A new version of the file infector Gate.Worm has been detected by security researchers, and a few samples of the malware have been spotted in the wild. The Gate.Worm infector is similar to a variant of the parasitic virus “Obfuscated-FBU!hb”, which was first seen in 2013, but with some differences. The old version implemented file extension checks so that it infected only selected files. According to security researchers, the new variant no longer implements these file extension checks and instead infects every file in the current folder. The Gate.Worm creators have also dropped the persistence mechanism via the RUN key. The one addition is an IsDebuggerPresent check, commonly used to prevent the malware file from being debugged by researchers.
Source:
SC Magazine
Team Cymru
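The advisory notes that the new variant skips file extension checks and infects every file in the current folder, so one defensive signal is a folder in which every baselined file changes at once across unrelated file types. The following is an added example, not part of the advisory or of any vendor tooling; the function names (`snapshot`, `assess`, `append`, `demo`), the sample files and the heuristic itself are assumptions made for illustration, not a documented Gate.Worm signature.

```python
import hashlib
import os
import tempfile


def snapshot(folder):
    """Map each regular file in `folder` (non-recursive) to its SHA-256 digest."""
    digests = {}
    for entry in os.scandir(folder):
        if entry.is_file(follow_symlinks=False):
            with open(entry.path, "rb") as fh:
                digests[entry.name] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def assess(before, after):
    """Compare two snapshots and flag a folder-wide, extension-agnostic change."""
    common = sorted(set(before) & set(after))
    changed = [n for n in common if before[n] != after[n]]
    exts = sorted({os.path.splitext(n)[1].lower() for n in changed})
    # Every baselined file changed and several file types are involved:
    # consistent with an infector that skips file extension checks.
    folder_wide = len(common) > 1 and changed == common and len(exts) > 1
    return {"changed": changed, "extensions": exts, "folder_wide": folder_wide}


def append(folder, name, data):
    with open(os.path.join(folder, name), "ab") as fh:
        fh.write(data)


def demo():
    """Constructed sample: three harmless files, one edit, then a bulk change."""
    with tempfile.TemporaryDirectory() as folder:
        samples = {"setup.exe": b"MZ-constructed", "notes.txt": b"hello",
                   "photo.jpg": b"constructed-image-bytes"}
        for name, data in samples.items():
            append(folder, name, data)
        baseline = snapshot(folder)
        append(folder, "notes.txt", b" world")  # ordinary single-file edit
        single = assess(baseline, snapshot(folder))
        for name in samples:  # simulated folder-wide modification
            append(folder, name, b"-appended")
        bulk = assess(baseline, snapshot(folder))
        return single, bulk


if __name__ == "__main__":
    for label, result in zip(("single edit", "bulk change"), demo()):
        print(label, result)
```

A hit from this heuristic is a triage lead, not a verdict: bulk re-encoding, backup restores and software updates can also rewrite a whole folder.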
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis