WORM_GAMARUE.LJG
WORM_GAMARUE.LJG is one of the many variants of Gamarue, a dangerous worm that ESG security analysts have observed in various high profile malware attacks. The WORM_GAMARUE.LJG variant downloads its components and malicious code from SourceForge, a popular and legitimate online code repository. WORM_GAMARUE.LJG is part of an increasing trend of hosting malicious components on legitimate hosting services, a practice that gives malware developers the advantage of avoiding detection and taking advantage of their host's credentials to lend reputability to their own malicious components.
Table of Contents
Components Associated with WORM_GAMARUE.LJG Have Been Found on SourceForge
There are four files that are involved in the WORM_GAMARUE.LJG infection process. Once these enter a computer, typically through an infected external drive (a common tactic used by many worms) they carry out an attack that drops the main WORM_GAMARUE.LJG file and executes its content. The main payload of WORM_GAMARUE.LJG is to decrypt and update itself and then to connect to SourceForge to download its malicious components. These are located in a SourceForge project named 'tradingfiles.' Other malicious projects on SourceForge have been identified, with the names 'ldjfdkladf' and 'stanteam'.
How is WORM_GAMARUE.LJG Disseminated?
WORM_GAMARUE.LJG uses two typical distribution strategies:
- WORM_GAMARUE.LJG is often distributed through attack websites using exploit kits just as the Black Hole Exploit Kit. When a computer user visits these malicious websites, the exploit kit forces the victim's web browser to download and install WORM_GAMARUE.LJG by taking advantage of known software vulnerabilities. Often computer users are led to these attack websites through malicious links distributed using social engineering or via JavaScript redirect scripts or browser hijacking Trojans which take the victim's web browser to the attack website without the computer user's permission.
- WORM_GAMARUE.LJG also uses worm techniques to spread from one computer to another. The most common of these is infected removable memory devices, installing itself in hidden folders that are accessed through a disguised shortcut. For example, an icon on the infected drive may appear to be a harmless folder. However, it is actually a shortcut that has been disguised with a folder icon. When clicked on, it actually executes the malicious executable file associated with WORM_GAMARUE.LJG. To a lesser extent, these kinds of attacks also use Autorun exploits, although Windows updates have closed a lot of the vulnerabilities that allowed these kinds of worms to thrive using these kinds of techniques.
File System Details
| # | File Name |
Detections
Detections: The number of confirmed and suspected cases of a particular threat detected on
infected computers as reported by SpyHunter.
|
|---|---|---|
| 1. | ldjfdkladf | |
| 2. | stanteam |
Submit Comment
Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.