
Win32/Brambul


First posted on 12 October 2015.
Source: Microsoft

Aliases :

There are no other names known for Win32/Brambul.

Explanation :

Threat behavior

Installation

This threat can be installed when you open a malicious spam email attachment.

It creates the following files on your PC:

  • %SystemRoot%\admin$\csrss.exe
  • %SystemRoot%\csrss.exe


The malware also adds a service for the dropped file with the display name Rvcrosoft Windows Genuine Updater.

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Update"
With data: "", for example C:\admin$\csrss.exe or C:\csrss.exe

The malware also tries to gain access to your network shares by trying combinations of the following user names and passwords:

!@#$
!@#$
!@#$%
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
!@#$%^&*(
!@#$%^&*()
1
1111
111111
12
123
1234 12345
123456
1234567
4321
54321
654321
admin
administrator
angel
asdf
asdfg
asdfgh
BUMBLE
db2admin
mail mail1
mail123
mail1234
pass
passwd
password
root
root
test1234
web
web1
web123
web1234
~!@#$%^&*()_+

If the malware succeeds in gaining access to your network shares, it creates a copy of itself in the following locations:

  • %SystemRoot%\admin$\csrss.exe
  • %SystemRoot%\csrss.exe


Payload

Gives a malicious hacker access to your PC

This threat can give a malicious hacker access and control of your PC. The attacker can give the malware remote commands, including to send spam emails from your PC to spread malware.



Analysis by Francis Tan Seng

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:
    • %SystemRoot%\admin$\csrss.exe
    • %SystemRoot%\csrss.exe
  • You see these entries or keys in your registry:
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Windows Update"
    With data: ""
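An added defender-side check, not part of the Microsoft entry, that applies the persistence indicators from the Installation and Symptoms sections (the Run value named "Windows Update" and a csrss.exe outside System32) to a Run-key export and a file listing. The function names (normalize, exe_from_command, check_run_entries, check_file_paths) and the sample inputs are constructed here; it assumes the only legitimate csrss.exe is the one in %SystemRoot%\System32, which Windows starts without any Run entry.

```python
import ntpath
import re

# Indicators named in the entry above; the sample inputs at the bottom are constructed.
RUN_VALUE_NAME = "Windows Update"
DROPPED_BASENAME = "csrss.exe"
# Assumption: the genuine csrss.exe lives only in System32 and is started by the
# Session Manager, so a csrss.exe elsewhere, or launched from Run, is suspect.
LEGIT_CSRSS_DIR = r"c:\windows\system32"

def normalize(path, system_root=r"C:\Windows"):
    """Expand %SystemRoot%/%windir% and lower-case so paths compare consistently."""
    expanded = re.sub(r"%(systemroot|windir)%", lambda _m: system_root, path, flags=re.IGNORECASE)
    return expanded.lower()

def exe_from_command(data):
    """Pull the executable out of Run value data: quoted path, else the first token."""
    data = data.strip()
    if data.startswith('"') and data.count('"') >= 2:
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]

def check_run_entries(entries):
    """Flag Run-key values whose executable is csrss.exe (the persistence entry above)."""
    findings = []
    for name, data in entries.items():
        if ntpath.basename(normalize(exe_from_command(data))) != DROPPED_BASENAME:
            continue
        reason = "csrss.exe is never legitimately autostarted from Run"
        if name == RUN_VALUE_NAME:
            reason += '; value name "Windows Update" matches the Brambul entry'
        findings.append(f"{name} -> {data}: {reason}")
    return findings

def check_file_paths(paths):
    """Return every csrss.exe outside System32, which covers both dropped locations."""
    return [p for p in paths
            if ntpath.basename(normalize(p)) == DROPPED_BASENAME
            and ntpath.dirname(normalize(p)) != LEGIT_CSRSS_DIR]

# Constructed sample data standing in for a Run-key export and a file listing.
SAMPLE_RUN = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "Windows Update": r"C:\admin$\csrss.exe",
}
SAMPLE_FILES = [
    r"C:\Windows\System32\csrss.exe",  # legitimate
    r"%SystemRoot%\admin$\csrss.exe",   # dropped location from the entry
    r"C:\Windows\csrss.exe",            # dropped location from the entry
]
```

On a live host, feed check_run_entries with the values read from HKLM\Software\Microsoft\Windows\CurrentVersion\Run and check_file_paths with a listing of %SystemRoot% and its admin$ share; anything returned warrants a look.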

Last update 12 October 2015
