Installation
In the wild we have seen Worm:Win32/Gamarue.P arrive within an attached file to a spam email.
The subject of the email and the name of the attachment varies. Recent variations of the subject line include:
- "ACH transaction notification"
- "Track Advice Notification: Consignment <random letters and numbers>", for example "Track Advice Notification: Consignment RYR1211342"
The following is an example of the email message body:
ACH transaction is completed. $0423 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt of payment is attached.
*** This is an automatically generated email, please do not reply ***
The attached file is a .zip file that may look life a .pdf file, to trick you into opening it. Some examples include:
- AUSPOST_Track_Advice_Notification.pdf.zip
- AWB-Avis 973-57256084.pdf.zip
- AWB-Avis_765-94666621.pdf.zip
- FuelCard-ebill6614419.PDF.zip
- FuelCard-ebill7791516.PDF.zip
- FuelCard-ebill8773152.PDF.zip
- ITINERARY5959454.zip
- Payment receipt - 884993762994.zip
- Payment_notification_id_43897345.zip
The email tells you to open the attachment to view a receipt. The attachment contains a malicious executable file, for example “payment receipt - 884993762994.exe”.
If you open the executable file, the worm copies itself to the %ALLUSERPROFILE% folder on your computer. It uses a name in the format “<random name>.<extension>”, where <extension> may be one of the following:
For example, the file could be called "dxnaya.exe". It sets the system and hidden attributes for this file.
Worm:Win32/Gamarue.P also modifies the following registry entry to ensure that its copy runs at each Windows start:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "59870"
With data: "%ALLUSERS%\<random string>.<extension>", for example "C:\Documents and Settings\all users\dxnaya.exe"
It also creates an instance of the system process “msiexec.exe” and "svchost.exe". It then injects its code into these processes to make removal more difficult.
These processes are then detected as VirTool:Win32/Injector.gen!DH
Spreads via…
Removable drives
Worm:Win32/Gamarue.P may create copies of itself on removable drives.
It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain instructions for the operating system so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
This is particularly common malware behavior, generally used in order to spread malware from computer to computer.
It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.
Payload
Downloads other files
Worm:Win32/Gamarue.P may connect to the following servers via HTTP POST to report that it has infected your computer and to download additional arbitrary files:
- barcolo.biz
- barthuilorpo.biz
- bromekasrte.biz
- coretec.pl
- elmara.ru
- fixt.su
- jolkipolik.biz
- kitro.pl
- margnijkie.biz
- mokilapol.biz
- morolaoply.biz
- mrakoboss.ru
- ophia.ru
- ripnhuipn.ru
- tguniverse.com
- wguniverse.com
Related encyclopedia entries
Win32/Gamarue
Analysis by Wei li