Fire Safety emails lead to Gamarue Worm (Apr 18, 2012)


SonicWALL Threat Research team discovered a new spam theme wherein Fire Saftey and Guidance notification e-mails were being sent out. This is the first time we have observed spammers employing Fire Safety spam themes to entice users in to opening a malicious attachment. The e-mail alleges to be from the Human Resources department and specifically targets company employees. The e-mail contains notice of an upcoming fire safety test and claims to have the recipient’s role attached. The zipped attachment in the email is a newer variant of Gamarue worm.

Email subjects used in this spam campaign include:

  • Fire Safety joint event
  • Counter Terrorism Safety Event
  • Enclosed Tutoring Materials
  • Instruction in Life Safety Education
  • Materials for a scheduled Public Safety event
  • Notification for a FireSafety Event
  • Public Safety Joint Event
  • Scheduled Event Notification
  • Tutoring material for a scheduled event

The body of the email is as shown below:

 --------------------------------------------------------------------- Dear Associates  It might be useful for you to know that we are having a joint event with Fire and Counter Terrorism Safety including two written tests on Friday.  Last month four in ten employees surveyed could not pass the Fire Safety test.  Each of you will find enclosed a Fire Safety Guidance and your role description. Please take a look at the enclosed materials before 17th of April.  Kind regards,  Eve Sydow Department of Human Resources ---------------------------------------------------------------------	 

The file in the zip attachment uses the following misleading icons:


It performs the following activities when executed:

  • It creates the following files:
    • %temp%msdubmnax.exe (Copy of itself) [Detected as GAV: Gamarue.F_3 (Worm)]
    • %temp%fas.exe [Detected as GAV: Winwebsec.B (Trojan)]
    • Documents and Settingsuserd12280hoey.exe [Detected as GAV: Wigon.OW_8 (Trojan)]
  • It injects msdubmnax.exe into wuauclt.exe (Windows update client) and d12280hoey.exe into svchost.exe (Host Process for Services).
  • It creates the following registry entries to ensure infection on reboot:
    • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorerRun 28739 “%temp%msdubmnax.exe”
    • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun d12280hoey “Documents and Settingstestd12280hoey.exe”
  • It posts information to a remote C&C server and receives further instructions


  • It downloads FakeAV and sends out spam emails

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Gamarue.F_3 (Worm)
  • GAV: Winwebsec.B (Trojan)
  • GAV: Wigon.OW_8 (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.