
Gattman is a new viral threat designed to spread within malware analysis labs by a new method of infection. A malicious piece of software that runs on the Windows platform, Gattman targets the Interactive Disassembler Pro (IDA), an analysis tool widely used by security developers.
"W32/GattMan-A will also attempt to locate the following utilities on the infected computer's hard drive: Exe32Packer, PePack, Spec, Upx and VGAlign. A message hidden inside the virus reads: [Gattaca] [Darkman/TKT] [Second Part To Hell/rRlf]," said Sophos.
IDC is the scripting language used to extend the behavior of the IDA tool, a reversing utility that translates machine code into readable source code. When run on a computer, Gattman scans for IDC files and infects them; when a compromised IDC file is executed, the virus runs. Because the virus is polymorphic and targets file-morphing utilities, Sophos researchers have concluded that the average user is less exposed to this threat, which appears to focus on security companies.
"Whereas analysts are usually very careful about exchanging EXE files, since so much malware spreads that way, it is often only in professionally-run and security-conscious malware labs that the same sort of precaution is taken with every type of file," said Paul Ducklin, Head of Technology, Asia Pacific, SophosLabs. "Presumably, the authors of Gattman were hoping to embarrass incautious researchers by spreading a virus using the very tools of their trade. Although just a proof-of-concept, and unlikely to spread except amongst researchers (or malware authors) who are both curious and careless, Gattman proves once again that malware authors are often willing to look for brand new avenues of infection. In this case the virus's creators appear to be doing it for kicks rather than financial reward."
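The practical lesson of the article, that IDC scripts deserve the same handling as executables, translates into a simple lab control: baseline the hashes of every .idc file in a shared script directory and re-check before use. The following Python is an added example written for this page, not Sophos or IDA code; the IDC contents and the appended placeholder are constructed and contain nothing from Gattman.

```python
import hashlib
import tempfile
from pathlib import Path

# Sample IDC script content, constructed for this example.
CLEAN_IDC = '#include <idc.idc>\nstatic main() { Message("hello\\n"); }\n'
# Constructed stand-in for content appended to a script after baselining.
APPENDED_IDC = '\nstatic extra() { /* constructed placeholder */ }\n'


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large scripts are not read fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each .idc script under root (by relative path) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*.idc")) if p.is_file()}


def compare_baseline(baseline: dict, root: Path) -> dict:
    """Report scripts whose hash changed, appeared, or vanished since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Baseline a lab script directory, alter one script, add another, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "helpers").mkdir()
        (root / "helpers" / "rename.idc").write_text(CLEAN_IDC)
        (root / "strings.idc").write_text(CLEAN_IDC)
        baseline = build_baseline(root)
        # Simulate a script being altered after the baseline was taken.
        with (root / "strings.idc").open("a") as f:
            f.write(APPENDED_IDC)
        (root / "new.idc").write_text(CLEAN_IDC)
        return compare_baseline(baseline, root)
```

In a real lab the baseline dictionary would be stored outside the script directory (or signed) so that a script infector cannot update it along with the files it modifies.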