Worm:Win32/Gamarue.F
First posted on 26 March 2012.
Source: Microsoft
Aliases: There are no other names known for Worm:Win32/Gamarue.F.
Explanation:
Worm:Win32/Gamarue.F is malware that may spread to other computers via removable drives. It also communicates with a remote server to report its infection and download arbitrary files.
Installation
Worm:Win32/Gamarue.F may be encountered as an attachment to a spam email message. When run, the malware copies itself with the following naming format:
%TEMP%\ms<random string>.<extension>
Where <extension> may be one of the following:
- bat
- cmd
- com
- exe
- pif
- scr
For example, "msdubmna.exe".
It also modifies the registry so that it automatically runs its copy every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "59870"
With data: "%TEMP%\ms<random string>.<extension>"
Worm:Win32/Gamarue.F also injects code into a newly created process "wuauclt.exe".
Spreads via...
Removable drives
Depending on the malware configuration, Worm:Win32/Gamarue.F may copy itself to removable drives. The malware creates the file 'autorun.inf' pointing to its copy. When the removable or network drive is accessed from another computer with the Autorun feature enabled, its copy is launched.
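The two host-based artifacts described above (the Policies\Explorer\Run value pointing at a %TEMP%\ms<random string>.<extension> copy, and an autorun.inf that launches that copy) can be checked offline against a registry export and a drive's autorun.inf. The following is an added example written for this page, not code from Microsoft or from the analysis; it assumes the random string is made of letters and digits (the description only says "random string"), that the registry data is either the unexpanded %TEMP% form or an already-expanded ...\Temp path, and that the .reg export uses the standard "name"="data" syntax with doubled backslashes. The sample registry export and autorun.inf are constructed for the demonstration.

```python
import re

# Indicators taken from the Worm:Win32/Gamarue.F description.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
RUN_VALUE_NAME = "59870"
EXTENSIONS = ("bat", "cmd", "com", "exe", "pif", "scr")

# %TEMP%\ms<random string>.<extension>, accepting either the unexpanded
# %TEMP% variable or an already-expanded ...\Temp directory.
# Assumption: the random string consists of letters and digits.
COPY_PATH_RE = re.compile(
    r"^(?:%TEMP%|.*\\Temp)\\ms[a-z0-9]+\.(?:" + "|".join(EXTENSIONS) + r")$",
    re.IGNORECASE,
)

# autorun.inf directives that launch a file: open=, shellexecute=, shell\...\command=
AUTORUN_LAUNCH_RE = re.compile(
    r"^\s*(?:open|shellexecute|shell\\[^=]*command)\s*=\s*(.+?)\s*$",
    re.IGNORECASE,
)
COPY_NAME_RE = re.compile(
    r"(?:^|\\)ms[a-z0-9]+\.(?:" + "|".join(EXTENSIONS) + r")$", re.IGNORECASE
)


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers and
    "name"="data" string values. Backslashes in .reg data are doubled."""
    values = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]*)"="(.*)"$', line)
        if m and key is not None:
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            values[(key, name)] = data
    return values


def find_gamarue_run_entries(reg_text):
    """Return (value_name, data, reason) tuples for entries under the
    Policies\\Explorer\\Run key that match the described persistence."""
    # .reg exports spell the hive out in full; normalise to the HKLM short form.
    target = RUN_KEY.lower().replace("hklm\\", "hkey_local_machine\\")
    hits = []
    for (key, name), data in parse_reg_export(reg_text).items():
        if key.lower() != target:
            continue
        if name == RUN_VALUE_NAME:
            hits.append((name, data, "value name 59870"))
        elif COPY_PATH_RE.match(data):
            hits.append((name, data, "data matches %TEMP%\\ms<random>.<ext>"))
    return hits


def autorun_points_to_gamarue_copy(autorun_inf_text):
    """True if an autorun.inf launches a file named like the worm's copy."""
    for line in autorun_inf_text.splitlines():
        m = AUTORUN_LAUNCH_RE.match(line)
        if m and COPY_NAME_RE.search(m.group(1).strip('"')):
            return True
    return False


# Constructed sample data (not real registry or drive contents).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"59870"="%TEMP%\\msdubmna.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
'''

SAMPLE_AUTORUN = "[autorun]\r\nopen=msdubmna.exe\r\nicon=msdubmna.exe\r\n"

if __name__ == "__main__":
    for hit in find_gamarue_run_entries(SAMPLE_REG):
        print("suspicious Run entry:", hit)
    print("autorun.inf launches worm copy:",
          autorun_points_to_gamarue_copy(SAMPLE_AUTORUN))
```

The value name "59870" is checked separately from the path pattern because either alone is worth a look: the name is the fixed part of this variant's persistence, while a %TEMP%-resident ms<random>.<ext> path under a Policies Run key is suspicious regardless of the name the malware chooses.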
Payload
Communicates with a remote server
Worm:Win32/Gamarue.F tries to connect to the following servers via HTTP GET to report its infection and to download additional arbitrary files:
- atserver<random string>.info
- dangerantiddosload.ru
- g00gl3.ru
- mikkimouse.ru
- napasaran.ru
- retseptik.in
- secureguard.ru
- stroll-in.biz
- zaletelly<random string>.be
- zvezdavsem.ru
At the time of this writing, the servers and requested files were unavailable for further analysis.
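Because the worm reports in over HTTP GET, the server names listed above are usable as network indicators in proxy or DNS logs. The following is an added example for this page, not code from Microsoft or from the analysis: it turns the list (with <random string> treated as a wildcard) into host patterns and runs them over constructed proxy log lines. It assumes the random part is a single DNS label of letters, digits and hyphens, that subdomains of a listed name should also match, and that the log format is "timestamp client method url status"; the log lines are constructed and the hosts in them are not live.

```python
import re
from urllib.parse import urlsplit

# Server names from the description; <random string> becomes a wildcard.
C2_INDICATORS = [
    "atserver<random string>.info",
    "dangerantiddosload.ru",
    "g00gl3.ru",
    "mikkimouse.ru",
    "napasaran.ru",
    "retseptik.in",
    "secureguard.ru",
    "stroll-in.biz",
    "zaletelly<random string>.be",
    "zvezdavsem.ru",
]


def indicator_to_regex(indicator):
    """Turn 'atserver<random string>.info' into a pattern matching that host
    or any subdomain of it. Assumption: the random part is one DNS label
    (letters, digits, hyphens); the description does not say more."""
    parts = [re.escape(p) for p in indicator.split("<random string>")]
    body = r"[a-z0-9-]*".join(parts)
    return re.compile(r"^(?:[a-z0-9-]+\.)*" + body + r"$", re.IGNORECASE)


C2_PATTERNS = [(ind, indicator_to_regex(ind)) for ind in C2_INDICATORS]


def match_c2_host(host):
    """Return the indicator a hostname matches, or None."""
    host = host.rstrip(".").lower()
    for indicator, pattern in C2_PATTERNS:
        if pattern.match(host):
            return indicator
    return None


def scan_proxy_log(lines):
    """lines: 'timestamp client method url status' records (assumed format).
    Returns (timestamp, client, host, indicator) for each hit."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        host = urlsplit(url).hostname
        if host is None:
            continue
        indicator = match_c2_host(host)
        if indicator:
            hits.append((ts, client, host, indicator))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2012-03-26T10:00:01Z 10.0.0.5 GET http://mikkimouse.ru/ 404",
    "2012-03-26T10:00:03Z 10.0.0.5 GET http://www.microsoft.com/ 200",
    "2012-03-26T10:00:07Z 10.0.0.9 GET http://atserver3fa9.info/check?id=1 503",
    "2012-03-26T10:00:09Z 10.0.0.9 GET http://zaletelly8x.be/dl 503",
]

if __name__ == "__main__":
    for ts, client, host, indicator in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {host} (matches {indicator})")
```

Matching is anchored at the end of the hostname, so "secureguard.ru.example.com" is not a hit while "www.mikkimouse.ru" is; the wildcard is limited to one label so that the two random-name patterns do not turn into catch-alls for whole TLDs.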
Analysis by Marianne Mallen
Last update 26 March 2012