About contagio exchange

CONTAGIO EXCHANGE

Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy, and Mila too, so this was not a very active site (my fault, probably). I will just be dumping malware strings here; it often helps in malware identification, and googling is the best way.
With just strings, this is not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5s. You can find the corresponding samples on Contagio, or ping me if you can't find
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Tuesday, March 6, 2012

004 - Crime - Worm Gamarue.F or Yakes - Web - Worm - Feb 2012

MD5: c8cc880f91c832bc7c432507f7ca56d6

Download (pass infected)





Name: worm Gamarue.F
Category: Crime
Type: worm?
Vector: Web drive-by
Sample credit: anonymous
File date: 2012-02-02

C&C (domains do not resolve at the moment):
business.greatespnjob.com
toptours.grantandamy.net
c388env.grasaker.se
touchme.graymalkin.us
ns1.afraid.org




Strings:

v'@.
XPTPSW
KERNEL32.DLL
ADVAPI32.DLL
USER32.DLL
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
RegCloseKey
GetMenu

Unicode Strings:
---------------------------------------------------------------------------
VS_VERSION_INFO
StringFileInfo
040904b0
Comments
CompanyName
Foxit Corporation
FileDescription
Foxit Reader 5.0, Best Reader for Everyday Use!
FileVersion
5, 0, 2, 0718
InternalName
Foxit Reader.exe
LegalCopyright
Copyright (C) 2009-2011 Foxit Corporation
LegalTrademarks
OriginalFilename
Foxit Reader.EXE
PrivateBuild
ProductName
Foxit Reader
ProductVersion
5, 0, 2, 0718
SpecialBuild
VarFileInfo


VirusTotal detection ratio: 33 / 43
Analysis date: 2012-03-07 04:27:15 UTC
Antivirus     Result     Update
AhnLab-V3     Trojan/Win32.Jorik     20120307
AntiVir     Worm/Gamarue.F.6     20120306
Antiy-AVL     Trojan/Win32.Yakes.gen     20120305
Avast     Win32:Rootkit-gen [Rtk]     20120306
AVG     Generic26.CNIK     20120306
BitDefender     Trojan.Generic.KDV.524519     20120307
ByteHero     -     20120305
CAT-QuickHeal     Trojan.Yakes.oqs     20120307
ClamAV     -     20120306
Commtouch     -     20120307
Comodo     TrojWare.Win32.Trojan.Agent.Gen     20120306
DrWeb     Trojan.DownLoader5.42407     20120307
Emsisoft     Trojan.Win32.Yakes!IK     20120307
eSafe     -     20120305
eTrust-Vet     -     20120306
F-Prot     -     20120306
F-Secure     Trojan.Generic.KDV.524519     20120306
Fortinet     W32/Yakes.OQS!tr     20120305
GData     Trojan.Generic.KDV.524519     20120306
Ikarus     Trojan.Win32.Yakes     20120307
Jiangmin     Trojan/Generic.wzzm     20120301
K7AntiVirus     Trojan     20120306
Kaspersky     Trojan.Win32.Yakes.oqs     20120306
McAfee     Generic.tfr!br     20120307
McAfee-GW-Edition     Generic.tfr!br     20120307
Microsoft     Worm:Win32/Gamarue.F     20120307
NOD32     a variant of Win32/Kryptik.ZXP     20120306
Norman     W32/Suspicious_Gen4.IAZE     20120304
nProtect     Trojan.Generic.KDV.524519     20120306
Panda     Generic Trojan     20120307
PCTools     -     20120228
Prevx     -     20120307
Rising     -     20120306
Sophos     Troj/Bredo-QG     20120307
SUPERAntiSpyware     Heur.Agent/Gen-FakeFoxit     20120307
Symantec     Trojan.Gen     20120305
TheHacker     Posible_Worm32     20120306
TrendMicro     TROJ_GEN.R3EC7B4     20120306
TrendMicro-HouseCall     TROJ_GEN.R3EC7B4     20120307
VBA32     Trojan.Yakes.oqs     20120306
VIPRE     Trojan.Win32.Generic!BT     20120307
ViRobot     -     20120307
VirusBuster     Trojan.Yakes!krnc77DoB8w     20120307