A new version of the file infector Gate.Worm has been identified by McAfee, luckily only a few samples of the malware have been spotted in the wild.
Six examples have been found and McAfee is still trying to determine if these are simply the result of a leak, which could indicate that the malware is still under construction and not ready for prime time.
This Gate.Worm infector is similar to a variant of the parasitic virus “Obfuscated-FBU!hb” which was first seen in 2013, but with several new twists, the company said.
“The old version implemented file extension checks to infect just the files they want. However, in the new variant they infect every file on the current folder,” Jorge Arias, Anti-Malware Security Researcher with McAfee Labs, told SCMagazine in an email Friday.
The Gate.Worm creators also no longer implements the persistence mechanism via RUN key and it no longer implements file extensions checks to infect just certain files, instead the new variant infects every file on the current folder, Arias said.
The one addition is the IsDebuggerPresent check, commonly used to prevent the malware file from being debugged by researchers.
The McAfee team is not certain what group has brought back this infector nor exactly what it will be used for. McAfee found one sign in Gate.Worm pointing to SecurityGate.ru group, which is known to test antivirus software against malware, but this could also just be camouflage being used to put researchers on the wrong track.
Exactly what Gate.Worm will be used for is also up for debate.
“It’s not clear to say whether its intentions would be to be destructive or ransomware related but it’s possible. One purpose could also be data stealing. Some AV companies may replicate samples and then share them or some people may upload them to VirusTotal,” Arias said.
Virustotal is a free service that analyzes suspicious files and URLs.
However, Arias said that since Gate.Worm does not have the ability upload targeted files it is not fully formed yet.
Fortunately, this malware has no network capabilities nor does it infect external drives. The only option to spread this malware is for victims to directly download and execute it or to manually copy an infected sample to an external drive and execute it on another system, the blog said.