Worm:Win32/Gamarue.I


By JubileeX in Worms

Worm:Win32/Gamarue.I is one of the most recent variants in the Gamarue family of malware. Gamarue worm variants pose a severe threat to any computer. The Worm:Win32/Gamarue.I variant in particular adds a further tactic to the methods these worms already use to infect computers. Malware in this family has been around for quite a while, and Gamarue variants have been studied closely by PC security researchers for years. However, Worm:Win32/Gamarue.I and some other recent variants use additional infection methods on top of the traditional worm tactic of spreading from one computer to another through an external memory device such as a USB thumb drive.

Common Proliferation Methods Used by Worm:Win32/Gamarue.I

When Worm:Win32/Gamarue.I spreads from one drive to another, it copies four essential components to the new location. These four components are the files used in the attack: "desktop.ini," "~$wb.usbdrv," "usb drive (1gb).lnk" and "thumbs.db." These files may use different names, but they retain the same extensions. The LNK file is the worm's shortcut file. It takes its name from the detachable memory device being infected and from that device's size, so that it appears identical to the victim's thumb drive (in this case, it claims to be a 1GB drive). The LNK file's purpose is to fool a computer user into clicking on it in the belief that it is the icon for the detachable device's drive. When the LNK file is clicked, it runs the "~$wb.usbdrv" file, which is in fact a malicious DLL that also accesses the other two files on the infected drive. This is typical of most worm infections: the worm is installed on the target and eventually replicates onto additional drives that come into contact with the infected one.

The Twist in a Worm:Win32/Gamarue.I Infection

Worm:Win32/Gamarue.I also creates an encrypted folder containing additional data and a zipped executable file. During its attack, Worm:Win32/Gamarue.I can contaminate every detachable memory device it reaches with the malicious DLL file and its additional components. This allows Worm:Win32/Gamarue.I to proliferate more effectively than other, more traditional worms in the Gamarue family. To prevent Worm:Win32/Gamarue.I attacks, ESG security researchers strongly advise computer users to scan any detachable memory device thoroughly with a reliable anti-malware program before attempting to access its contents.
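The indicator pattern described above (a drive-like decoy LNK, a ".usbdrv" payload, and "desktop.ini"/"thumbs.db" beside them in the root of a removable drive) can be checked before opening the drive. The script below is an added example written for this page, not code from the original page or from ESG; the sample drive layouts it scans are constructed in a temporary directory and contain no malicious content.

```python
import re
import tempfile
from pathlib import Path

# Indicators described on this page for Worm:Win32/Gamarue.I: a shortcut named like
# the drive with its size, e.g. "usb drive (1gb).lnk", a DLL carrying the ".usbdrv"
# extension, and "desktop.ini" plus "thumbs.db" beside them. Names vary; extensions do not.
DRIVE_LNK_RE = re.compile(r"\(\s*\d+\s*[kmgt]b\s*\)\.lnk$", re.IGNORECASE)
COMPANION_NAMES = {"desktop.ini", "thumbs.db"}


def scan_removable_root(root):
    """Return a sorted list of (indicator, file_name) found in the drive root.

    Only the root directory is examined, because the decoy shortcut has to sit
    there to impersonate the drive's own icon.
    """
    root = Path(root)
    files = [p for p in root.iterdir() if p.is_file()]
    findings = []
    for entry in files:
        name = entry.name.lower()
        if name.endswith(".usbdrv"):
            findings.append(("usbdrv_payload", entry.name))
        elif DRIVE_LNK_RE.search(name):
            findings.append(("drive_decoy_lnk", entry.name))
    # desktop.ini and thumbs.db are legitimate on their own; report them only
    # when one of the worm-specific indicators is also present.
    if findings:
        for entry in files:
            if entry.name.lower() in COMPANION_NAMES:
                findings.append(("companion_file", entry.name))
    return sorted(findings)


def build_constructed_sample():
    """Constructed drive layout mirroring the file names quoted on this page."""
    tmp = Path(tempfile.mkdtemp())
    for n in ["desktop.ini", "~$wb.usbdrv", "usb drive (1gb).lnk", "thumbs.db", "holiday.jpg"]:
        (tmp / n).write_bytes(b"constructed sample, no malicious content")
    return tmp


def build_clean_sample():
    """Constructed layout of an ordinary drive: thumbs.db alone is not an indicator."""
    tmp = Path(tempfile.mkdtemp())
    for n in ["thumbs.db", "report.docx"]:
        (tmp / n).write_bytes(b"constructed clean sample")
    return tmp


if __name__ == "__main__":
    for kind, name in scan_removable_root(build_constructed_sample()):
        print(f"{kind:16} {name}")
```

A hit on "usbdrv_payload" or "drive_decoy_lnk" is the signal to scan the drive with an anti-malware product before opening anything on it, as the page advises.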

File System Details

Worm:Win32/Gamarue.I may create the following file(s):
#   File Name                       Detections
1   C:\Temp\TrustedInstaller.exe

Registry Details

Worm:Win32/Gamarue.I may create the following registry entry or registry entries:

1 Comment

Hello, I copied files from someone's computer onto my flash drive. When I connected it to my computer, I opened it and all I could see was the link. I scanned the link with Microsoft security and it deleted it. Now when I open the drive it looks empty but space is still occupied and Microsoft scan shows that my stuff is still there. View invisible files and folders doesn't help. How can I recover my files?

