Worm:Win32/Gamarue.F


Microsoft security software detects and removes this threat.

This worm is a member of the Win32/Gamarue family. It can steal your personal information and send it to a malicious hacker.

It arrives on your PC in a spam email and can spread to other PCs. It does this by infecting removable drives that you have plugged into your PC, such as USB drives or portable hard disks. If you then plug those drives into another PC, the worm will infect that PC as well.

See our infographic to the right which shows how these worms can spread.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other hidden malware.

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, such as USB flash drives. You can disable Autorun to prevent worms from spreading:

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Gamarue.F may be encountered as an attachment to a spam email message. When run, the malware copies itself into your PC using the following naming format:

%TEMP%\ms<random string>.<extension>

Where <extension> might be one of the following:

  • bat
  • cmd
  • com
  • exe
  • pif
  • scr

For example, msdubmna.exe.

It sets the following registry entry so that it runs each time you start your PC. Note that this is the policy Run key processed by Explorer at logon, not the more familiar HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key, so it is easy to overlook when checking autostart locations:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "59870"
With data: "%TEMP%\ms<random string>.<extension>"

Gamarue.F also injects code into a newly created process named wuauclt.exe. This is the same file name as the legitimate Windows Update client, so the injected process blends in with a casual look at the process list; the parent process and the path the image was loaded from are what distinguish it.
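The persistence entry above and the Autorun setting recommended under "Disable Autorun" can both be checked from a registry export. The following is an added example (not Microsoft's code and not part of this write-up) that parses the text produced by `reg export` and reports Policies\Explorer\Run values matching the %TEMP%\ms<random string>.<extension> pattern, and reads NoDriveTypeAutoRun, the value Microsoft documents for disabling AutoRun (0xFF disables it for every drive type; bit 0x04 covers removable drives). The registry export is constructed for the example; the 0x91 mask in it is a typical default, not a value taken from an infected machine.

```python
import re

# Data pattern of the Gamarue.F persistence value described in the write-up:
# %TEMP%\ms<random string>.<extension> with one of the six listed extensions.
GAMARUE_DATA_RE = re.compile(
    r'^%TEMP%\\ms[^\\\s]+\.(?:bat|cmd|com|exe|pif|scr)$', re.IGNORECASE)

RUN_KEY = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
           r'\Policies\Explorer\Run')
EXPLORER_POLICY_KEY = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows'
                       r'\CurrentVersion\Policies\Explorer')

# NoDriveTypeAutoRun bit mask: 0xFF disables AutoRun for all drive types,
# bit 0x04 is the removable-drive bit.
ALL_DRIVE_TYPES = 0xFF
REMOVABLE_DRIVES = 0x04


def parse_reg_export(text):
    """Parse the subset of .reg syntax that `reg export` writes:
    [key] headers followed by "name"="string" or "name"=dword:hex lines.
    Returns {key: {value name: data}}; string backslashes are unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue
        name, _, value = line.partition('=')
        name = '(Default)' if name == '@' else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif value.lower().startswith('dword:'):
            value = int(value[6:], 16)
        keys[current][name] = value
    return keys


def find_gamarue_persistence(reg_export):
    """Return [(value name, data)] for Policies\\Explorer\\Run entries whose
    data matches the %TEMP%\\ms<random>.<ext> naming format."""
    run_values = parse_reg_export(reg_export).get(RUN_KEY, {})
    return [(name, data) for name, data in run_values.items()
            if isinstance(data, str) and GAMARUE_DATA_RE.match(data)]


def autorun_status(reg_export):
    """Return (removable drives disabled, all drive types disabled) from
    NoDriveTypeAutoRun.  A missing value means the policy is not set."""
    policy = parse_reg_export(reg_export).get(EXPLORER_POLICY_KEY, {})
    mask = policy.get('NoDriveTypeAutoRun', 0)
    if not isinstance(mask, int):
        mask = 0
    return bool(mask & REMOVABLE_DRIVES), (mask & ALL_DRIVE_TYPES) == ALL_DRIVE_TYPES


# Constructed registry export for the example; not taken from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"59870"="%TEMP%\\msdubmna.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"
'''

if __name__ == '__main__':
    print('suspicious Run values:', find_gamarue_persistence(SAMPLE_EXPORT))
    print('AutoRun disabled (removable, all):', autorun_status(SAMPLE_EXPORT))
```

On a live machine, feed the script the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" out.reg /y` (the export is UTF-16, so open it with that encoding). The %TEMP% prefix is matched literally because that is how the value is stored; expand it yourself if you want to confirm the file is still on disk.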

Spreads via...

Removable drives

Depending on the malware configuration, Gamarue.F may copy itself to removable drives, like USB flash drives.

It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.

This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.
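Because an autorun.inf is not proof of infection by itself, the useful triage question is what it launches and whether that target is something the drive's owner would see. The following added example (not part of the write-up, and not Microsoft's code) parses an autorun.inf, extracts every key that causes execution (open, shellexecute and shell\<verb>\command), and compares the launch targets against a listing of the drive's files. Both autorun.inf texts and both drive listings are constructed for the example; the worm-style one is modelled on the naming format described above, not copied from a sample.

```python
import re

# [autorun] keys that run something when the drive is connected or opened.
LAUNCH_KEYS = ('open', 'shellexecute')
LAUNCH_KEY_RE = re.compile(r'^shell\\[^\\]+\\command$', re.IGNORECASE)


def parse_autorun_inf(text):
    """Parse autorun.inf into {section: {key: value}} with lower-cased section
    and key names.  Hand-written instead of configparser so that duplicate
    keys, odd casing and junk lines outside a section do not abort the scan."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and '=' in line:
            key, _, value = line.partition('=')
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Return {inf key: command line} for every key that executes something."""
    autorun = parse_autorun_inf(text).get('autorun', {})
    return {k: v for k, v in autorun.items()
            if k in LAUNCH_KEYS or LAUNCH_KEY_RE.match(k)}


def command_file(command):
    """First token of a command line, with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ''


def triage_autorun_inf(text, drive_files):
    """drive_files maps lower-cased path relative to the drive root to
    {'hidden': bool, 'system': bool}.  Returns a list of findings; an empty
    list means every launch target is a visible file that exists."""
    findings = []
    for key, command in launch_targets(text).items():
        target = command_file(command).lstrip('.\\/').replace('/', '\\')
        info = drive_files.get(target.lower())
        if info is None:
            findings.append(f'{key}: launches {target!r}, which is not on the drive')
        elif info.get('hidden') or info.get('system'):
            findings.append(f'{key}: launches {target!r}, a hidden/system file')
    return findings


# Constructed examples: a worm-style inf pointing at a hidden executable
# named in the ms<random>.exe format, and a vendor installer's inf.
WORM_INF = """[autorun]
open=msdubmna.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\command=msdubmna.exe
"""
WORM_DRIVE = {
    'msdubmna.exe': {'hidden': True, 'system': True},
    'autorun.inf': {'hidden': True, 'system': True},
    'holiday photos': {'hidden': False, 'system': False},
}
LEGIT_INF = """[AutoRun]
OPEN=Setup.exe
ICON=Setup.exe,0
LABEL=Vendor Installer
"""
LEGIT_DRIVE = {'setup.exe': {'hidden': False, 'system': False},
               'autorun.inf': {'hidden': False, 'system': False}}

if __name__ == '__main__':
    for name, inf, files in (('worm', WORM_INF, WORM_DRIVE),
                             ('vendor', LEGIT_INF, LEGIT_DRIVE)):
        print(name, triage_autorun_inf(inf, files) or ['nothing suspicious'])
```

To run it against a real drive, build the listing with `os.scandir` and `stat().st_file_attributes` (FILE_ATTRIBUTE_HIDDEN is 0x02, FILE_ATTRIBUTE_SYSTEM is 0x04). A launch target that is hidden, or that points at a file which is no longer present because the worm has already been cleaned from the drive, is worth following up; a visible Setup.exe next to a visible autorun.inf is what a legitimate installer looks like.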

Payload

Communicates with a remote server

Gamarue.F tries to connect to the following servers via HTTP GET to report its infection and to download additional arbitrary files:

  • atserver<random string>.info
  • dangerantiddosload.ru
  • g00gl3.ru
  • mikkimouse.ru
  • napasaran.ru
  • retseptik.in
  • secureguard.ru
  • stroll-in.biz
  • zaletelly<random string>.be
  • zvezdavsem.ru

At the time of this writing, the servers and requested files were unavailable for further analysis.
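The domains above are the indicators most useful for finding infected hosts after the fact. The following added example (not part of the write-up) turns the list, including the two wildcard entries, into host-matching rules and runs them over proxy access log lines. Assumptions of the example: the "<random string>" parts are taken to be letters, digits or hyphens, the log is in Squid native format (timestamp, elapsed, client, status, bytes, method, URL, ...), and the log lines are constructed, not captured traffic.

```python
import re

# Indicators exactly as listed in the write-up.
INDICATORS = [
    'atserver<random string>.info',
    'dangerantiddosload.ru',
    'g00gl3.ru',
    'mikkimouse.ru',
    'napasaran.ru',
    'retseptik.in',
    'secureguard.ru',
    'stroll-in.biz',
    'zaletelly<random string>.be',
    'zvezdavsem.ru',
]


def indicator_regex(indicator):
    """Compile one indicator; '<random string>' becomes a label wildcard
    (assumed: letters, digits, hyphens).  The rule matches the bare domain or
    any subdomain, but not a longer name that merely ends in it."""
    parts = [re.escape(p) for p in indicator.split('<random string>')]
    body = '[a-z0-9-]+'.join(parts)
    return re.compile(r'(?:^|\.)' + body + r'$', re.IGNORECASE)


INDICATOR_PATTERNS = [(i, indicator_regex(i)) for i in INDICATORS]


def match_host(host):
    """Return the matching indicator for a host name, or None."""
    host = host.strip().rstrip('.').lower()
    for indicator, pattern in INDICATOR_PATTERNS:
        if pattern.search(host):
            return indicator
    return None


# Squid native access log: time elapsed client code/status bytes method URL ...
LOG_LINE_RE = re.compile(r'^(\S+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)')


def host_of(url):
    """Host part of an absolute URL, or of the host:port form used by CONNECT."""
    m = re.match(r'^[a-z][a-z0-9+.-]*://([^/:]+)', url, re.IGNORECASE)
    return m.group(1) if m else url.split(':')[0]


def scan_log(lines):
    """Return one record per log line whose destination matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url = m.groups()
        indicator = match_host(host_of(url))
        if indicator:
            hits.append({'time': ts, 'client': client, 'method': method,
                         'url': url, 'indicator': indicator})
    return hits


# Constructed log lines for the example (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '1328000000.123    200 10.0.0.15 TCP_MISS/200 512 GET http://g00gl3.ru/in.php?id=1 - DIRECT/203.0.113.9 text/html',
    '1328000001.456    120 10.0.0.15 TCP_MISS/404 300 GET http://atserver8k2q1.info/dl/update.exe - DIRECT/203.0.113.10 text/html',
    '1328000002.789     90 10.0.0.22 TCP_HIT/200 4096 GET http://www.example.com/ - NONE/- text/html',
    '1328000003.000     60 10.0.0.22 TCP_MISS/200 1024 GET http://notg00gl3.ru/ - DIRECT/203.0.113.11 text/html',
    '1328000004.000    400 10.0.0.31 TCP_TUNNEL/200 2048 CONNECT www.zvezdavsem.ru:443 - DIRECT/203.0.113.12 -',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['url']}  [{hit['indicator']}]")
```

The anchoring in the compiled rule matters: "notg00gl3.ru" is deliberately not a hit, while "www.zvezdavsem.ru" is, because a real client may contact a subdomain of a listed domain but an unrelated name that happens to end in the same string is a false positive. The same rules apply unchanged to DNS query logs if you feed `match_host` the queried name.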

Analysis by Marianne Mallen


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
First detected by definition: 1.119.1045.0
Latest detected by definition: 1.185.3127.0 and higher
First detected on: Jan 31, 2012
This entry was first published on: Jan 31, 2012
This entry was updated on: Oct 27, 2014

This threat is also detected as:
No known aliases