BKDR_BRAMBUL.TPR
Backdoor:Win32/Brambul.A (Microsoft)
Windows
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
18,977 bytes
EXE
No
28 Feb 2013
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other System Modifications
This backdoor adds the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SharedAccess\Parameters\
FirewallPolicy\FirewallRules
TCP Query User{random}{malware path}\{malware name} = "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App={malware path}\{malware name}|Name={malware base name}|Desc={malware base name}|Defer=User|"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SharedAccess\Parameters\
FirewallPolicy\FirewallRules
UDP Query User{random}{malware path}\{malware name} = "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App={malware path}\{malware name}|Name={malware base name}|Desc={malware base name}|Defer=User|"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path}\{malware name} = "{malware path}\{malware name}:*:Enabled:{malware base name}"