W32.Brambul
First posted on 13 May 2015.
Source: Symantec
Aliases:
There are no other names known for W32.Brambul.
Explanation:
When the worm is executed, it scans random IP addresses and attempts to authenticate to each of them over the Server Message Block (SMB) protocol with the following user names and passwords. The [USER NAME] entries are templates: the worm substitutes the user name it is currently trying, so an account whose password is derived from its own name is exposed even if that password is not in the fixed list.
User names:
administrator
db2admin
Passwords:
password
1
123456
654321
pass
test
1234
admin
!@#$%
root
!@#$
passwd
angel
BUMBLE
asdf
asdfg
asdfgh
12
123
1234
12345
1234567
54321
4321
1111
111111
!@#$%^
!@#$%^&
!@#$%^&*
!@#$%^&*(
!@#$%^&*()
~!@#$%^&*()_+
webmail
web1
web123
web1234
mail1
mail123
mail1234
[USER NAME]
![USER NAME]
!@@[USER NAME]
!@@[USER NAME]@
[USER NAME]1
[USER NAME]12
[USER NAME]123
[USER NAME]2
[USER NAME]!@#$
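The credential list is a fixed wordlist plus templates built from the target user name. The following Python is an added example (not Symantec's analysis code and not the worm's own code): it expands the [USER NAME] templates for the two user names the worm tries and checks a set of audited credentials against the result, so a defender can see which accounts this particular spray would log into. It assumes the substitution is a literal replacement of [USER NAME]; the sample accounts are constructed.

```python
"""Expand W32.Brambul's SMB credential list and audit passwords against it.
Added example; the user names, passwords and templates are the ones listed
above, and [USER NAME] is assumed to be replaced literally."""

USER_NAMES = ["administrator", "db2admin"]

# Fixed passwords tried for every user name.
STATIC_PASSWORDS = [
    "password", "1", "123456", "654321", "pass", "test", "1234", "admin",
    "!@#$%", "root", "!@#$", "passwd", "angel", "BUMBLE", "asdf", "asdfg",
    "asdfgh", "12", "123", "1234", "12345", "1234567", "54321", "4321",
    "1111", "111111", "!@#$%^", "!@#$%^&", "!@#$%^&*", "!@#$%^&*(",
    "!@#$%^&*()", "~!@#$%^&*()_+", "webmail", "web1", "web123", "web1234",
    "mail1", "mail123", "mail1234",
]

# Passwords derived from the user name being tried; [USER NAME] is the placeholder.
TEMPLATES = [
    "[USER NAME]", "![USER NAME]", "!@@[USER NAME]", "!@@[USER NAME]@",
    "[USER NAME]1", "[USER NAME]12", "[USER NAME]123", "[USER NAME]2",
    "[USER NAME]!@#$",
]


def brambul_candidates(username):
    """Concrete password list the worm would try for `username`, in order,
    with duplicates (the fixed list repeats "1234") removed."""
    derived = [t.replace("[USER NAME]", username) for t in TEMPLATES]
    seen, out = set(), []
    for pw in STATIC_PASSWORDS + derived:
        if pw not in seen:
            seen.add(pw)
            out.append(pw)
    return out


def exposed_accounts(accounts):
    """Given {user name: password} pairs from an authorised password audit,
    return the user names Brambul's spray would succeed against.
    SMB user names are case-insensitive, passwords are not. Only the two
    user names the worm tries can match, so other weak accounts are not
    reported here even though they deserve attention for other reasons."""
    hits = []
    for user, password in accounts.items():
        u = user.lower()
        if u in USER_NAMES and password in brambul_candidates(u):
            hits.append(user)
    return hits


# Constructed sample audit data (not real accounts).
SAMPLE_ACCOUNTS = {
    "Administrator": "administrator123",  # derived from the user name: hit
    "db2admin": "Summer2015!",            # not on the list: safe from this worm
    "svc_backup": "password",             # on the list, but user name never tried
}

if __name__ == "__main__":
    for u in USER_NAMES:
        print(u, len(brambul_candidates(u)), "candidate passwords")
    print("exposed:", exposed_accounts(SAMPLE_ACCOUNTS))
```

The expanded list is small (47 passwords per user name), which is why the worm can afford to try all of them against every host it finds; a lockout threshold on the built-in Administrator account, or a password filter that rejects passwords containing the account name, defeats the derived half of the list outright.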
If a login succeeds, the worm creates an admin share on the target and copies itself there under the following file name: %Windir%\crss.exe
The name imitates csrss.exe, the Client/Server Runtime Subsystem, which legitimately resides in %System%; a file of this name (or csrss.exe, as the wgudtr service below names it) directly under %Windir% is not a Windows component.
The worm also creates the following file: %System%\lsasvc.exe
There is no Windows binary of this name; it imitates lsass.exe.
The worm then creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Update" = "[PATH TO MALWARE]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wglmgr\"ImagePath" = "cmd.exe /c "net share admin$""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wglmgr\"DisplayName" = "Windows Genuine Logon Manager"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgudtr\"ImagePath" = "%SystemRoot%\csrss.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgudtr\"DisplayName" = "Microsoft Windows Genuine Updater"
The Run value and the wgudtr service both start the worm at boot. The wglmgr service does not run the worm at all: its ImagePath re-creates the ADMIN$ share with "net share admin$", so that a host which had removed the administrative share stays usable as a copy target for further spreading.
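The dropped files, the Run value and the two services are all host-observable. The following Python is an added example (not Symantec's code) that matches parsed host telemetry against those indicators; the records are constructed in the shape of Sysmon FileCreate (event 11) and RegistryEvent (event 13) entries already turned into dicts, %Windir% is assumed to be C:\Windows, and the field names are an assumption to adapt to your own pipeline. Beyond the literal service names, it also flags any service whose ImagePath re-creates ADMIN$ with "net share admin$", so a renamed service using the same trick is still caught.

```python
"""Match host telemetry against the W32.Brambul persistence indicators above.
Added example, not Symantec's code. SAMPLE_EVENTS are constructed records
shaped like Sysmon FileCreate (11) and RegistryEvent (13) entries parsed
into dicts; %Windir% is assumed to be C:\\Windows."""
import re

# Service names and display names the worm registers (compared case-insensitively).
IOC_SERVICE_NAMES = {"wglmgr", "wgudtr"}
IOC_DISPLAY_NAMES = {"windows genuine logon manager",
                     "microsoft windows genuine updater"}

# ...\Services\<name>\ImagePath or ...\Services\<name>\DisplayName
SERVICE_VALUE = re.compile(r"\\services\\([^\\]+)\\(imagepath|displayname)$")


def check_file(path):
    """Return a finding if a created file matches the worm's drop names."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name == "crss.exe":
        return "worm copy crss.exe dropped: " + path
    # The genuine csrss.exe lives in %System% (System32); WinSxS holds
    # component-store copies. One directly under %Windir% is the wgudtr binary.
    if name == "csrss.exe" and "\\system32\\" not in p and "\\winsxs\\" not in p:
        return "csrss.exe outside System32: " + path
    if name == "lsasvc.exe":
        # No Windows binary has this name; it imitates lsass.exe.
        return "lsasvc.exe dropped: " + path
    return None


def check_registry(target, details):
    """Return a finding if a registry write matches the worm's persistence."""
    t = target.lower()
    d = (details or "").lower()
    if t.endswith("\\currentversion\\run\\windows update"):
        # Windows Update itself registers no Run value of this name.
        return "Run value 'Windows Update' -> " + (details or "")
    m = SERVICE_VALUE.search(t)
    if not m:
        return None
    svc, field = m.group(1), m.group(2)
    if svc in IOC_SERVICE_NAMES:
        return f"service {svc} {field} set"
    if field == "displayname" and d in IOC_DISPLAY_NAMES:
        return f"service {svc} uses a Brambul display name"
    if field == "imagepath" and "net share admin$" in d:
        # Same trick under a renamed service.
        return f"service {svc} re-creates the ADMIN$ share"
    return None


def scan(events):
    """Run both checks over parsed events; return (host, finding) pairs."""
    hits = []
    for e in events:
        if e["id"] == 11:
            finding = check_file(e["target"])
        elif e["id"] == 13:
            finding = check_registry(e["target"], e.get("details"))
        else:
            finding = None
        if finding:
            hits.append((e["host"], finding))
    return hits


# Constructed sample telemetry: five Brambul artefacts and two benign records.
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 11, "target": r"C:\Windows\System32\csrss.exe"},
    {"host": "ws01", "id": 11, "target": r"C:\Windows\crss.exe"},
    {"host": "ws01", "id": 11, "target": r"C:\Windows\System32\lsasvc.exe"},
    {"host": "ws01", "id": 13,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "details": r"C:\Windows\crss.exe"},
    {"host": "ws01", "id": 13,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\wglmgr\ImagePath",
     "details": 'cmd.exe /c "net share admin$"'},
    {"host": "ws01", "id": 13,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\wgudtr\DisplayName",
     "details": "Microsoft Windows Genuine Updater"},
    {"host": "ws02", "id": 13,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\DisplayName",
     "details": "Print Spooler"},
]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(host, finding)
```

The file check is deliberately path-aware rather than name-only: csrss.exe is a legitimate process name, and alerting on it everywhere would bury the one location (the Windows root) that matters here.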
The worm then sends an email to whiat1001@gmail.com with the following system information:
Compromised computer's IP address
OS version
IP address of the remote computer that dropped the worm
User name and password used to connect to the compromised computer's IP address
Last update 13 May 2015