Date discovered: 30/08/2012
Type: Backdoor Server
In the wild: No
Reported Infections: High
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 58.368 Bytes
MD5 checksum: 3CCFB3CA8C0AAAA4E93856BC79570106
VDF version:
IVDF version:

General Method of propagation:
   • Email

Aliases:
   • Microsoft: Win32/Gamarue.I

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Third party control
   • Lowers security settings
   • Registry modification

Files:
It drops copies of itself using filenames from the following lists.
– To: C:\Documents and Settings\All Users using one of the following names:
   • svchost.exe

– To: %ALLUSERSPROFILE%\Local Settings\Temp using one of the following names:
   • %random character string%.bat
   • %random character string%.pif
   • %random character string%.scr
   • %random character

Registry:
To each of the following registry keys one of the listed values is added in order to run the dropped files after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "SunJavaUpdateSched"="%ALLUSERSPROFILE%\svchost.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character string%.pif"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character string%.bat"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character string%.scr"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character"

Email:
It doesn't have its own spreading routine, but it was spammed out via email. The characteristics are described in the following:

The sender address is spoofed.
The sender of the email is the following:

The subject of the email is the following:
   • Your friend wants to share photos and updates with you

– Contains HTML code.
The body of the email is the following:

   • One of your friends wants to share photos and updates with you.
     One of your friends has invited you to Facebook. After you sign up, you'll be able to stay connected with friends by sharing photos and videos, posting status updates, sending messages and more.

The filename of the attachment is:

The attachment is an archive containing a copy of the malware itself.

The email looks like the following:

Backdoor:
The following port is opened:

– %ALLUSERSPROFILE%\svchost.exe on TCP port 8000 in order to provide a remote Shell.
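As an added example that is not part of the Avira description, the following PowerShell script performs read-only checks on a host for the indicators listed above: the "SunJavaUpdateSched" Run value and any Run value launching an svchost.exe from outside System32, values under the policies\Explorer tree that point at a .pif/.bat/.scr file in the Temp path named above, the dropped %ALLUSERSPROFILE%\svchost.exe (hashed against the MD5 given for this sample), and a process listening on TCP port 8000. Assumptions: an elevated PowerShell 3.0 or later session; Get-FileHash needs PowerShell 4.0; Get-NetTCPConnection exists only on Windows 8 / Server 2012 and later, so netstat is used as the fallback on the older OS versions listed on this page. Because the policies\Explorer key name is truncated in the description, the whole subtree under policies\Explorer is scanned rather than one assumed subkey.

```powershell
function Test-GamarueIndicators {
    # Read-only checks; nothing is modified or deleted. Returns one object per finding.
    $findings = @()

    # 1. Run key: the value name from the description, plus any value that starts
    #    an svchost.exe outside %SystemRoot%\System32 (where the real one lives).
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip PowerShell's own note properties
            $suspicious = ($p.Name -eq 'SunJavaUpdateSched') -or
                          ($p.Value -is [string] -and $p.Value -match '(?i)svchost\.exe' -and
                           $p.Value -notmatch '(?i)\\system32\\')
            if ($suspicious) {
                $findings += [pscustomobject]@{ Check = 'Run value'; Detail = "$($p.Name) = $($p.Value)" }
            }
        }
    }

    # 2. policies\Explorer subtree: the description shows numeric value names whose
    #    data points at %ALLUSERSPROFILE%\Local Settings\Temp\<random>.pif/.bat/.scr.
    $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'
    $keys = @()
    if (Test-Path $polKey) {
        $keys = @(Get-Item $polKey) + @(Get-ChildItem -Path $polKey -Recurse -ErrorAction SilentlyContinue)
    }
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            $val = $k.GetValue($name)
            if ($val -is [string] -and $val -match '(?i)\\Local Settings\\Temp\\[^\\]+\.(pif|bat|scr)$') {
                $findings += [pscustomobject]@{ Check = 'policies\Explorer value'; Detail = "$($k.Name)\$name = $val" }
            }
        }
    }

    # 3. Dropped file. On Vista and later %ALLUSERSPROFILE% resolves to C:\ProgramData
    #    rather than the Documents and Settings path quoted above; the MD5 is the one
    #    listed for this sample and only matches this exact file.
    $drop = Join-Path $env:ALLUSERSPROFILE 'svchost.exe'
    if (Test-Path $drop) {
        $md5 = (Get-FileHash -Path $drop -Algorithm MD5).Hash   # Get-FileHash: PowerShell 4.0+
        $known = ($md5 -eq '3CCFB3CA8C0AAAA4E93856BC79570106')
        $findings += [pscustomobject]@{ Check = 'Dropped file'; Detail = "$drop MD5=$md5 knownSample=$known" }
    }

    # 4. Listener on TCP 8000 (the remote-shell port named in the description).
    $listenerPids = @()
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listenerPids = Get-NetTCPConnection -LocalPort 8000 -State Listen -ErrorAction SilentlyContinue |
                        ForEach-Object { $_.OwningProcess }
    } else {
        # Fallback for Windows 2000 .. Windows 7 / Server 2008: parse netstat output.
        $listenerPids = netstat -ano -p tcp | Select-String ':8000\s+\S+\s+LISTENING\s+(\d+)' |
                        ForEach-Object { [int]$_.Matches[0].Groups[1].Value }
    }
    foreach ($procId in $listenerPids) {
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{ Check = 'TCP 8000 listener'; Detail = "PID $procId ($($proc.ProcessName)) $($proc.Path)" }
    }

    return $findings
}

Test-GamarueIndicators | Format-Table -AutoSize
```

An empty table means none of the listed indicators were found; a hit on the Run or policies\Explorer checks identifies the exact value to export for evidence before any cleanup, and the port check ties the listener back to a process path so a renamed svchost.exe outside System32 stands out.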

Contact server:
   • http://stripe**********image.php

Once connected, it retrieves an additional list of servers.
As a result it may send information, and remote control could be provided.

Sends information about:
   • Current malware status
   • Username

Injection:
It injects itself into a process.

Process name:
   • %SYSDIR%\wuauclt.exe

File details:
Programming language:
The malware program was written in MS Visual C++.

Encrypted: The virus code inside the file is encrypted.

Description inserted by Ana Maria Niculescu on Thursday, August 30, 2012
Description updated by Andrei Gherman on Thursday, August 30, 2012
