We have seen Win32/Gamarue distributed via exploit kits (such as Blacole), spam emails (for example, messages with the subject line "Your ex sent me this pciture [sic] of you." and an attachment named Photo.zip), and other malware (for example, Win32/Dofoil and Win32/Beebone).
When run, Win32/Gamarue starts a new instance of one of the following files and injects its payload into that process:
The malware's code then executes inside the injected process rather than from its own file, so it appears to run under the name of the host program.
If Win32/Gamarue runs with administrator privileges, it might copy itself to the following folders:
The file it copies to these folders has a random file name, and uses one of the following file extensions:
Depending on whether it runs with administrator privileges, the malware might create one of the following registry entries so that it runs each time you start your PC (the HKCU entry can be written by a standard user; the HKLM entry requires administrator rights):
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
Sets value: "load"
With data: "<malware file name>"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
Sets value: "<random value>"
With data: "<malware file name>"
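The following PowerShell script is an added example for checking the two autostart locations listed above; it is not part of the original MMPC analysis. It is read-only, lists whatever is set in the HKCU "load" value and under the HKLM policy Run key, resolves each entry to a file and flags entries whose file is missing or not validly signed. The suspicion rule (unsigned or absent file) is an assumption chosen for this example, so review hits by hand: legitimate software occasionally uses these keys too.

```powershell
# Added example, not from the original analysis: read-only check of the two
# Win32/Gamarue autostart locations. Run in PowerShell 3 or later.

function Resolve-AutostartTarget {
    param([string]$Data)
    # Registry data may look like '"C:\path with spaces\x.exe" /arg' or 'C:\x.exe /arg'.
    # Expand %VAR% references, then take the quoted path or the first token.
    $expanded = [Environment]::ExpandEnvironmentVariables($Data.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 0) { return $expanded.Substring(1, $end - 1) }
    }
    return ($expanded -split '\s+')[0]   # heuristic: an unquoted path containing spaces is cut short
}

function Get-GamarueAutostart {
    $locations = @(
        # Non-admin variant: the "load" value here is empty or absent on a clean PC,
        # so any program named in it deserves a look.
        @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Only = 'load' },
        # Admin variant: every value under the policy Run key starts at logon.
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Only = $null }
    )
    # Get-ItemProperty adds these provider properties; they are not registry values.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($loc in $locations) {
        if (-not (Test-Path -Path $loc.Path)) { continue }
        $item  = Get-ItemProperty -Path $loc.Path
        $names = $item.PSObject.Properties |
            Where-Object { $_.Name -notin $providerProps } |
            ForEach-Object Name
        if ($loc.Only) { $names = $names | Where-Object { $_ -eq $loc.Only } }

        foreach ($name in $names) {
            $data = [string]$item.$name
            if ([string]::IsNullOrWhiteSpace($data)) { continue }
            $target = Resolve-AutostartTarget $data
            $exists = Test-Path -LiteralPath $target -PathType Leaf
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $target).Status } else { 'NoFile' }
            [pscustomobject]@{
                Key        = $loc.Path
                Value      = $name
                Data       = $data
                Target     = $target
                Signature  = $sig
                # Assumed rule for this example: a random-named unsigned file, or a
                # file that has already been removed, in either location is worth triage.
                Suspicious = (-not $exists) -or ($sig -ne 'Valid')
            }
        }
    }
}

Get-GamarueAutostart | Format-Table -AutoSize
```

Run it elevated so the HKLM key and protected file paths are readable; the HKCU location is checked for the current user only, so repeat it for each profile on a shared PC.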
Worm variants of Win32/Gamarue might copy themselves to the root folder of removable drives (such as USB thumb drives). The copy uses a random file name, for example ccisecyal.com.
Some variants, like Worm:Win32/Gamarue.N, drop component files onto the removable drive and create a shortcut file that, when opened, runs those components. The shortcut name follows the format <drive label>(<number>.GB).lnk, for example removable_disk_(4GB).lnk, and might be detected as Worm:Win32/Gamarue.gen!lnk.
These components might either install a copy of Win32/Gamarue onto your PC, or might download a copy of the worm from a remote server. In the wild, we have observed the components trying to connect to the following servers:
Worm variants also create an autorun.inf file in the root folder of the removable drive. The file instructs Windows to launch the malware automatically when the drive is connected to a PC that has the Autorun feature turned on.
This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.
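The following PowerShell script is an added example for inspecting removable drives for the artefacts described above; it is not part of the original MMPC analysis. For each removable drive it reports the command an autorun.inf would launch (rather than treating the file itself as proof of infection, for the reason given above), resolves every shortcut in the root folder to its target and notes whether the name mimics the <label>(<number>GB).lnk pattern, and lists hidden items in the root. The hidden-item listing is a general check added for this example; the analysis above does not say how the component files are stored.

```powershell
# Added example, not from the original analysis: enumerates Win32/Gamarue worm
# artefacts on removable drives. Read-only. Needs PowerShell 3 or later.

function Get-RemovableDriveArtifacts {
    $shell = New-Object -ComObject WScript.Shell    # used to resolve .lnk targets
    # DriveType 2 = removable (USB thumb drives and similar).
    foreach ($disk in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2') {
        $root = $disk.DeviceID + '\'

        # 1. autorun.inf: show what Autorun would execute (open=, shellexecute=, shell\...\command=).
        $inf = Join-Path -Path $root -ChildPath 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $launch = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' }
            [pscustomobject]@{ Drive = $disk.DeviceID; Kind = 'autorun.inf'; Name = 'autorun.inf'; Detail = ($launch -join '; ') }
        }

        # 2. Shortcuts in the root. Gamarue.N names its lure after the drive label and
        #    size; the target is resolved so the component it runs can be identified.
        foreach ($lnk in Get-ChildItem -LiteralPath $root -Filter '*.lnk' -File -Force -ErrorAction SilentlyContinue) {
            $sc = $shell.CreateShortcut($lnk.FullName)
            $mimicsLabel = $lnk.BaseName -match '\(\s*\d+\s*\.?\s*GB\s*\)\s*$'   # e.g. removable_disk_(4GB)
            [pscustomobject]@{
                Drive  = $disk.DeviceID
                Kind   = if ($mimicsLabel) { 'lnk (label-style name)' } else { 'lnk' }
                Name   = $lnk.Name
                Detail = ('{0} {1}' -f $sc.TargetPath, $sc.Arguments).Trim()
            }
        }

        # 3. Hidden items in the root (general check, not something the analysis states):
        #    lets a shortcut target be matched to a file that Explorer does not show.
        $hiddenItems = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and ($_.Name -ne 'autorun.inf') }
        foreach ($h in $hiddenItems) {
            [pscustomobject]@{ Drive = $disk.DeviceID; Kind = 'hidden'; Name = $h.Name; Detail = $h.Attributes }
        }
    }
}

Get-RemovableDriveArtifacts | Format-Table -AutoSize
```

Resolving the shortcut through WScript.Shell only reads the .lnk file; it does not launch the target. Keep Autorun disabled on the examining PC before plugging in a suspect drive.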
Steals sensitive information
Win32/Gamarue has been observed stealing the following information about your PC:
- Operating system information
- Local IP address
- Root volume serial number
- Level of privilege, for example, administrator privilege
Contacts remote hosts/lets backdoor access and control
Win32/Gamarue sends the stolen information to a command and control (C&C) server and then waits for further commands.
The servers that it connects to vary depending on the variant.
In the wild, some of the servers Gamarue contacts are:
Depending on the commands received, an attacker can perform a range of actions on your PC, including:
- Download and run additional files; downloaded files might be dropped to the %TEMP% folder
- Download and run additional components, which are then run each time the malware runs, and stored in:
- Update itself
- Uninstall itself
Some variants can listen on port 8000 for incoming connections. When the attacker connects, they are given a command shell, from which they can run arbitrary commands on your PC.
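The following PowerShell script is an added example for checking whether anything on the PC is listening on port 8000, as described above, and who owns it; it is not part of the original MMPC analysis. It assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection is available. Port 8000 is also widely used by legitimate software such as development web servers, so a hit is a lead to investigate, not a verdict.

```powershell
# Added example, not from the original analysis: finds TCP listeners on port 8000,
# shows the owning process and its signature, and lists who is connected.
# Read-only. Requires Get-NetTCPConnection (Windows 8 / Server 2012 or later).

function Get-Port8000Listener {
    param([int]$Port = 8000)
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $path = $proc.Path    # null for protected or system processes unless running elevated
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
        # Remote addresses with an established session to this port: in the scenario
        # above that would be the attacker's shell session.
        $peers = Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue |
            ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort }
        [pscustomobject]@{
            LocalAddress = $l.LocalAddress
            Port         = $l.LocalPort
            PID          = $l.OwningProcess
            Process      = $proc.ProcessName
            Path         = $path
            Signature    = $sig
            # Because Gamarue injects its payload into another process (see above), the
            # owner can be a validly signed program that has no reason to listen here.
            ConnectedFrom = ($peers -join ', ')
        }
    }
}

$result = Get-Port8000Listener
if ($result) { $result | Format-List } else { 'No TCP listener on port 8000' }
```

If the owning process is a signed Windows binary, check it for injected code rather than dismissing the hit on the strength of the signature.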
Analysis by Shawn Wang and Raymond Roberts