Win32/Gamarue
First posted on 07 April 2012.
Source: Microsoft
Aliases:
There are no other names known for Win32/Gamarue.
Explanation:
Win32/Gamarue is a family of malware that may be distributed by exploit kits, spammed emails or other malware, and has been observed stealing information from an affected user.
Installation
Win32/Gamarue has been observed to be distributed via exploit kits (for example, Blacole), spammed emails (for example, emails with the subject 'Your ex sent me this pciture [sic] of you.', and an attachment named 'Photo.zip'), and other malware (for example, Win32/Dofoil and Win32/Beebone).
When executed, Win32/Gamarue creates a new instance of one of the following files, and injects its payload into the new process:
- %SystemRoot%\system32\svchost.exe
- %SystemRoot%\system32\wuauclt.exe
If Win32/Gamarue runs with administrator privileges, it may copy itself to the following folders:
- %USERPROFILE%\Local Settings\Temp
- %ALLUSERSPROFILE%\Local Settings\Temp
The file it copies to these folders has a random file name, and uses one of the following file extensions:
- .bat
- .cmd
- .com
- .exe
- .pif
- .scr
Depending on whether the malware runs with administrator privileges, it may create the following registry entries to ensure its execution at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
Sets value: "load"
With data: "<malware file name>"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
Sets value: "<random value>"
With data: "<malware file name>"
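The injection and autostart behaviour described above lends itself to a simple host triage check. The following script is an added example, not Microsoft's analysis code: it parses a registry export in .reg syntax for the two autostart locations named above, flags any referenced file that sits in a Temp folder with one of the listed extensions, and flags svchost.exe or wuauclt.exe instances whose parent process is not the one a standard Windows process tree would give them. The .reg text, the process snapshot, the file names (Photo.exe, k3j9x.scr, b8n1.pif) and the expected-parent mapping are all constructed assumptions for the example.

```python
"""Host triage for the Win32/Gamarue persistence and injection behaviour.
Added example; every input below is constructed and the registry/process
snapshots are assumed to come from an export rather than read live."""
import re
from typing import Dict, List, Tuple

# Autostart locations the advisory names.
LOAD_KEY = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"
POLICY_RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
# Extensions the advisory lists for the dropped copy.
DROP_EXTENSIONS = (".bat", ".cmd", ".com", ".exe", ".pif", ".scr")
# Injection hosts named by the advisory and the parent each normally has
# (assumption: a standard Windows process tree).
EXPECTED_PARENT = {"svchost.exe": "services.exe", "wuauclt.exe": "svchost.exe"}

HIVE_ABBREV = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
VALUE_RE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the .reg subset used here: [key] headers and "name"="string"
    lines.  Returns {abbreviated key path: {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = HIVE_ABBREV.get(hive, hive) + "\\" + rest
            keys.setdefault(current, {})
        elif current and (m := VALUE_RE.match(line)):
            # .reg strings double their backslashes and escape quotes
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group(1)] = data
    return keys


def registry_findings(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Report a populated 'load' value and anything under Policies\\Explorer\\Run."""
    norm = {k.rstrip("\\").lower(): v for k, v in keys.items()}
    out = []
    for name, data in norm.get(LOAD_KEY.lower(), {}).items():
        if name.lower() == "load" and data.strip():
            out.append(f"{LOAD_KEY}\\{name} -> {data}")
    for name, data in norm.get(POLICY_RUN_KEY.lower(), {}).items():
        out.append(f"{POLICY_RUN_KEY}\\{name} -> {data}")
    return out


def looks_like_dropped_copy(path: str) -> bool:
    """True when the path is inside a Temp folder and carries a listed extension."""
    p = path.strip('"').lower()
    return "\\temp\\" in p and p.endswith(DROP_EXTENSIONS)


def injection_host_findings(processes: List[Tuple[int, int, str]]) -> List[str]:
    """processes: (pid, ppid, image).  Flags injection hosts with an unexpected parent."""
    by_pid = {pid: name for pid, _, name in processes}
    out = []
    for pid, ppid, name in processes:
        expected = EXPECTED_PARENT.get(name.lower())
        parent = by_pid.get(ppid, "?")
        if expected and parent.lower() != expected:
            out.append(f"{name} pid {pid} parent {parent} (expected {expected})")
    return out


def triage(reg_text: str, processes: List[Tuple[int, int, str]]) -> Dict[str, List[str]]:
    reg = registry_findings(parse_reg_export(reg_text))
    dropped = [f for f in reg if looks_like_dropped_copy(f.split(" -> ", 1)[1])]
    return {"registry": reg, "dropped_copy": dropped,
            "injection": injection_host_findings(processes)}


# Constructed registry export: two Gamarue-style entries plus a benign Run value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\Users\\alice\\Local Settings\\Temp\\k3j9x.scr"
"run"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"q7w2e"="C:\\Documents and Settings\\All Users\\Local Settings\\Temp\\b8n1.pif"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
'''

# Constructed process snapshot (pid, ppid, image); Photo.exe stands in for a dropper.
SAMPLE_PROCS = [
    (4, 0, "System"),
    (600, 4, "wininit.exe"),
    (700, 600, "services.exe"),
    (900, 700, "svchost.exe"),     # normal: parent is services.exe
    (2300, 2100, "explorer.exe"),
    (2480, 2300, "Photo.exe"),
    (2512, 2480, "svchost.exe"),   # spawned by the dropper: flagged
]

if __name__ == "__main__":
    for section, items in triage(SAMPLE_REG, SAMPLE_PROCS).items():
        print(section, items)
```

The parent check is deliberately narrow: it models only the one "normal" parent per image and will need tuning on hosts where other legitimate launchers of svchost.exe exist. The registry check does not try to judge whether a file name is random; it reports the entry and separately marks it if it matches the drop-folder and extension pattern, leaving the final call to the analyst.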
Payload
Steals sensitive information
Win32/Gamarue has been observed stealing the following information from an affected computer:
- Operating system information
- Local IP address
- Root volume serial number
- Level of privilege, for example, administrator privilege
Contacts remote hosts
Win32/Gamarue reports any stolen information back to a command and control (C&C) server; it then waits for further commands.
In the wild, we have observed Gamarue contacting the following remote hosts:
- zaletelly06.be
- zaletelly07.be
- napasaran.ru
- loshatemikontara551.ru
- serioslyf<removed>ked.ru
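The hosts above can be used as indicators against DNS query logs. The script below is an added example, not part of Microsoft's write-up: it parses constructed query-log lines (the format, a "timestamp host pid image query" layout, is an assumption) and matches the queried name exactly or as a subdomain, so that a look-alike such as notzaletelly06.be does not match. The fifth host is published redacted and cannot be matched literally, so it is left out of the indicator set rather than guessed at.

```python
"""Match DNS query logs against the Gamarue C&C hostnames named on the page.
Added example; the log lines and their layout are constructed."""
import re
from typing import List, Tuple

# Hosts named on the page.  "serioslyf<removed>ked.ru" is redacted in the
# source and is deliberately not included.
C2_HOSTS = {"zaletelly06.be", "zaletelly07.be", "napasaran.ru",
            "loshatemikontara551.ru"}

# Constructed lines: "<timestamp> <host> <pid> <image path> <queried name>".
SAMPLE_LOG = """\
2012-04-07T10:01:03Z WS01 2512 C:\\Windows\\system32\\svchost.exe www.zaletelly06.be
2012-04-07T10:01:05Z WS01 1840 C:\\Program Files\\Internet Explorer\\iexplore.exe update.microsoft.com
2012-04-07T10:02:11Z WS01 2512 C:\\Windows\\system32\\svchost.exe NAPASARAN.RU
2012-04-07T10:02:40Z WS02 3104 C:\\Windows\\system32\\wuauclt.exe notzaletelly06.be
"""

# The image path may contain spaces, so the query is taken as the final token.
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.+) (\S+)$")


def matches_indicator(query: str) -> bool:
    """Exact or subdomain match, case-insensitive; a trailing dot is tolerated."""
    q = query.lower().rstrip(".")
    return any(q == h or q.endswith("." + h) for h in C2_HOSTS)


def scan_dns_log(text: str) -> List[Tuple[str, str, int, str, str]]:
    """Return (timestamp, host, pid, image, query) for each matching line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, host, pid, image, query = m.groups()
        if matches_indicator(query):
            hits.append((ts, host, int(pid), image, query.lower()))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
```

Matching on the process that issued the query (the pid and image columns) is what makes a hit actionable: a resolution from an injected svchost.exe instance ties the network indicator back to the injection behaviour described under Installation.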
Depending on the commands received, an attacker can perform any number of different actions on an affected computer using Gamarue; this may include, but is not limited to, the following actions:
- Download and execute additional files; downloaded files may be dropped to the %TEMP% folder
- Download and execute additional components, which are executed each time the malware runs, and stored in:
  - HKLM\SOFTWARE\Microsoft\<random>
  - HKCU\SOFTWARE\Microsoft\<random>
- Update itself
- Uninstall itself
Analysis by Shawn Wang
Last update 07 April 2012