Date discovered: 30/08/2012
Type: Backdoor Server
In the wild: No
Reported Infections: High
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 58.368 Bytes
MD5 checksum: 3CCFB3CA8C0AAAA4E93856BC79570106
VDF version: - Thursday, August 30, 2012
IVDF version: - Thursday, August 30, 2012

General Method of propagation:
   • Email

Aliases:
   • Microsoft: Win32/Gamarue.I

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Third party control
   • Lowers security settings
   • Registry modification

Files
It drops copies of itself using a filename from the following lists.
To: C:\Documents and Settings\All Users, using one of the following names:
   • svchost.exe

To: %ALLUSERSPROFILE%\Local Settings\Temp, using one of the following names:
   • %random character string%.bat
   • %random character string%.pif
   • %random character string%.scr
   • %random character

Registry
To each registry key, one of the following values is added in order to run the processes after reboot:
   • "SunJavaUpdateSched"="%ALLUSERSPROFILE%\svchost.exe"
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character string%.pif"
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character string%.bat"
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character string%.scr"
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character"
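The drop locations and Run-key values above are enough to write a small triage rule for autorun entries. The following script is an added example for this page, not Avira's code or any tool the description names: it takes a list of Run-key (name, data) pairs, expands the two placeholders used in the description, and flags an entry when svchost.exe is started from anywhere other than %SYSDIR% or when the target is a .bat/.pif/.scr file in the All Users Temp folder. The environment paths and the sample Run values are constructed for a hypothetical Windows XP host; on a real host the pairs would come from the Run keys of HKLM/HKCU.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed environment values for a hypothetical Windows XP host.
ALLUSERSPROFILE = r"C:\Documents and Settings\All Users"
SYSDIR = r"C:\WINDOWS\system32"

# Drop location and dropped-file extensions taken from the description above.
TEMP_DIR = ALLUSERSPROFILE + r"\Local Settings\Temp"
TEMP_EXTS = (".bat", ".pif", ".scr")

# Constructed sample of Run-key values as (value name, value data).
# Entries 1 and 2 mirror the patterns on the page; 3 and 4 are benign lookalikes.
SAMPLE_RUN_VALUES: List[Tuple[str, str]] = [
    ("SunJavaUpdateSched", r"%ALLUSERSPROFILE%\svchost.exe"),
    ("4711", r"%ALLUSERSPROFILE%\Local Settings\Temp\qzxvbn.pif"),
    ("SunJavaUpdateSched", r"C:\Program Files\Java\jre6\bin\jusched.exe"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]


@dataclass
class Finding:
    value_name: str
    data: str
    reasons: List[str] = field(default_factory=list)


def expand(data: str) -> str:
    """Expand the two placeholders the description uses and strip surrounding quotes."""
    out = data.strip('"')
    out = out.replace("%ALLUSERSPROFILE%", ALLUSERSPROFILE)
    out = out.replace("%SYSDIR%", SYSDIR)
    return out


def classify(value_name: str, data: str) -> Optional[Finding]:
    """Return a Finding when the Run value matches the persistence pattern, else None."""
    path = expand(data)
    low = path.lower()
    directory, _, filename = low.rpartition("\\")
    reasons: List[str] = []

    # Rule 1: the real svchost.exe lives in %SYSDIR%; any other location is suspect.
    if filename == "svchost.exe" and directory != SYSDIR.lower():
        reasons.append("svchost.exe outside %SYSDIR%")

    # Rule 2: autorun target inside All Users\Local Settings\Temp with a dropped-file extension.
    if directory == TEMP_DIR.lower() and filename.endswith(TEMP_EXTS):
        reasons.append("autorun from Temp with .bat/.pif/.scr extension")

    # Rule 3 (supporting only): the page describes numeric value names ("%number%").
    if reasons and re.fullmatch(r"\d+", value_name):
        reasons.append("numeric value name")

    return Finding(value_name, path, reasons) if reasons else None


def triage(run_values: List[Tuple[str, str]]) -> List[Finding]:
    """Apply classify() to every (name, data) pair and keep the hits."""
    return [f for f in (classify(n, d) for n, d in run_values) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_RUN_VALUES):
        print(f"{f.value_name!r} -> {f.data}: {'; '.join(f.reasons)}")
```

Rule 3 is deliberately only a supporting signal: a numeric value name on its own is not evidence, so it is recorded only when one of the path rules already fired.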

Email
It doesn't have its own spreading routine, but it was spammed out via email. The characteristics are described in the following:

The sender address is spoofed.
The sender of the email is the following:

The subject of the email is the following:
   • Your friend wants to share photos and updates with you

The body of the email contains HTML code and is the following:

   • One of your friends wants to share photos and updates with you.
     One of your friends has invited you to Facebook. After you sign up, you'll be able to stay connected with friends by sharing photos and videos, posting status updates, sending messages and more.

The filename of the attachment is:

The attachment is an archive containing a copy of the malware itself.

The email looks like the following:

Backdoor
The following port is opened:

%ALLUSERSPROFILE%\svchost.exe on TCP port 8000, in order to provide a remote shell.

Contact server:
The following:
   • http://stripe**********image.php

Once connected, it retrieves an additional list of servers.
As a result it may send information, and remote control could be provided.

Sends information about:
   • Current malware status

Injection
It injects itself into a process.

Process name:
   • %SYSDIR%\wuauclt.exe

File details
Programming language:
The malware program was written in MS Visual C++.

Encrypted – The virus code inside the file is encrypted.

Description inserted by Ana Maria Niculescu on Thursday, August 30, 2012
Description updated by Andrei Gherman on Thursday, August 30, 2012
