Gamarue.F may be encountered as an attachment to a spam email message. When run, the malware copies itself into your PC using the following naming format:
Where <extension> might be one of the following:
For example, msdubmna.exe.
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "59870"
With data: "%TEMP%\ms<random string>.<extension>"
Gamarue.F also injects code into a newly created process named wuauclt.exe. Note that this is the same file name as the legitimate Windows Update process.
Depending on the malware configuration, Gamarue.F may copy itself to removable drives, like USB flash drives.
It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.
This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.
Communicates with a remote server
Gamarue.F tries to connect to the following servers via HTTP GET to report its infection and to download additional arbitrary files:
At the time of this writing, the servers and requested files were unavailable for further analysis.
Analysis by Marianne Mallen