Worm:Win32/Gamarue.A is a bot-controlled worm that spreads via removable drives. It gathers information about the infected computer and sends it to a predefined remote web server, from which it may accept further instructions; those instructions may lead to the installation of other malware.
Installation
When executed, Worm:Win32/Gamarue.A copies itself with a variable file name to the %Temp% directory. It creates the following registry entry to ensure that its installed copy executes at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "load"
With data: "<random file name>.com"
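The "load" value under that key is a legitimate Windows autostart location that is normally absent or empty, so any data in it is worth inspecting. The following is an added triage script, not part of the Microsoft encyclopedia entry: it reads the value on a live Windows host (or accepts a value string exported from an offline hive) and reports whether the data matches the pattern described above, a ".com" file name that also exists in %Temp%. The sample value and %Temp% listing in the block are constructed.

```python
"""Triage of the HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows
"load" autostart value (added example, not code from the encyclopedia entry)."""
import os
import ntpath

LOAD_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
LOAD_VALUE = "load"


def read_load_value():
    """Read the live value on a Windows host. Returns None when the value is
    absent or when winreg is unavailable (e.g. a Linux analysis box)."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, LOAD_KEY) as key:
            data, _ = winreg.QueryValueEx(key, LOAD_VALUE)
            return data
    except OSError:
        return None


def triage_load_value(data, temp_listing):
    """Return a list of findings for one 'load' value.

    data         -- raw string contents of the value (None if absent)
    temp_listing -- file names present in %Temp% (os.listdir on a live host,
                    or a directory listing taken from an offline image)
    """
    findings = []
    if not data or not data.strip():
        return findings  # empty or absent value: nothing to report
    findings.append("load value is set (normally empty on a clean system)")
    present = {name.lower() for name in temp_listing}
    # The value may list several programs separated by commas; check each one.
    for entry in (e.strip().strip('"') for e in data.split(",")):
        if not entry:
            continue
        name = ntpath.basename(entry)
        if ntpath.splitext(name)[1].lower() == ".com":
            findings.append(f"{name}: .com extension, as used by Gamarue.A")
        if name.lower() in present:
            findings.append(f"{name}: a file of that name exists in %Temp%")
    return findings


if __name__ == "__main__":
    # Constructed sample: a value as the worm would leave it, with a matching
    # file present in %Temp%. On a live host use read_load_value() together
    # with os.listdir(os.environ["TEMP"]) instead.
    sample_value = "kx7a2p.com"
    sample_temp = ["kx7a2p.com", "~DF1234.tmp"]
    for line in triage_load_value(sample_value, sample_temp):
        print(line)
```

The check deliberately takes the %Temp% listing as a parameter rather than calling os.listdir itself, so the same function can be run against an exported hive and a file listing from a disk image during incident response.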
In the background, the worm injects itself into trusted Windows processes such as 'svchost.exe', 'taskmgr.exe' and 'wuauclt.exe'.
The following mutex indicates the presence of the worm on the affected computer:
Spreads via...
Removable drives
Worm:Win32/Gamarue.A copies itself to the following locations on removable drives:
<targeted drive>:\<malware file>.exe
<targeted drive>:\autorun.inf - detected as Worm:Win32/Gamarue.A
The autorun.inf file contains execution instructions for the operating system, so that when the removable drive is accessed from another computer on which the Autorun feature is enabled, the malware is launched automatically.
Social media
The worm may be distributed by a link posted on a well-known social network site, which redirects the user's browser to a malicious server that performs multiple browser-based exploit attacks. Worm:Win32/Gamarue.A was observed being installed as the payload after successful exploitation.
On successful installation, the bot-controlled worm reports back to a remote web server using an HTTP POST or GET request. It sends information about the affected user, which includes the operating system version.