Worm:Win32/Gamarue.I
First posted on 29 May 2012.
Source: Microsoft
Aliases:
Worm:Win32/Gamarue.I is also known as Worm.Win32.Gamarue (Ikarus).
Explanation:
Worm:Win32/Gamarue.I is malware that may spread to other computers via removable drives. It also communicates with a remote server to report infection of your computer and to download arbitrary files.
Installation
Worm:Win32/Gamarue.I may arrive on your computer as an attachment to a spammed email message. When run, it copies itself to your computer with the following naming format:
%TEMP%\ms<random string>.<extension>
where <extension> may be one of the following:
- bat
- cmd
- com
- exe
- pif
- scr
It also modifies the registry so that its copy automatically runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "59870"
With data: "%TEMP%\ms<random string>.<extension>"
Worm:Win32/Gamarue.I creates an instance of the system process "wuauclt.exe". It then injects its code into this process.
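The installation details above (a dropped file named %TEMP%\ms<random string>.<extension> and a Run value under the Policies\Explorer\Run subkey) are the host-based indicators a responder would check first. The script below is an added example written for this page, not Microsoft's analysis tooling: it parses a .reg-style export (a constructed sample is embedded) and reports Run values under that subkey whose data matches the dropped-file naming pattern. The parsing format, the sample paths and the value data are assumptions; only the subkey, the value name "59870" and the extension list come from the description.

```python
import re
from typing import Dict, List

# Persistence location and extension list taken from the Microsoft description.
RUN_SUBKEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
EXTENSIONS = ("bat", "cmd", "com", "exe", "pif", "scr")

# %TEMP%\ms<random string>.<extension>, allowing for the temp path being either
# left unexpanded (%TEMP%) or already expanded to a ...\Temp directory.
DROPPED_FILE_RE = re.compile(
    r"^(?:%TEMP%|.*\\Temp)\\ms[^\\]+\.(?:" + "|".join(EXTENSIONS) + r")$",
    re.IGNORECASE,
)


def matches_dropped_file(path: str) -> bool:
    """True if a path follows the worm's %TEMP%\\ms<random>.<ext> naming scheme."""
    return DROPPED_FILE_RE.match(path.strip().strip('"')) is not None


def _normalize_key(key: str) -> str:
    # .reg exports spell out HKEY_LOCAL_MACHINE; the description uses HKLM.
    return key.replace("HKEY_LOCAL_MACHINE", "HKLM", 1).lower()


def find_persistence(reg_export: str) -> List[Dict[str, str]]:
    """Return Run values under Policies\\Explorer\\Run whose data points at a
    file matching the dropped-file pattern. Input is .reg export text."""
    hits: List[Dict[str, str]] = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or _normalize_key(current_key) != RUN_SUBKEY.lower():
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m:
            continue
        # .reg files escape backslashes as "\\"; undo that before matching.
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if matches_dropped_file(data):
            hits.append({"key": current_key, "value": name, "data": data})
    return hits


# Constructed sample export (not a real capture): one matching value, one benign.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"59870"="C:\\Users\\lab\\AppData\\Local\\Temp\\msqzx1k.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
'''

if __name__ == "__main__":
    for hit in find_persistence(SAMPLE_EXPORT):
        print(f'{hit["key"]} -> "{hit["value"]}" = {hit["data"]}')
```

The filename check is a triage heuristic, not a signature: anything under a Temp directory that starts with "ms" and carries one of the six extensions will match, so a hit is a lead to examine, not a verdict. The registry check is narrower, because legitimate software rarely registers itself under the Policies\Explorer\Run subkey at all.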
Spreads via...
Removable drives
Depending on the malware configuration, Worm:Win32/Gamarue.I may copy itself to removable drives. It creates the file "autorun.inf", which points to its copy. This copy is automatically run if the removable or network drive is accessed from another computer in which the Autorun feature is enabled.
Payload
Communicates with a remote server
Worm:Win32/Gamarue.I tries to connect to the following servers via HTTP GET to report that it has infected your computer and to download additional arbitrary files:
- bdwea.ru
- cdwdg.ru
- dqwfe.ru
- dtwgo.ru
- dvwdq.ru
- fokuslol.com
- froukloro.com
- iloveblogging4ca.com
- kitdual.com
- leninjiv.ru
- lisijmujik.com
- qldir.ru
- rofiz.ru
- skdto.ru
- snfgb.ru
- suceh.ru
- tulee.ru
- tweck.ru
- txewp.ru
- uawineuro2012.com
- undwj.ru
- wdwfo.ru
- www.limoway.com.au
- www.westkc.org
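The server list above is a network indicator set: a host resolving or connecting to one of these names after the posting date is worth checking for the registry and %TEMP% artifacts described earlier. The following added example (written for this page, not Microsoft's tooling) matches the listed names, including their subdomains, against DNS query log lines and reports which clients looked them up. The log line format and the sample entries are constructed; the domain list itself is copied from the description.

```python
import re
from typing import List, Tuple

# Command-and-control hosts exactly as listed in the Microsoft description.
C2_DOMAINS = frozenset({
    "bdwea.ru", "cdwdg.ru", "dqwfe.ru", "dtwgo.ru", "dvwdq.ru",
    "fokuslol.com", "froukloro.com", "iloveblogging4ca.com", "kitdual.com",
    "leninjiv.ru", "lisijmujik.com", "qldir.ru", "rofiz.ru", "skdto.ru",
    "snfgb.ru", "suceh.ru", "tulee.ru", "tweck.ru", "txewp.ru",
    "uawineuro2012.com", "undwj.ru", "wdwfo.ru",
    "www.limoway.com.au", "www.westkc.org",
})

# Constructed log format (assumption): "<timestamp> client=<ip> query=<type> name=<fqdn>"
LOG_RE = re.compile(r"client=(?P<client>\S+)\s.*?\bname=(?P<name>\S+)")


def normalize_host(host: str) -> str:
    """Lower-case and drop the trailing dot some resolvers log on FQDNs."""
    return host.strip().rstrip(".").lower()


def host_matches(host: str, domains=C2_DOMAINS) -> bool:
    """True if host is one of the listed names or a subdomain of one."""
    h = normalize_host(host)
    return any(h == d or h.endswith("." + d) for d in domains)


def scan_dns_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, queried name) pairs for every query that hits the list."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and host_matches(m.group("name")):
            hits.append((m.group("client"), normalize_host(m.group("name"))))
    return hits


def clients_to_triage(log_text: str) -> List[str]:
    """Distinct clients that queried a listed name, for follow-up host checks."""
    return sorted({client for client, _ in scan_dns_log(log_text)})


# Constructed sample log (not a real capture); example.com names are benign.
SAMPLE_DNS_LOG = """\
2012-05-29T10:02:11Z client=10.0.0.14 query=A name=www.example.com
2012-05-29T10:02:15Z client=10.0.0.14 query=A name=dtwgo.ru
2012-05-29T10:02:16Z client=10.0.0.14 query=A name=cdn.dtwgo.ru.
2012-05-29T10:03:40Z client=10.0.0.22 query=A name=update.example.net
2012-05-29T10:04:02Z client=10.0.0.22 query=A name=www.westkc.org
2012-05-29T10:05:30Z client=10.0.0.31 query=AAAA name=mail.example.org
"""

if __name__ == "__main__":
    for client, name in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {name}")
    print("clients to triage:", clients_to_triage(SAMPLE_DNS_LOG))
```

Matching is deliberately exact-or-subdomain on the names as listed, so "limoway.com.au" without the www. label is not flagged; the two www. entries look like ordinary web hosts that were serving the payload in 2012, and widening the match to the registered domain is a policy decision the analyst should make knowingly rather than something the list itself supports.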
Analysis by Hyun Choi
Last update 29 May 2012