Win32/Brantall
First posted on 26 October 2013.
Source: Microsoft
Aliases:
There are no other names known for Win32/Brantall.
Explanation:
Threat behavior
Installation
We have seen members of this family claim to download the following programs:
- 77Zip
- Best Codecs Pack
- eType
- PC Performer
- RocketPDF
- Speed Analysis
- Video Performer
When first run, Win32/Brantall retrieves a URL such as:
http://ws.smartiengine.com/installer/bootstrap.php?cmp=14&sub=2870&rkey={1234ABCD-1234-ABCD-EF01-1234ABCDEF56}
From this URL it retrieves instructions for which software to download and install. The instructions and the software vary, and may depend on the geographic location of your PC.
In addition to installing other software, Win32/Brantall installs itself. Most variants copy themselves to one of these locations:
- <commonappdata>\IBUpdaterService\ibsvc.exe
- <commonappdata>\InstallBrainService\ibsvc.exe
It then installs itself as a service so that it runs each time you start your PC.
The service name is generally IBUpdaterService with the description "Updater Service".
Payload
Downloads and updates files
Win32/Brantall periodically retrieves a URL looking for instructions to download new programs or update existing ones. Downloaded programs may be written to the %TEMP% folder with names such as:
- component_1
- component_2
- component_600
Some of the downloaded programs are encrypted, in which case Win32/Brantall also writes a decrypted copy to the %TEMP% folder, for example component_2.decrpt. The number in the filename appears to correspond to the specific program being installed: for example, "component_2" is Win32/Sefnit in encrypted form and "component_2.decrpt" is the decrypted Win32/Sefnit executable, which Win32/Brantall then runs.
In addition to Win32/Sefnit, Win32/Brantall often installs Win32/Rotbrow.
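The installation and payload sections above describe three host and network indicators a responder can check for: the ibsvc.exe service binary under the IBUpdaterService or InstallBrainService folder, a service named IBUpdaterService with the description "Updater Service", and component_N (optionally .decrpt) files in %TEMP%, plus the bootstrap.php instruction URL with cmp, sub and rkey parameters. The following triage script is an added example, not code from Microsoft or from this write-up; the function names, the sample file paths, service records and proxy log lines are constructed for illustration, and the component pattern generalizes to any component number rather than only the three listed.

```python
import re

# Constructed sample data (not taken from the page): file paths, service
# records and proxy log lines of the kind a triage script might collect.
SAMPLE_FILES = [
    r"C:\ProgramData\IBUpdaterService\ibsvc.exe",
    r"C:\ProgramData\InstallBrainService\ibsvc.exe",
    r"C:\Users\alice\AppData\Local\Temp\component_2",
    r"C:\Users\alice\AppData\Local\Temp\component_2.decrpt",
    r"C:\Users\alice\AppData\Local\Temp\component_600",
    r"C:\Users\alice\AppData\Local\Temp\setup.log",
    r"C:\Windows\System32\svchost.exe",
]

SAMPLE_SERVICES = [
    {"name": "IBUpdaterService", "description": "Updater Service",
     "path": r"C:\ProgramData\IBUpdaterService\ibsvc.exe"},
    {"name": "wuauserv", "description": "Windows Update",
     "path": r"C:\Windows\system32\svchost.exe -k netsvcs"},
]

SAMPLE_PROXY_LOG = [
    "2013-10-26T10:00:01 10.0.0.5 GET http://ws.smartiengine.com/installer/"
    "bootstrap.php?cmp=14&sub=2870&rkey={1234ABCD-1234-ABCD-EF01-1234ABCDEF56}",
    "2013-10-26T10:00:02 10.0.0.5 GET http://example.com/index.html",
]

# Patterns derived from the indicators in the write-up.
# Service binary: <commonappdata>\IBUpdaterService\ibsvc.exe or
# <commonappdata>\InstallBrainService\ibsvc.exe.
SERVICE_BINARY_RE = re.compile(
    r"\\(IBUpdaterService|InstallBrainService)\\ibsvc\.exe$", re.IGNORECASE)
# Downloaded components in %TEMP%: component_<number>, optionally with a
# .decrpt suffix for the decrypted copy.
COMPONENT_RE = re.compile(
    r"\\Temp\\component_\d+(\.decrpt)?$", re.IGNORECASE)
# Instruction URL: bootstrap.php with cmp, sub and a GUID-shaped rkey.
INSTRUCTION_URL_RE = re.compile(
    r"/installer/bootstrap\.php\?"
    r"(?=.*\bcmp=\d+)(?=.*\bsub=\d+)(?=.*\brkey=\{[0-9A-F-]+\})",
    re.IGNORECASE)


def flag_files(paths):
    """Return (path, reason) for every path matching a file indicator."""
    hits = []
    for path in paths:
        if SERVICE_BINARY_RE.search(path):
            hits.append((path, "service binary"))
        elif COMPONENT_RE.search(path):
            hits.append((path, "downloaded component in %TEMP%"))
    return hits


def flag_services(services):
    """Return (service name, [reasons]) for suspicious service records."""
    hits = []
    for svc in services:
        reasons = []
        if svc.get("name", "").lower() == "ibupdaterservice":
            reasons.append("service name IBUpdaterService")
        if svc.get("description", "").strip().lower() == "updater service":
            reasons.append('description "Updater Service"')
        if SERVICE_BINARY_RE.search(svc.get("path", "")):
            reasons.append("binary path matches ibsvc.exe indicator")
        if reasons:
            hits.append((svc.get("name", ""), reasons))
    return hits


def flag_proxy_lines(lines):
    """Return proxy log lines that contain the instruction-fetch URL shape."""
    return [line for line in lines if INSTRUCTION_URL_RE.search(line)]


if __name__ == "__main__":
    for path, reason in flag_files(SAMPLE_FILES):
        print(f"[file]    {reason}: {path}")
    for name, reasons in flag_services(SAMPLE_SERVICES):
        print(f"[service] {name}: {', '.join(reasons)}")
    for line in flag_proxy_lines(SAMPLE_PROXY_LOG):
        print(f"[proxy]   {line}")
```

In practice the three input lists would be fed from a directory listing of the ProgramData and per-user Temp folders, from `sc query` / `Get-Service` output, and from the web proxy's access log; the proxy pattern is deliberately keyed on the parameter shape rather than only the hostname, since the write-up notes that the URL is a representative example and can vary.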
Analysis by Hamish O'Dea
Symptoms
Alerts from your security software may be the only symptom.
Last update 26 October 2013