WORM_GAMARUE.DA

This Trojan may be downloaded by other malware/grayware from remote sites. It may be dropped by other malware.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.

Arrival Details

This Trojan may be downloaded by the following malware/grayware from remote sites:

• http://{BLOCKED}r.dl.{BLOCKED}forge.net/project/stubpe/a/zwz - (encrypted copy)

It may be dropped by the following malware:

• TROJ_GAMARUE.SM

Installation

This Trojan creates the following folders:

• %User Temp%\_install_

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It injects codes into the following process(es):

• wuauclt.exe

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
{random number} = "%All Users Profile%\Temp\ms{random}.{extension}"

Other System Modifications

This Trojan modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is 1.)

Backdoor Routine

This Trojan executes the following commands from a remote malicious user:

• Download a file from C&C server and save it as %User Temp%\{random number}.exe
• Download a file from C&C server and save it as %System Root%\Documents and Settings\All Users\ms{random number}.dat and loads it
• Start a process
• Uninstall itself
• Remote command prompt

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It connects to the following websites to send and receive information:

• http://{BLOCKED}cgrvkj.ru/in.php
• http://{BLOCKED}tvmein.in/in.php
• http://{BLOCKED}wsqhct.in/in.php
• http://{BLOCKED}onzmwuehky.nl/in.php
• http://{BLOCKED}ososoft.ru/in.php

Dropping Routine

This Trojan drops the following files:

• %All Users Profile%\Local Settings\Temp\ms{random}.{extension}
• %User Temp%\_install_\msiexec.exe

(Note: %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.

NOTES:

The {extension} of the dropped file can be any of the following:

• BAT
• CMD
• COM
• EXE
• PIF
• SCR

It propagates by dropping the following component files in removable drives:

• {drive name} ({drive size}).LNK - LNK_GAMARUE.DA
• ~${random}.{diskformat} - TROJ_GAMARUE.DA
• desktop.ini - TROJ_GAMARUE.SM

It copies all the user's folders and files in the removable drive into a hidden folder with name of ASCII 255, which is displayed as a special space character.

It sets the attribute of all files and folders in removable drives to Hidden.

It checks if it is being run in VMWare environment.