Home / malware Win32/Brambul
First posted on 12 October 2015.
Source: MicrosoftAliases :
There are no other names known for Win32/Brambul.
Explanation :
Threat behavior
Installation
This threat can be installed when you open a malicious spam email attachment.
It creates the following files on your PC:
- %SystemRoot% \admin$\csrss.exe
- %SystemRoot% \csrss.exe
The malware also adds a service for the dropped file with the display name Rvcrosoft Windows Genuine Updater.
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Update"
With data: "", for example C:\admin$\csrss.exe or C:\csrss.exe
The malware also tries to get access to your network shares using a combination of user names and passwords from the following:
!@#$
!@#$
!@#$%
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
!@#$%^&*(
!@#$%^&*()
1
1111
111111
12
123
1234 12345
123456
1234567
4321
54321
654321
admin
administrator
angel
asdf
asdfg
asdfgh
BUMBLE
db2admin
mail mail1
mail123
mail1234
pass
passwd
password
root
root
test1234
web
web1
web123
web1234
~!@#$%^&*()_+
If the malware is successful in gaining access to your network shares it creates a copy of itself in the following locations:
- %SystemRoot% \admin$\csrss.exe
- %SystemRoot% \csrss.exe
Payload
Gives a malicious hacker access to your PC
This threat can give a malicious hacker access and control of your PC. The attacker can give the malware remote commands, including to send spam emails from your PC to spread malware.
Analysis by Francis Tan Seng
SymptomsThe following can indicate that you have this threat on your PC:
- You have these files:
- %SystemRoot%\admin$\csrss.exe
- %SystemRoot%\csrss.exe
- You see these entries or keys in your registry:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Update"
With data: "" Last update 12 October 2015