Threat Research & Response Blog
We have seen variants of Worm:Win32/Gamarue spread via removable drives in the past, but recent variants have adopted a more convoluted method of spreading involving several components. Let's take a look at one.
For this variant of Worm:Win32/Gamarue, we start with an infected removable drive, for example a USB flash drive. Our infected example drive contains the following files:
Figure 1: Removable drive infected with Win32/Gamarue
Let us start with the shortcut file (detected as Worm:Win32/Gamarue.gen!lnk). You will note from the image above that it displays the removable drive icon and is typically named after the removable device and its size, both of which are determined at the time of infection. This appears to be an attempt to trick the user into opening the shortcut.
Figure 2: Shortcut invokes the loader DLL
The file with the ".usbdrv" extension, in this particular case, is a DLL (detected as Worm:Win32/Gamarue.N) that is executed when the shortcut is opened.
When run, it reads the contents of the file "desktop.ini", which is a flat file of 32-bit executable code rather than the usual text file, and proceeds to execute it.
Figure 3: 32-bit code in flat file "desktop.ini"
The code contained in "desktop.ini" first tries to download an updated copy of "Thumbs.db", replacing the existing file on the USB drive. It then decrypts the data from "Thumbs.db" and writes it to "C:\Temp\TrustedInstaller.exe".
Figure 4: "Thumbs.db" is decrypted to C:\Temp\TrustedInstaller.exe
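The file layout described so far (a shortcut at the drive root, a DLL with a ".usbdrv" extension, a "desktop.ini" that holds flat machine code instead of text, and a "Thumbs.db" that is not a real thumbnail cache) is something an administrator can triage for without executing anything. The script below is an added example and is not MMPC code; the file names in the constructed sample drive, the shortcut name format, and the heuristics for "not text" and "not an OLE file" are assumptions drawn from this write-up, not from the actual samples.

```python
"""Triage a removable drive's root directory for the Win32/Gamarue file layout.

Added example (not MMPC code). Heuristics:
  - a genuine desktop.ini is a small text file (ASCII or UTF-16 with BOM);
  - a genuine Thumbs.db is an OLE compound file (D0 CF 11 E0 A1 B1 1A E1);
  - a file ending in .usbdrv that starts with 'MZ' is a PE image hiding
    behind a made-up extension.
"""
import os
import string

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PRINTABLE = set(bytes(string.printable, "ascii"))


def _read_head(path, n=64):
    with open(path, "rb") as fh:
        return fh.read(n)


def _is_text(head):
    """True for ASCII text or a UTF-16 BOM; flat x86 code fails this check."""
    if head.startswith((b"\xff\xfe", b"\xfe\xff")):
        return True
    return all(b in PRINTABLE for b in head)


def triage_drive_root(root):
    """Return a list of (indicator, filename) pairs found directly under `root`."""
    findings = []
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        lower = name.lower()
        head = _read_head(path)
        if lower.endswith(".usbdrv") and head.startswith(b"MZ"):
            findings.append(("loader-dll", name))
        elif lower == "desktop.ini" and not _is_text(head):
            findings.append(("flat-desktop-ini", name))
        elif lower == "thumbs.db" and not head.startswith(OLE_MAGIC):
            findings.append(("opaque-thumbs-db", name))
        elif lower.endswith(".lnk"):
            findings.append(("shortcut", name))
    return findings


def assess(root):
    """Verdict is True only when the loader DLL is paired with a payload file,
    so a drive that merely carries a shortcut or a stray Thumbs.db is not flagged."""
    findings = triage_drive_root(root)
    kinds = {k for k, _ in findings}
    verdict = "loader-dll" in kinds and bool(kinds & {"flat-desktop-ini", "opaque-thumbs-db"})
    return verdict, findings


def build_sample_drive(root, infected):
    """Write a constructed drive root into `root`. No real malware is involved:
    every file is a short stub; the names are assumptions, not the real samples."""
    files = {
        "desktop.ini": b"[.ShellClassInfo]\r\nIconResource=icon.ico,0\r\n",
        "Thumbs.db": OLE_MAGIC + bytes(504),
        "holiday.jpg": b"\xff\xd8\xff\xe0" + bytes(64),
    }
    if infected:
        files.update({
            "USB DISK (4GB).lnk": b"L\x00\x00\x00" + bytes(72),   # shortcut stub, assumed name
            "e7a1c3.usbdrv": b"MZ" + bytes(126),                  # PE stub behind .usbdrv
            "desktop.ini": b"\x55\x8b\xec\x83\xec\x20\xe8\x00\x00\x00\x00",  # constructed code bytes
            "Thumbs.db": b"\x3a\x91\x7c\xd4" + bytes(60),          # opaque, non-OLE bytes
        })
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)


def run_demo():
    """Build one infected and one clean constructed drive root and assess both."""
    import tempfile
    results = []
    for infected in (True, False):
        root = tempfile.mkdtemp(prefix="gamarue-demo-")
        build_sample_drive(root, infected)
        verdict, findings = assess(root)
        results.append((verdict, sorted(k for k, _ in findings)))
    return results


if __name__ == "__main__":
    for verdict, kinds in run_demo():
        print("infected" if verdict else "clean", kinds)
```

Point `assess()` at the root of a mounted drive (for example `E:\`) rather than the demo directory to use it in practice. The "not text" and "not OLE" checks are deliberately conservative, because both desktop.ini and Thumbs.db legitimately appear on many drives and a rule that flagged their mere presence would be useless.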
"C:\Temp\TrustedInstaller.exe" is then executed. It performs a few actions:
Figure 5: Registry key e_magic contains another encrypted copy of TrustedInstaller.exe
The binary written to HKCU\SOFTWARE\e_magic is another encrypted version of the TrustedInstaller.exe component, which is subsequently used to infect more removable drives.
Figure 6: Registry key 0022FF03 contains data with a ZIP-like header
The data written to the registry entry HKLM\SOFTWARE\Microsoft\0022FF03 is interesting, as it contains what looks like a ZIP header at the start, but is not actually a ZIP archive.
Figure 7: Encrypted and compressed data with a ZIP-like header
The data is encrypted; after decryption it is revealed to be compressed executable code.
Figure 8: aPLib compressed executable code
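The registry blob's "ZIP header that is not a ZIP archive" can be recognised mechanically: a real archive carries an end-of-central-directory record and members that pass their CRC, whereas this data only borrows the four-byte local-file-header signature. The following is an added example, not MMPC code, that classifies such a blob and, on Windows only, looks for the two registry entries named in this write-up. The page does not state whether "e_magic" and "0022FF03" are values or subkeys, so both forms are tried; that, and the constructed sample blobs, are assumptions.

```python
"""Classify a 'PK'-prefixed blob and look for the registry entries named above.

Added example (not MMPC code). The sample blobs are constructed here; the
real registry data is encrypted and no key is reproduced.
"""
import io
import struct
import sys
import zipfile

PK_LOCAL = b"PK\x03\x04"
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")   # 30-byte ZIP local file header

# (hive, key path, entry) as given in the write-up
REGISTRY_INDICATORS = [
    ("HKEY_CURRENT_USER", r"SOFTWARE", "e_magic"),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft", "0022FF03"),
]


def classify_pk_blob(data):
    """Return 'no-pk-signature', 'valid-zip' or 'pk-header-but-not-zip'."""
    if not data.startswith(PK_LOCAL):
        return "no-pk-signature"
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):           # needs an end-of-central-directory record
        try:
            with zipfile.ZipFile(buf) as zf:
                if zf.testzip() is None:  # every member's CRC checks out
                    return "valid-zip"
        except zipfile.BadZipFile:
            pass
    return "pk-header-but-not-zip"


def local_header_fields(data):
    """Decode the local file header so an analyst can see why a blob is implausible
    (absurd name length, unknown method, sizes that exceed the blob)."""
    if len(data) < LOCAL_HDR.size:
        return None
    _sig, _ver, _flags, method, _t, _d, _crc, csize, usize, fnlen, exlen = LOCAL_HDR.unpack_from(data)
    return {
        "method": method,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "name_len": fnlen,
        "name_fits": LOCAL_HDR.size + fnlen + exlen <= len(data),
        "stored_or_deflated": method in (0, 8),
    }


def registry_indicators_present():
    """On Windows, return the indicator entries that exist (value or subkey); elsewhere []."""
    if sys.platform != "win32":
        return []
    import winreg
    hits = []
    for hive_name, path, entry in REGISTRY_INDICATORS:
        hive = getattr(winreg, hive_name)
        try:
            with winreg.OpenKey(hive, path) as key:
                try:
                    winreg.QueryValueEx(key, entry)      # entry stored as a value
                    hits.append((hive_name, path, entry))
                    continue
                except FileNotFoundError:
                    pass
                try:
                    winreg.CloseKey(winreg.OpenKey(key, entry))  # entry stored as a subkey
                    hits.append((hive_name, path, entry))
                except FileNotFoundError:
                    pass
        except FileNotFoundError:
            pass
    return hits


def sample_fake_blob():
    """Constructed stand-in for the registry data: a PK signature followed by opaque bytes."""
    return PK_LOCAL + bytes((i * 37 + 11) & 0xFF for i in range(200))


def sample_real_zip():
    """Constructed genuine archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for blob in (sample_fake_blob(), sample_real_zip()):
        print(classify_pk_blob(blob), local_header_fields(blob))
    print("registry hits:", registry_indicators_present())
```

On 64-bit Windows, `winreg.OpenKey` follows the process's own registry view, so a 32-bit Python may be redirected to WOW6432Node for the HKLM path; pass `access=winreg.KEY_READ | winreg.KEY_WOW64_64KEY` if you need to check the native view explicitly.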
The Worm:Win32/Gamarue.I component, which was dropped into the temporary folder earlier, runs the system file %System%\wuauclt.exe and injects code into that process. This injected code reads the data from the registry entry HKLM\SOFTWARE\Microsoft\0022FF03, decrypts it using a 32-byte key stored within the code, and decompresses it using the widely available aPLib compression library.
The result is the worm's spreading component: a DLL which checks for removable drives and infects them. At no point is this component written to disk.
Figure 9: Code from the spreading component DLL checking for a removable drive
So now we come to the end of our cycle. If a removable drive is found, it is infected (or reinfected): the encrypted data read from the registry entry HKCU\SOFTWARE\e_magic is written to the file "thumbs.db", the flat binary file of 32-bit code is written to "desktop.ini", and the loader DLL and shortcut are written alongside them.
And thus goes the multifaceted propagation of Win32/Gamarue via removable drives, using a method so disjointed that one assumes it is intended to evade detection.
As always, safe computing and take care.
Raymond Roberts, MMPC Melbourne