MMPC Researchers Find Fresh Editions of Gamarue Worm
Security researchers from the Microsoft Malware Protection Center (MMPC) have issued a warning about Gamarue, a PC worm that has been known for some time. Spreading from PC to PC through removable drives is nothing unusual in itself, but the researchers recently discovered new variants that do so through some rather interesting techniques.
Reportedly, when Worm:Win32/Gamarue spreads, it copies four components onto the infected removable device, for example a USB key. These components are the files "desktop.ini", "~$wb.usbdrv", "usb drive (1gb).lnk" and "thumbs.db".
Of these, "usb drive (1gb).lnk" is a shortcut file that takes its name from the removable device's label and size; the idea is to trick users into thinking they are opening the drive itself, so they double-click the file.
Once opened, usb drive (1gb).lnk executes "~$wb.usbdrv", which is in fact a DLL that reads the content of "desktop.ini" and runs it.
Explaining further, Raymond Roberts, a security expert at MMPC Melbourne, says that the code inside "desktop.ini" first downloads an updated copy of "thumbs.db" to replace the file already present on the USB key. The code then decodes the data inside "thumbs.db" and writes it to 'C:\Temp\TrustedInstaller.exe', Roberts adds. Softpedia.com published this on 1st March 2013.
'C:\Temp\TrustedInstaller.exe' is then executed. It installs a further component, Worm:Win32/Gamarue.I, into the current user's temporary folder and writes encrypted data to the registry key HKCU\SOFTWARE\e_magic.
The data written to HKCU\SOFTWARE\e_magic is another encoded copy of TrustedInstaller.exe, which is later used to infect additional removable drives.
The data written to the HKLM\SOFTWARE\Microsoft\0022FF03 registry key appears at first glance to carry a ZIP header, but it is not really a ZIP archive. Once the encoded data is decoded, it turns out to be a compressed executable.
Worm:Win32/Gamarue.I, mentioned above, executes the system file %System%\wuauclt.exe and injects code into that process. The injected code then reads the data stored under the HKLM\SOFTWARE\Microsoft\0022FF03 registry key, decodes it with a 32-byte key, and decompresses it with the popular aPLib compression library.
The result is a DLL that the worm uses to infect any removable drives present. Building the infector only in memory, from encoded registry data, greatly improves the malware's chances of staying undetected.
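The two observable traces described above, the four-file set dropped on a removable drive (with a .lnk named after the drive's label and size) and registry data that starts with a ZIP header yet is not a parseable ZIP, are the kind of indicators a defender can check for. The following Python is an added example written for this article, not code from MMPC or SPAMfighter; it builds a throw-away directory that mimics the infected USB root, then runs a scanner over it and a header check over constructed byte strings. The function names, the directory simulation and the sample bytes are all assumptions made for the example.

```python
import tempfile
import zipfile
from io import BytesIO
from pathlib import Path

# Indicator file names taken from the article. The shortcut name varies with the
# drive label and size, so it is matched by suffix (and optionally by the label).
GAMARUE_DROP_FILES = {"desktop.ini", "~$wb.usbdrv", "thumbs.db"}
LNK_SUFFIX = ".lnk"


def find_gamarue_artifacts(drive_root, volume_label=None, size_label=None):
    """Scan the root of a removable drive for the file set the article describes.

    Returns a dict with the indicator files present, every .lnk found, whether a
    .lnk mimics '<label> (<size>).lnk' when label and size are given, and an overall
    'suspicious' verdict: the helper DLL '~$wb.usbdrv' plus at least one .lnk.
    """
    root = Path(drive_root)
    names = {p.name.lower() for p in root.iterdir() if p.is_file()}
    lnks = sorted(n for n in names if n.endswith(LNK_SUFFIX))
    present = sorted(GAMARUE_DROP_FILES & names)

    label_match = None  # unknown unless the caller supplies the drive's label/size
    if volume_label and size_label:
        expected = f"{volume_label} ({size_label}){LNK_SUFFIX}".lower()
        label_match = expected in lnks

    suspicious = "~$wb.usbdrv" in names and bool(lnks)
    return {"present": present, "lnks": lnks,
            "label_match": label_match, "suspicious": suspicious}


def looks_like_zip_but_is_not(blob):
    """True when data carries a ZIP local-file-header signature but cannot be
    opened as a ZIP archive; the article says the HKLM\\SOFTWARE\\Microsoft\\0022FF03
    payload has exactly this shape. Data without the signature returns False."""
    if not blob.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(BytesIO(blob)):
            return False  # a genuine archive: the header is not misleading
    except zipfile.BadZipFile:
        return True


def build_constructed_drive():
    """Create a temporary directory laid out like the infected USB root
    described in the article (constructed placeholder contents, not malware)."""
    d = tempfile.mkdtemp(prefix="usb_sim_")
    for name in ("desktop.ini", "~$wb.usbdrv", "usb drive (1gb).lnk", "thumbs.db"):
        Path(d, name).write_bytes(b"constructed placeholder content")
    return d


def make_real_zip():
    """A small genuine ZIP archive, used as the negative case for the header check."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    drive = build_constructed_drive()
    print(find_gamarue_artifacts(drive, volume_label="USB Drive", size_label="1GB"))
    # Constructed blob: ZIP signature followed by filler, no central directory.
    print(looks_like_zip_but_is_not(b"PK\x03\x04" + b"\x00" * 40))
    print(looks_like_zip_but_is_not(make_real_zip()))
```

On a real machine the same scan would be pointed at the drive letter of a mounted removable device and the label and size read from the volume, and the header check would be run over the value read from the registry key; the simulation here only replaces those inputs so the logic can be exercised offline.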
Related article: MMPC Detects Phishing E-mails that use Verizon’s Name
» SPAMfighter News - 06-03-2013