Worm:Win32/Gamarue.I is one of the most recent variants in the Gamarue family of malware. Gamarue worm variants pose a severe threat to any computer. The Worm:Win32/Gamarue.I variant in particular adds an additional tactic to the methods already used by these kinds of worms in order to infect computers. It is important to note that malware in this family has been around for quite a while and that Gamarue variants have been studied closely by PC security researchers for years. However, Worm:Win32/Gamarue.I and some other recent variants use methods to infect computers, in addition to the traditional worm tactic of spreading from one computer to another through an external memory device such as an USB thumb drive.
Common Proliferation Methods Used by Worm:Win32/Gamarue.I
When Worm:Win32/Gamarue.I goes from one drive to another, Worm:Win32/Gamarue.I copies four essential components from one location to another. These four components are the four files used in the attack: "desktop.ini," "~$wb.usbdrv," "usb drive (1gb).lnk" and "thumbs.db." It is important to note that these files may use different names, but will retain the same extensions. The LNK file is the shortcut file for this worm. It gets its name from the detachable memory device being infected and from its size to make it appear the same as the victim's thumb drive (in this case, it claims that it is a 1GB drive). The main goal of the LNK file is to fool a computer user into clicking on it thinking that it is the icon for the detachable device's drive. When the LNK file is clicked on, it runs the "~$wb.usbdrv" file which is actually a malicious DLL file which also accesses the other two files in the infected drive. This is pretty typical of most worm infections, resulting in the installation of the worm on the target, eventually leading to its replication in additional drives that come into contact with the infected drive.
The Twist in a Worm:Win32/Gamarue.I Infection
Worm:Win32/Gamarue.I also creates an encrypted folder with additional data and a zipped executable file. Through its attack, Worm:Win32/Gamarue.I can contaminate all detachable memory devices with the malicious DLL file and its additional components. This allows Worm:Win32/Gamarue.I to proliferate more effectively than other, more traditional worms in the Gamarue family. To prevent Worm:Win32/Gamarue.I attacks, ESG security researchers strongly advise computer users to scan any detachable memory devices thoroughly with a reliable anti-malware program before attempting to access their contents.