A new virus was detected in early July that reportedly targets AV researchers. The virus, known as Gatt / Gattaca, will scan an infected system for any files with the .idc extension and infect them. These .idc files are disassembler script files used by Interactive Disassembler Pro (IDA Pro), a very common tool used by AV researchers to reverse engineer malware.
Why do I say this sort of targets AV researchers? The virus doesn’t do anything else, as there is no malicious payload. It just replicates itself to other .idc files. So why write something like this? I agree with Mikko from F-Secure, “I think it was written to just show off it can be done”. In typical hax0r tradition there is a hidden message / shout out in the file, according to this Sophos analysis. For the curious I’ve added links to several AV companies’ analyses of the virus.
And for the REALLY curious, pick up a copy of Ed Skoudis’ book, Malware: Fighting Malicious Code. I am just finishing the book now and will post a review soon.
Links to W32.Gatt / W32.Gattaca / W32.Gattmann analysis: Symantec, Sophos, McAfee, Trend Micro