WORM_BRAMBUL.AB
Aliases: Troj/Brambul-A (Sophos), W32/Bagz.E!worm (Fortinet), Email-Worm.Win32.Atak (Ikarus), Trojan:Win32/Brambul.A (Microsoft), Win32/Pepex.E worm (NOD32)
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Propagates via network shares
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File size: 57,345 bytes
File type: EXE
Initial samples received date: 07 Nov 2012
Payload: Connects to URLs/IPs
Arrival Details
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following copies of itself into the affected system and executes them:
- %System%\lsasvc.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Update = "%System%\lsasvc.exe"
Drop Points
This worm sends the information it gathers to the following email addresses:
- {BLOCKED}t1001@gmail.com
Other Details
This worm connects to the following URL(s) to check for an Internet connection:
- http://gmail.com
It connects to the following possibly malicious URLs and IP addresses:
- {BLOCKED}.{BLOCKED}.223.33
- {BLOCKED}.{BLOCKED}.210.24
- {BLOCKED}.{BLOCKED}.223.27
- {BLOCKED}mtp-in.l.google.com
NOTES:
This worm adds the following registry entries on the target host to enable network sharing: it registers a service named wglmgr whose image path re-shares the administrative share admin$ through cmd.exe.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wglmgr
ImagePath = "cmd.exe /c \"net share admin$\""
DisplayName = "Windows Genuine Logon Manager"
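As an added defender-side check that is not part of this report, the Python below parses a Windows "reg export" text dump and flags the Run value and wglmgr service entries listed above. The .reg text is constructed sample data (one benign Run entry plus the indicators from this page), and the SOFTWARE\ component of the Run key path is assumed from the standard registry layout.

```python
"""Flag WORM_BRAMBUL.AB persistence/service indicators in a Windows 'reg export' dump."""
import re

# Constructed .reg export (not a real capture): one benign Run entry plus the
# Run value and wglmgr service entries this report describes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Windows Update"="C:\\Windows\\System32\\lsasvc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wglmgr]
"ImagePath"="cmd.exe /c \"net share admin$\""
"DisplayName"="Windows Genuine Logon Manager"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wglmgr"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # REG_SZ lines only

def _unescape(s):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key_path: {value_name: string_data}} for REG_SZ values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys

def find_brambul_indicators(reg):
    """Return a list of matched indicator descriptions; an empty list means none found."""
    hits = []
    run = {name.lower(): data for name, data in reg.get(RUN_KEY, {}).items()}
    data = run.get("windows update", "")
    # Autostart value named "Windows Update" pointing at lsasvc.exe in the system folder.
    if data.lower().replace("%system%", r"c:\windows\system32").endswith(r"\system32\lsasvc.exe"):
        hits.append(f"Run value 'Windows Update' -> {data}")
    svc = reg.get(SERVICE_KEY)
    if svc is not None:
        hits.append("service key wglmgr present")
        if "net share admin$" in svc.get("ImagePath", "").lower():
            hits.append("wglmgr ImagePath re-shares admin$")
        if svc.get("DisplayName") == "Windows Genuine Logon Manager":
            hits.append("wglmgr DisplayName 'Windows Genuine Logon Manager'")
    return hits

if __name__ == "__main__":
    for hit in find_brambul_indicators(parse_reg(SAMPLE_REG)):
        print("INDICATOR:", hit)
```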