
Win32/Gamarue


First posted on 07 April 2012.
Source: Microsoft

Aliases:

There are no other names known for Win32/Gamarue.

Explanation:

Win32/Gamarue is a family of malware that may be distributed by exploit kits, spammed emails or other malware, and has been observed stealing information from an affected user.





Installation

Win32/Gamarue has been observed to be distributed via exploit kits (for example, Blacole), spammed emails (for example, emails with the subject 'Your ex sent me this pciture [sic] of you.', and an attachment named 'Photo.zip'), and other malware (for example, Win32/Dofoil and Win32/Beebone).

When executed, Win32/Gamarue creates a new instance of one of the following files, and injects its payload into the new process:

  • %SystemRoot%\system32\svchost.exe
  • %SystemRoot%\system32\wuauclt.exe


If Win32/Gamarue runs with administrator privileges, it may copy itself to the following folders:

  • %USERPROFILE%\Local Settings\Temp
  • %ALLUSERSPROFILE%\Local Settings\Temp


The file it copies to these folders has a random file name, and uses one of the following file extensions:

  • .bat
  • .cmd
  • .com
  • .exe
  • .pif
  • .scr


Depending on whether the malware runs with administrator privileges, it may create the following registry entries to ensure its execution at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
Sets value: "load"
With data: "<malware file name>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
Sets value: "<random value>"
With data: "<malware file name>"



Payload

Steals sensitive information

Win32/Gamarue has been observed stealing the following information from an affected computer:

  • Operating system information
  • Local IP address
  • Root volume serial number
  • Level of privilege, for example, administrator privilege


Contacts remote hosts

Win32/Gamarue reports any stolen information back to a command and control (C&C) server, then waits for further commands.

In the wild, we have observed Gamarue contacting the following remote hosts:

  • zaletelly06.be
  • zaletelly07.be
  • napasaran.ru
  • loshatemikontara551.ru
  • serioslyf<removed>ked.ru


Depending on the commands received, an attacker can perform any number of different actions on an affected computer using Gamarue; this may include, but is not limited to, the following actions:

  • Download and execute additional files; downloaded files may be dropped to the %TEMP% folder
  • Download and execute additional components, which are executed each time the malware runs, and stored in:
    • HKLM\SOFTWARE\Microsoft\<random>
    • HKCU\SOFTWARE\Microsoft\<random>
  • Update itself
  • Uninstall itself
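As an added defender-side example, not part of this Microsoft entry, the following Python script checks exported artefacts against the indicators described above: the two autorun registry entries under Installation, the random-named copies with the listed extensions in a Local Settings\Temp folder, and the remote hosts under Contacts remote hosts. It works on exported data rather than a live system, so it runs offline on any platform. The tuple shape of the registry export, the format of the DNS log lines, and the heuristic for a "random" file stem are assumptions; all sample inputs are constructed.

```python
"""Indicator check for the Win32/Gamarue artefacts listed in the entry.

Added example (not Microsoft's code).  Inputs are exported data:
registry autorun entries as (subkey, value_name, data) tuples, a list of
file paths, and DNS resolver log lines.  All samples below are constructed.
"""
import re
from pathlib import PureWindowsPath

# Autorun locations named in the entry (compared case-insensitively).
LOAD_SUBKEY = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"
POLICIES_RUN_SUBKEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"

# Folder the malware copies itself into with admin rights, and the extensions it uses.
DROP_FOLDER_FRAGMENT = r"\local settings\temp"
DROP_EXTENSIONS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr"}

# Remote hosts from the entry.  The redacted one is kept as a prefix/suffix match.
C2_HOSTS = {"zaletelly06.be", "zaletelly07.be", "napasaran.ru", "loshatemikontara551.ru"}
C2_REDACTED_PREFIX, C2_REDACTED_SUFFIX = "serioslyf", "ked.ru"


def _norm_key(subkey):
    return subkey.strip().strip("\\").lower()


def check_autoruns(entries):
    """Flag the 'load' value and any Policies\\Explorer\\Run value that names a file."""
    findings = []
    for subkey, name, data in entries:
        key = _norm_key(subkey)
        if key == _norm_key(LOAD_SUBKEY) and name.lower() == "load" and data:
            findings.append(f"HKCU Windows\\load points at {data}")
        elif key == _norm_key(POLICIES_RUN_SUBKEY) and data:
            findings.append(f"Policies\\Explorer\\Run value '{name}' runs {data}")
    return findings


def check_dropped_files(paths):
    """Triage list only: files in Local Settings\\Temp with a listed extension and a
    short alphanumeric stem (assumed 'random-looking' heuristic; installers can match)."""
    findings = []
    for p in paths:
        wp = PureWindowsPath(p)
        in_temp = DROP_FOLDER_FRAGMENT in str(wp.parent).lower()
        if in_temp and wp.suffix.lower() in DROP_EXTENSIONS:
            if re.fullmatch(r"[a-z0-9]{4,}", wp.stem, re.IGNORECASE):
                findings.append(f"possible dropped copy: {p}")
    return findings


def check_dns(lines):
    """Match queried names against the listed hosts.  Line format assumed:
    '<date> <time> client <ip> query <type> <qname>'."""
    findings = []
    for line in lines:
        m = re.search(r"\bquery\s+\w+\s+(\S+)", line)
        if not m:
            continue
        qname = m.group(1).rstrip(".").lower()
        redacted = qname.startswith(C2_REDACTED_PREFIX) and qname.endswith(C2_REDACTED_SUFFIX)
        if qname in C2_HOSTS or redacted:
            findings.append(f"lookup of listed host {qname}: {line.strip()}")
    return findings


# Constructed sample inputs: two Gamarue-style autoruns plus a benign Run entry.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows", "load",
     r"C:\Documents and Settings\bob\Local Settings\Temp\kqzrtv.scr"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "pxhf",
     r"C:\Documents and Settings\All Users\Local Settings\Temp\pxhf.pif"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_FILES = [
    r"C:\Documents and Settings\bob\Local Settings\Temp\kqzrtv.scr",
    r"C:\Documents and Settings\bob\Local Settings\Temp\setup-log.txt",
    r"C:\WINDOWS\system32\svchost.exe",
]
SAMPLE_DNS = [
    "2012-04-07 10:01:02 client 10.0.0.5 query A zaletelly06.be.",
    "2012-04-07 10:01:03 client 10.0.0.5 query A update.microsoft.com.",
    "2012-04-07 10:01:04 client 10.0.0.7 query A napasaran.ru",
]


def scan(autoruns=SAMPLE_AUTORUNS, files=SAMPLE_FILES, dns=SAMPLE_DNS):
    """Run all three checks and return the combined findings."""
    return check_autoruns(autoruns) + check_dropped_files(files) + check_dns(dns)


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

The registry matches are the strongest signal here: the `load` value under `Windows NT\CurrentVersion\Windows` is normally empty on a healthy system, and `Policies\Explorer\Run` is rarely populated outside managed environments, so either being non-empty deserves a look. The Temp-folder check and the DNS match are triage aids and should be confirmed against the process and network context before acting.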




Analysis by Shawn Wang

Last update 07 April 2012
