General Explanation
Type: Worm
Degree of destruction: high
Prevalence: high
Names of the malware:
- USBWorm.Win32.Gamarue
- Worm.Win32.Gamarue
- Downloader.Win32.Gamarue
- Packer.Win32.Gamarue
- Dropper.Win32.Gamarue
- Backdoor.Win32.Gamarue
- Worm.Win32.Debris
What is a worm?
Computer worms such as Gamarue are a class of malware that replicate themselves automatically. To persist, a worm configures the system so that the infection is launched again on every boot. The defining feature of a worm is its propagation method, which is usually carried out through portable drives and shared directories on the network.
What is Gamarue malware?
Gamarue is a worm that detects portable drives (USB flash drives, external hard disks, etc.) and infects them. It connects to the network to download and execute additional malicious files, injects its code into legitimate processes on the victim's system, and steals information from the system and sends it to specific servers.
Technical Explanation
One sign of a Gamarue infection is the presence of running processes such as misexec.exe, wuaucld.exe and svshost.exe (names that resemble the legitimate Windows binaries msiexec.exe, wuauclt.exe and svchost.exe) for which no parent process can be determined. Sometimes a process with a random name and extension is running that is in fact a copy of msiexec.exe. Some of the malware's files and directories also remain invisible in Explorer even after "Show hidden files, folders, and drives" has been enabled; this is the normal behaviour for files carrying both the Hidden and System attributes, which Explorer keeps hiding until "Hide protected operating system files" is also unchecked (dir /a or attrib on the command line lists them regardless). The following registry values are also a sign that the system is infected with this malware:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- SunJavaUpdateSched = "%User Profile%\svchost.exe"
HKCU\Software
- ImageBase = "{random values}"
HKLM\SOFTWARE\Microsoft
- 0022FF03 = "{random values}"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
- 419 = "[SystemRoot]:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\{random}.{extension name}"
The existence of files and directories at the following paths can also be a sign of infection by this malware:
%User Temp%\Qalugafisoje.gek
%User Temp%\tunupugeyi.exe
%User Temp%\Yuzohalojig.dll
%User Temp%\Xateyilobak.dll
%User Temp%\cunapoqaga.dll
%User Temp%\Jotelodoris.dll
%User Temp%\sujifecezav.dll
%User Temp%\luporejebe.dll
%User Temp%\pazojarofina.dll
%User Temp%\Hefumonave.dll
%User Temp%\Notirolukih.Xik
%User Temp%\gihifolame.exe
%User Temp%\#MSI\msiexec.exe
%User Profile%\svchost.exe
- A shortcut in the root of the portable drive that points into a no-name directory on the drive
The malware is launched again on every boot of the victim's system. On a portable drive it creates a directory with no visible name and moves all of the drive's contents into it. It then places a shortcut file in the root of the drive, carrying the drive's own icon, that points to the malware executable inside the no-name directory. When the user opens that shortcut to get at their files, the worm is executed on whichever system the drive is connected to. After infecting a system, the malware downloads further malicious files from a specific server; so far it has been observed delivering significant malware families such as Fareit, Torpig/Sinowal and Zeus to the victim's system. Some variants are sandbox-aware and stop their malicious activity when they detect such an environment.
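As an added example that is not part of this entry or of Padvish's own tooling, the following PowerShell script checks a host for the indicators listed in this section: the registry values, the dropped file paths, running processes with system-binary (or look-alike) names that have no parent or run outside %SystemRoot%, and, on each removable drive, the no-name directory and any root-level shortcut files. It assumes PowerShell 3.0 or later, that the no-name directory is a root folder whose name consists only of whitespace or non-printable characters, and that on 64-bit Windows the HKLM\SOFTWARE\Microsoft value may also have been redirected to Wow6432Node; none of these three points is stated on the page.

```powershell
# Added example (not Padvish code): triage script for the Gamarue indicators
# listed in this entry. Run from an elevated PowerShell 3.0+ session on the
# suspect host. It only reports; it does not delete or change anything.
function Find-GamarueIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Registry values named in the entry. The Wow6432Node path is an
    #    assumption: a 32-bit process writing HKLM\SOFTWARE\Microsoft on 64-bit
    #    Windows is redirected there, so both locations are checked.
    $regChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                  Name = 'SunJavaUpdateSched' },
        @{ Path = 'HKCU:\Software';                                                        Name = 'ImageBase' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft';                                              Name = '0022FF03' },
        @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft';                                  Name = '0022FF03' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'; Name = '419' }
    )
    foreach ($c in $regChecks) {
        $item = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        if ($item -and $item.PSObject.Properties[$c.Name]) {
            $findings.Add("registry: $($c.Path)\$($c.Name) = $($item.($c.Name))")
        }
    }

    # 2. Dropped files. -Force is required because the entry notes the files
    #    stay hidden in Explorer (Hidden + System attributes).
    $names = 'Qalugafisoje.gek','tunupugeyi.exe','Yuzohalojig.dll','Xateyilobak.dll',
             'cunapoqaga.dll','Jotelodoris.dll','sujifecezav.dll','luporejebe.dll',
             'pazojarofina.dll','Hefumonave.dll','Notirolukih.Xik','gihifolame.exe',
             '#MSI\msiexec.exe'
    $paths = @($names | ForEach-Object { Join-Path $env:TEMP $_ }) + (Join-Path $env:USERPROFILE 'svchost.exe')
    foreach ($p in $paths) {
        if (Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue) { $findings.Add("file: $p") }
    }

    # 3. Processes with system-binary names (or the look-alike names from the
    #    entry) that run outside %SystemRoot% or whose parent no longer exists.
    $suspect = 'msiexec.exe','wuauclt.exe','svchost.exe','misexec.exe','wuaucld.exe','svshost.exe'
    foreach ($proc in Get-CimInstance Win32_Process) {
        if ($suspect -notcontains $proc.Name.ToLower()) { continue }
        $parent   = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $inSysDir = $proc.ExecutablePath -and $proc.ExecutablePath.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')
        if (-not $parent -or -not $inSysDir) {
            $parentName = if ($parent) { $parent.Name } else { '<none>' }
            $findings.Add("process: $($proc.Name) pid=$($proc.ProcessId) path=$($proc.ExecutablePath) parent=$parentName")
        }
    }

    # 4. Removable drives (DriveType 2): a root directory whose name is only
    #    whitespace or non-printable characters (assumption about how the
    #    "no-name" directory is named) and root-level .lnk files. Shortcut
    #    targets are read through the WScript.Shell COM object; reading a .lnk
    #    this way does not execute it.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
        $root = $disk.DeviceID + '\'
        Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -notmatch '\S' -or $_.Name -match '[\x00-\x1F\x7F-\xA0]' } |
            ForEach-Object { $findings.Add("drive ${root}: no-name directory (attributes: $($_.Attributes))") }
        Get-ChildItem -LiteralPath $root -Filter '*.lnk' -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                $findings.Add("drive ${root}: shortcut '$($_.Name)' -> $($lnk.TargetPath) $($lnk.Arguments)")
            }
    }
    return $findings
}

$result = @(Find-GamarueIndicators)
if ($result.Count -eq 0) { 'No Gamarue indicators from this list were found.' }
else { $result | ForEach-Object { "[!] $_" } }
```

Every shortcut in the root of a removable drive is listed, including legitimate ones, so the target and arguments have to be read: a Gamarue-style shortcut is the one whose target or arguments point into the no-name directory reported just above it. Process findings are also only a lead, because a real svchost.exe whose parent has exited is not malicious by itself; the dropped-file and registry hits are the stronger indicators.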
How to deal with it and disinfect the system
Padvish Antivirus, through its UMP feature (part of its behavioural protection), prevents the system from being infected via portable drives. To block all malware that spreads by portable drive, Gamarue included, it is therefore recommended to install Padvish before such malware can enter the system.
If your system is infected with Gamarue malware, proceed as follows:
- Install Padvish on your system
- Connect the portable drive to your system
- Scan the portable drive with Padvish to disinfect both your system and the portable drive
As a temporary solution, you can also download the Gamarue cleaner from the Padvish website and disinfect your system with it.