gataka is developed in C++ and is overly verbose in both the debug strings in its binaries and the amount of logging information that is transmitted back to the C&C. When activated, Win32/Gataka first inserts itself into the process called 'explorer.exe' and then continues on its installation. Win32/Gataka inserts all running processes and hooks the particular APIs 'CreateProces' and 'CreateProcessAsUser' for controlling process spawning. Before deleting the original dropper, Win32/Gataka will first copy it to a file in the Application Data folder following a predefined random behavior. In order to be persistent, Win32/Gataka adds a value to the specific registry key, pointing to the executable that was set in the Application Data folder. Win32/Gataka then proceeds to encrypt the original executable using a XOR key and saves it in the Application Data folder. The path to this encrypted file is kept in the specific registry key value, which is also XOR encrypted. When installed, Win32/Gataka will attempt to connect to the command-and-control (C&C) server by starting 'iexplore.exe', inserting it with a malevolent code and then sending encrypted POST requests.
15 security vendors flagged this file as malicious.
Screenshots & Other Imagery
SpyHunter Detects & Remove Win32/Gataka
File System Details
|#||File Name||MD5||Detection Count|
This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.