WORM_GAMARUE.LJG

This worm may be downloaded by other malware/grayware from remote sites. It may be dropped by other malware.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

Arrival Details

This worm may be downloaded by the following malware/grayware from remote sites:

• http://master.dl.{BLOCKED}forge.net/project/tradingfiles/111/m - (encrypted copy of itself)

It may be dropped by the following malware:

• TROJ_GAMARUE.RMA

Installation

This worm creates the following folders:

• %User Temp%\_setup_

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It injects codes into the following process(es):

• wuauclt.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
{random number} = "%All Users Profile%\Local Settings\Temp\{random filename}.exe"

Other System Modifications

This worm adds the following registry entries:

HKEY_CURRENT_USER\Software
ImageBase = "{encrypted copy of itself}"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is 1.)

Backdoor Routine

This worm executes the following commands from a remote malicious user:

• Download a file
• Start a process
• Uninstall itself
• Remote command prompt

It connects to the following websites to send and receive information:

• http://c.{BLOCKED}eavy.ru
• http://{BLOCKED}d.ru/static.php
• http://{BLOCKED}iuojy.ru/2ldr.php
• http://{BLOCKED}iuojy.ru/3ldr.php
• http://{BLOCKED}iuojy.ru/41ldr.php
• http://{BLOCKED}iuojy.ru/51ldr.php
• http://{BLOCKED}iuojy.ru/6ldr.php

Dropping Routine

This worm drops the following files:

• %All Users Profile%\Local Settings\Temp\{random filename}.exe - WORM_GAMARUE.LJG
• %User Temp%\_setup_\msiexec.exe - WORM_GAMARUE.LJG

(Note: %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

NOTES:
It propagates by dropping the following component files in removable drives:

• {drive name} ({drive size}).LNK - LNK_GAMARUE.RMA
• _{random}.{random extension} - TROJ_GAMARUE.LJG
• desktop.ini - TROJ_GAMARUE.RMA

It copies all the user's folders and files in the removable drive into a hidden folder with name of ASCII 255 which is displayed as a special space character.

It sets the attribute of all files and folders in removable drives to Hidden.