TrojanDropper:Win32/Gamarue.A
First posted on 14 January 2020.
Source: Microsoft
Aliases:
TrojanDropper:Win32/Gamarue.A is also known as Trojan/Win32.PornoAsset, Trojan-Ransom.Win32.PornoAsset.bucu, BackDoor.Andromeda.22, Worm.Win32.Gamarue, PWS-Zbot.gen.ary, Mal/ZboCheMan-D.
Explanation:
Installation
TrojanDropper:Win32/Gamarue.A copies itself onto your computer as "%TEMP%\7.tmp".
It creates the following registry entries as part of its installation process:
In subkey: HKLM\SOFTWARE\Microsoft
Sets value: ""
With data: "p...."
In subkey: HKCU\SOFTWARE
Sets value: "e_magic"
With data: ""
Payload
Drops and runs files
TrojanDropper:Win32/Gamarue.A drops and runs files, which might be detected as other malware. The dropped file might belong to the Win32/Gamarue family of malware.
The dropped file is saved in the %TEMP% folder, usually with a random file name.
Additional information
This trojan checks whether the Kaspersky program "avp.exe" is running on your computer. If it is, the trojan drops the file using the file name "$MSI~msiexec.exe" (where $ denotes a hidden folder). It might do this to try to pass itself off as a Microsoft file.
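The installation artifacts above (the "%TEMP%\7.tmp" drop, the "e_magic" value under HKCU\SOFTWARE, and the msiexec.exe look-alike) can be turned into detection rules. The following is an added example, not part of the Microsoft write-up: it runs three such rules over constructed Sysmon-style events (EventID 11 FileCreate, EventID 13 registry value set; Sysmon records HKCU as HKU\<SID>). The hidden-folder path used for the fake msiexec.exe is an assumption; the rule generalises it to "msiexec.exe written anywhere outside System32/SysWOW64".

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (not real telemetry). EventID 11 = FileCreate,
# EventID 13 = RegistryEvent (value set). Sysmon writes HKCU as HKU\<SID>.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "11", "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\7.tmp"},
    {"EventID": "13", "Image": r"C:\Users\alice\AppData\Local\Temp\7.tmp",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\e_magic"},
    {"EventID": "11", "Image": r"C:\Users\alice\AppData\Local\Temp\7.tmp",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\MSI\msiexec.exe"},  # assumed hidden-folder drop
    {"EventID": "11", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\Installer\MSI1234.tmp"},  # benign installer activity
    {"EventID": "13", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\Shell"},  # benign
]

# Rule 1: the dropper copy named 7.tmp written into a user's Temp folder.
TEMP_DROP = re.compile(r"\\temp\\7\.tmp$", re.IGNORECASE)
# Rule 2: "e_magic" set directly under the user's SOFTWARE key (HKCU\SOFTWARE = HKU\<SID>\SOFTWARE).
E_MAGIC = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\SOFTWARE\\e_magic$", re.IGNORECASE)
# Rule 3: the genuine Windows Installer binary lives only in System32/SysWOW64;
# an msiexec.exe created anywhere else is the impersonation described above.
LEGIT_MSIEXEC = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\msiexec\.exe$", re.IGNORECASE)


def classify(ev: Dict[str, str]) -> str:
    """Return the name of the Gamarue.A rule an event matches, or '' if none."""
    if ev["EventID"] == "11":
        path = ev["TargetFilename"]
        if TEMP_DROP.search(path):
            return "gamarue_temp_dropper"
        if path.lower().endswith("\\msiexec.exe") and not LEGIT_MSIEXEC.match(path):
            return "gamarue_fake_msiexec"
    elif ev["EventID"] == "13" and E_MAGIC.match(ev["TargetObject"]):
        return "gamarue_e_magic_registry"
    return ""


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Scan events in order; return (rule, offending path or key) for each hit."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((rule, ev.get("TargetFilename") or ev.get("TargetObject", "")))
    return hits


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```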
Analysis by Chris Stubbs
Last update 14 January 2020