Explore the latest news and trends  

Keep yourself up to date with one of the following options:

  • Explore more news around Spam/Phishing, Malware/Cyber-attacks and Antivirus
  • Receive news and special offers from SPAMfighter directly in your inbox.
  • Get free tips and tricks from our blog and improve your security when surfing the net.
Go

MMPC Researchers Find Fresh Editions of Gamarue Worm

Security researchers from Microsoft malware Protection Center (MMPC) warn about Gamarue the PC-worm, which's known since a period now. But, while it isn't unique in propagating from PC to PC through detachable drives, the researchers recently discovered fresh variants, which work through certain intriguing methods.

Reportedly, when Worm:Win32/Gamarue proliferates, its 4 components get copied and pasted on the contaminated gadget, for example an USB key. These components represent the various files such as "desktop.ini," "~$wb.usbdrv ," "usb drive (1gb).lnk," and "thumbs.db."

Of these, the "usb drive (1gb).lnk," which is a shortcut file, obtains its name from the detachable gadget as well as its size -the idea being able to dupe end-users so they'll view the file.

Once viewed, usb drive (1gb).lnk runs the "~$wb.usbdrv" that's really one DLL file that goes through the matter inside "desktop.ini" as also runs the same.

Explaining further, Security Expert Raymond Roberts of MMPC Melbourne says that the code inside "desktop.ini" initially pulls down "thumbs.db" (updated copy) to substitute a file already present inside the USB key. Thereafter the code deciphers the information inside "thumbs.db" followed with copying the same onto 'C:\Temp\TrustedInstaller.exe,' Roberts adds. Softpedia.com published this dated 1st March 2013.

Surprisingly, 'C:\Temp\TrustedInstaller.exe' subsequently gets run whereby it installs one more component - Worm:Win32/Gamarue.I onto a temporary folder of the existing end-user followed with copying encrypted data onto HKCU\SOFTWARE\e_magic, a registry.

What is copied onto HKCU\SOFTWARE\e_magic is one more encoded edition of TrustedInstaller.exe that's then utilized for contaminating additional detachable drives.

And what's copied onto the HKLM\SOFTWARE\Microsoft\0022FF03 registry apparently contains one ZIP header on glancing initially; however, isn't really a ZIP folder. Indeed, after decoding the encoded data the latter appears as one zipped executable script.

Worm:Win32/Gamarue.I, mentioned earlier, executes %System%\wuauclt.exe a system file followed with inserting code inside the particular process. Thereafter the data is read that's inside the HKLM\SOFTWARE\Microsoft\0022FF03 registry as the code also decodes it utilizing its key sized 32-byte followed with extracting it with the popular aPLib zipping library.

Consequently, the worm disseminates one DLL that contaminates detachable drives present. Thus, this proliferation technique greatly enhances the malicious program's possibilities of staying unidentified.

Related article: MMPC Detects phishing E-mails that use Verizon’s Name

» SPAMfighter News - 06-03-2013

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Exchange Anti Spam Filter
Go back to previous page
Next