TheMalwareMaster

Level 20
Verified
Trusted
Good morning. Today I want to share with you a strange experience I had yesterday with Microsoft security software. A user of my home PC received a spam email containing a zipped worm. She tried to download the file, but she got two warnings: one from Edge (something like: this file can be dangerous for your computer) and another from Defender, which found malware and removed it. When I came to the PC, in fact, I found "Worm Gamarue" in the WD detected items, but there were a few strange facts:

1) The zip file was still in the Downloads folder. I removed it without checking if the malware was still inside.
2) In the details of Worm Gamarue, WD was indicating three files in AppData\Local instead of the malware inside the zip. Strange, because the malware wasn't executed.

I re-downloaded the file to investigate on the same computer, and I got no notifications. Edge was asking if I wanted to open the zip file, and Defender was silent. I uploaded the zip file to VirusTotal and there were 6-7 detections, but I decided to also upload the tiny JS file of only 20 kbytes inside it. In a rush, instead of extracting the malware, I executed it by mistake... No notifications from Defender, UAC or SmartScreen. I decided to immediately switch off the router and the computer. I switched the computer back on again without an Internet connection and Defender caught Worm Gamarue and a trojan (probably dropped by the worm). Since there were no strange processes in memory, I turned the router back on again and ran some scans. HMP found some malware in AppData\Local, not active (detected only by the Hitman Pro engine). I scanned that area with Defender and it was able to find the same threats and remove them. Malwarebytes didn't find anything. I decided to make a clean install of Windows on that PC. It seemed that everything was safe. Data was left untouched (I had a backup anyway) and no accounts were compromised.
My question is: why, the first time, did both SmartScreen and Defender block the malware on download, while when I tried to download it again it wasn't blocked by Edge, and Defender let me execute it, and it was removed only after a system restart? When the file was downloaded the first time I wasn't using the computer, but the Edge notification prevented the user from even opening the zip file, so I'm sure it wasn't executed the first time.
 

_CyberGhosT_

Level 53
Verified
Trusted
Content Creator
This is indeed very strange behavior for Edge, Defender and UAC. To clearly eliminate some ideas and narrow it down, knowing what settings UAC and Defender were set to at the time would have helped a lot.
Did you look up the characteristics of the worm in question? And you mention that it dropped a trojan; which one? The trojan may have seemed inactive but may have at that time already done what it was configured or scripted to do, so it was actually "spent". It's a good thing you did a fresh install of Windows; that was a spot-on call on your part. It would have been nice to see some logs from that infection. The cause of some of the odd behavior could be that there was more dropped onto the system that made some changes to the security software, but at this point that would be strictly speculation, seeing as we can't comb through the logs.
Thanks for sharing this ;)
 

TheMalwareMaster

Level 20
Verified
Trusted
Both Windows Defender and UAC were at default settings. I can't remember the name of the trojan because I made a fresh install of Windows and I reset the router. The strange fact is that the first time, the file was blocked on download and didn't even execute. So the system shouldn't have been modified in any way.
 

_CyberGhosT_

Level 53
Verified
Trusted
Content Creator
> Both Windows Defender and UAC were at default settings. I can't remember the name of the trojan because I made a fresh install of Windows and I reset the router. The strange fact is that the first time, the file was blocked on download and didn't even execute. So the system shouldn't have been modified in any way.

Not necessarily. You're going by what was detected, and without the logs you have to assume there's a good chance there was a thing or two not caught or detected; you know this, or I would assume that based on that user name :p
I am very surprised that when your curiosity kicked in you didn't virtualize this and play with it that way; you stood to learn far more. When you accidentally activated the script, was that the worm, or an unassociated script?
 

_CyberGhosT_

Level 53
Verified
Trusted
Content Creator
> I'm going to re-download the file in my virtual machine in order to find more information.

There ya go. Hey, also, after posting I looked up the characteristics of that particular worm and MS says one of its main functions is to change security settings.
Link: Win32/Gamarue
So I wasn't far off the mark, but be careful of what may be packed in there with it, and remember it may not execute the same if it is aware it's being played with within a virtual environment. ;)
 

TheMalwareMaster

Level 20
Verified
Trusted
> remember it may not execute the same if it is aware it's being played with within a virtual environment. ;)

I recognise my mistake; I have been a Malware Hub member for some time and never infected host machines. I was told the malware wasn't executed (I was not using the computer at that time), because Edge blocked the file (no option to open the zip) and there was a Windows Defender detection. So I don't understand how this was able to modify the system. Maybe it could have auto-executed itself?
 

_CyberGhosT_

Level 53
Verified
Trusted
Content Creator
> I recognise my mistake; I have been a Malware Hub member for some time and never infected host machines. I was told the malware wasn't executed (I was not using the computer at that time), because Edge blocked the file (no option to open the zip) and there was a Windows Defender detection. So I don't understand how this was able to modify the system. Maybe it could have auto-executed itself?

Almost 100% positive that it, or something packed or dropped, did. See, the thing to do in a rare situation like that, where you accidentally activated it, would have been to save every log that system could produce and comb through it to actually see what it was doing. I don't participate in the HUB, but I would have wondered about the effect of my error and wanted to know the damage; it's fascinating :)
I know you get the "cause & effect" point I am making.
Keep us informed if you do re-download it; I just hope it's not VM-aware.
PS: I am not judging you for the mistake either, I just want to make that clear now.
Mistakes are what we do best, we're human after all ;)
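The "save every log the system could produce" advice above is the part of this thread a responder can act on before reinstalling. The script below is an added example for this thread, not something either poster ran; it collects, read-only, the artifacts that would have answered the original question: whether the re-downloaded zip still carried the Mark-of-the-Web that SmartScreen and Defender key off, what Defender's detection history says was found, where and by which process, and the Defender operational event log, which survives even when the detection list is cleared. The archive path is a placeholder; the cmdlets (Get-Item/Get-Content -Stream, Get-MpThreatDetection, Get-WinEvent, wevtutil) are standard on Windows 10/11 and need an elevated prompt.

```powershell
# Added example (not from the thread): gather Defender/SmartScreen evidence before a reinstall wipes it.
# Run from an elevated PowerShell prompt. Replace the placeholder path with the real downloaded archive.

$downloadedZip = "$env:USERPROFILE\Downloads\PLACEHOLDER_attachment.zip"   # placeholder, adjust
$out = Join-Path $env:USERPROFILE 'DefenderEvidence'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Mark-of-the-Web check. Edge writes a Zone.Identifier alternate data stream to downloads;
#    SmartScreen's "this file can be dangerous" prompt depends on it. A copy that lacks the
#    stream (for example after being re-saved by another tool) gets no such prompt.
if (Test-Path -LiteralPath $downloadedZip) {
    $motw = Get-Item -LiteralPath $downloadedZip -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($motw) {
        "Zone.Identifier present on $downloadedZip" | Tee-Object -FilePath (Join-Path $out 'motw.txt') -Append
        Get-Content -LiteralPath $downloadedZip -Stream Zone.Identifier |
            Tee-Object -FilePath (Join-Path $out 'motw.txt') -Append
    } else {
        "No Zone.Identifier stream on $downloadedZip" | Tee-Object -FilePath (Join-Path $out 'motw.txt') -Append
    }
}

# 2. Defender's detection history: time, threat id, the process that touched the file,
#    and the resources (paths) involved. This is where the thread's "three files in
#    AppData\Local" entries would show up alongside the process that created them.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime |
    Select-Object InitialDetectionTime, ThreatID, ProcessName,
        @{Name = 'Resources'; Expression = { $_.Resources -join '; ' }} |
    Tee-Object -Variable detections |
    Format-Table -AutoSize -Wrap
$detections | Export-Clixml -Path (Join-Path $out 'threatdetections.xml')

# 3. Defender operational log. Event 1116 = malware detected, 1117 = action taken.
#    The first line of each message carries the threat name and the file path.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1116, 1117
    } -MaxEvents 100 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize -Wrap

# Export the whole log as .evtx so it can be reviewed on another machine after the reinstall.
wevtutil epl 'Microsoft-Windows-Windows Defender/Operational' (Join-Path $out 'defender-operational.evtx')

# 4. Read-only check of whether Windows Script Host is enabled. A double-clicked .js file,
#    as in the thread, runs through wscript.exe; an Enabled value of 0 under this key
#    stops that on a machine that has no need for script files to run on double-click.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$wsh = Get-ItemProperty -Path $wshKey -Name Enabled -ErrorAction SilentlyContinue
"Windows Script Host Enabled value: " + $(if ($wsh) { $wsh.Enabled } else { 'not set (default: enabled)' }) |
    Tee-Object -FilePath (Join-Path $out 'wsh.txt')

"Evidence written to $out"
```

Run it before any cleanup or reinstall; once Defender has removed the files and the OS is reimaged, the detection history and the MOTW stream on the archive are gone. The Zone.Identifier result is the single most useful data point for the "why no prompt the second time" question, since a download that arrives without the stream is treated by SmartScreen as a local file.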
 

TheMalwareMaster

Level 20
Verified
Trusted
Yesterday Microsoft had a signature for those files with random-number names in AppData\Local\Temp. I probably understand now: the first time, the file was executed somehow (even if I wasn't told so) and Defender blocked those files, which were about to be executed by ntvdm.exe. I think it went this way because Microsoft doesn't have any signature for the JS file.