Home / malware Worm:Win32/Gamarue.A
First posted on 02 November 2011.
Source: SecurityHomeAliases :
There are no other names known for Worm:Win32/Gamarue.A.
Explanation :
Worm:Win32/Gamarue.A is a bot-controlled worm that spreads via removable drives. It gathers information about the infected computer and sends it back to a predefined remote web server, where it may accept further instruction and may lead to the installation of other malware.
Top
Worm:Win32/Gamarue.A is a bot-controlled worm that spreads via removable drives. It gathers information about the infected computer and sends it back to a predefined remote web server, where it may accept further instruction and may lead to the installation of other malware.
Installation
When executed, Worm:Win32/Gamarue.A copies itself with a variable file name to the %Temp% directory. It creates the following registry entry to ensure that its installed copy executes each Windows start:
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "load"
With data: "<random file name>.com"
In the background, the worm injects itself into Windows trusted processes, such as 'svchost.exe', 'taskmgr.exe' and 'wuauclt.exe'.
The following mutex indicates the presence of the worm on the affected computer:
Spreads via...
- "Andromeda"
Removable drives
Worm:Win32/Gamarue.A copies itself to the following locations on removable drives:
<targeted drive>:\<malware file>.exe
<targeted drive>:\autorun.inf - detected as Worm:Win32/Gamarue.A
The autorun.inf files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
Social media
The worm may be distributed by a link via a known social network site, which redirects the user's browser to a malicious server to perform multiple browser-based exploit attacks. Worm:Win32/Gamarue.A was observed being installed as a payload after a successful exploitation.
Payload
Contacts remote hosts
On successful installation, the bot-controlled worm reports back to a remote web server using HTTP POST or GET request. It sends an information about the affected userwhich includes the Operating System version.
Worm:Win32/Gamarue.A may include list of predetermined remote hosts which serves as backup in case it fails to connect the first time. It may contact the following remote hosts using port 80:
- burumaga.net
- dl-byte.com
- haiducel.com
- labarel.com
- muieptbass.com
- multecifre.com
- randomcrappy.com
- ramaguva.com
Commonly, malware may contact a remote host for the following purposes:
- To update itself
- To confirm Internet connectivity
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
Analysis by Methusela Cebrian Ferrer
Last update 02 November 2011