Follow:

 

Win32/Gamarue


Microsoft security software detects and removes this threat.

This malware family can give a malicious hacker control of your PC. The malware can also steal your sensitive information and change your PC security settings.

We've seen them installed by exploit kits and other malware. They can also be attached to spam emails.

Some variants of this family are worms and can spread by infecting removable drives (such as USB flash drives or portable hard disks). If you plug those drives into another PC, the worm will infect that PC as well. See Worm:Win32/Gamarue for more information.

Find out ways that malware can get on your PC.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Additional remediation instructions for this threat

This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following links can help change these settings back to what you want:

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

We have seen Win32/Gamarue distributed via exploit kits (such as Blacole), spammed emails (such as emails with the subject Your ex sent me this pciture [sic] of you, and an attachment named Photo.zip), and other malware (for example, Win32/Dofoil and Win32/Beebone).

When run, Win32/Gamarue creates a new instance of one of the following files, and injects its payload into the new process:

When these processes are run, the malware will also run.

If Win32/Gamarue runs with administrator privileges, it might copy itself to the following folders:

The file it copies to these folders has a random file name, and uses one of the following file extensions:

  • .bat
  • .cmd
  • .com
  • .exe
  • .pif
  • .scr

Depending on whether the malware runs with administrator privileges, it might create the following registry entries to ensure it runs when you start your PC:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
Sets value: "load"
With data: "<malware file name>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
Sets value: "<random value>"
With data: "<malware file name>"

Spreads via...

Removable drives

Worm variants of Win32/Gamarue might create copies of themselves to the root folder of removable drives (like USB thumb drives). The copy uses a random file name, for example ccisecyal.com.

Some variants, like Worm:Win32/Gamarue.N, will drop component files into the removable drive and create a shortcut file that, when opened, will run those components. The name of the shortcut will be in the format <drive label>(<number>.GB).lnk, for example removable_disk_(4GB).lnk, and might be detected as Worm:Win32/Gamarue.gen!lnk.

These components might either install a copy of Win32/Gamarue onto your PC, or download a copy of the worm from a remote server. In the wild, we have observed the components trying to connect to the following servers:

  • conpastcon.com
  • iurhjfnmflsdf.com
  • lanamakotrue.com
  • mgrsdfkprogerg.com
  • pastinwest.com

Worm variants also create an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.

This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.

Payload

Changes Windows security settings

Win32/Gamarue disables some Windows security settings by changing the value of the following registry entries:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "TaskbarNoNotification"
With data: "1"
Sets value: "HideSCAHealth"
With data: "1"

Steals sensitive information

Win32/Gamarue has been observed stealing the following information about your PC:

  • Operating system information
  • Local IP address
  • Root volume serial number
  • Level of privilege, for example, administrator privilege

Contacts remote hosts/lets a malicious hacker access and control your PC

Win32/Gamarue reports back to a command and control (C&C) server to report any stolen information; it then waits for further commands.

The servers that it connects to vary.

In the wild, some of the servers Gamarue contacts are:

  • cityhotlove.com
  • clothesshopuppy.com
  • conpastcon.com
  • freefinder.me
  • grrrff24213402.com
  • grrrff2452.com
  • iurhjfnmflsdf.com
  • lanamakotrue.com
  • mgrsdfkprogerg.com
  • pastinwest.com
  • puppyclothesshop1.net
  • puppyclothesshop2.net

Depending on the commands received, a malicious hacker can do different things to your PC; this includes:

  • Download and run additional files; downloaded files might be dropped to the %TEMP% folder
  • Download and run additional components which are then run each time the malware runs and stored in:
    • HKLM\SOFTWARE\Microsoft\ <random>
    • HKCU\SOFTWARE\Microsoft\ <random>
  • Update itself
  • Uninstall itself

Some variants can listen on port 8000 for incoming connections. When a connection is made by the hacker, they are given access to a command shell. From this command shell they can do a number of actions on your PC.

Analysis by Shawn Wang,Raymond Roberts, and Vincent Tiu


Symptoms

The following could indicate that you have this threat on your PC:

  • You see this entry in your registry:
     
    In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
    Value: "load"
    Data: "<malware file name>"
     
  • You might receive an email with the subject Your ex sent me this pciture [sic] of you., and an attachment named Photo.zip

Prevention


Alert level: Severe
This entry was first published on: Apr 03, 2012
This entry was updated on: Nov 20, 2014

This threat is also detected as:
No known aliases