PUA.Win32.GMER.A

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Potentially Unwanted Application drops the following component file(s):

• %User Temp%\{8 Random Characters}.sys

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Autostart Technique

This Potentially Unwanted Application registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\{8 Random Characters}

Other System Modifications

This Potentially Unwanted Application deletes the following files:

• %User Temp%\{8 Random Characters}.sys

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\{8 Random Characters}
Type = 1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\{8 Random Characters}
ErrorControl = 1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\{8 Random Characters}
Start = 3

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\{8 Random Characters}
ImagePath = \??\%User Temp%\{8 Random Characters}.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\{8 Random Characters}
Group = Base

Information Theft

This Potentially Unwanted Application gathers the following data:

• List of Drives
• Computer Name
• Running Processes
• Process Modules
• Running Services
• Computer Files
• Disk Sectors
• System Registries
• Clipboard Data

Other Details

This Potentially Unwanted Application does the following:

• It loads the dropped file as a driver
  • %User Temp%\{8 Random Characters}.sys
• It displays the following image
  
• It displays and can delete, copy, and kill files and folders
• It displays and can create and kill system processes
• It displays process modules
• It can edit, disable and delete services
• It displays and can edit system registry data
• It can export registry data and save it in a file
• It can execute shell commands
• It can restore SSDT tables
• It can restore the Master Boot Record (MBR)
• The tool scans for the following:
  • Hidden Processes
  • Hidden Threads
  • Hidden Modules
  • Hidden Services
  • Hidden Files
  • Hidden Disk Sectors (MBR)
  • Hidden Alternate Data Streams
  • Hidden Registry Keys
  • Drivers Hooking SSDT
  • Drivers Hooking IDT
  • Drivers Hooking IRP calls
  • Inline Hooks
• It displays process libraries and threads
• It can restart the machine
• This tool has been abused by other malware to terminate processes relating to security-related software via its -killfile option