Follow:

 

Worm:Win32/Gamarue.O


Microsoft security software detects and removes this threat.

This threat is the spreading component of the Worm:Win32/Gamarue family of worms.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Additional remediation instructions for this threat

This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following links can help change these settings back to what you want:

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Gamarue.O contains code that is loaded and run by Gamarue.N. It might have the file name desktop.ini.

When run, it connects to a server at thesecond.in. From there, it downloads a file that it saves as thumbs.db. This file is then decrypted and saved as C:\Temp\TrustedInstaller.exe, then run.

Note that desktop.ini and thumbs.db are both file names commonly used by clean files, and most PCs have files with these names that aren't necessarily malware.

You can learn more about the Worm:Win32/Gamarue family in the family description.

Analysis by Ray Roberts


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
First detected by definition: 1.143.2119.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Feb 12, 2013
This entry was first published on: Feb 12, 2013
This entry was updated on: Nov 20, 2014

This threat is also detected as:
No known aliases