WORM_BRAMBUL.FE

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It opens certain ports to access shared networks.

It does not have any backdoor routine.

It does not have any downloading capability.

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops and executes the following files:

• %System%\lsasvc.exe - damaged file

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Update = "{malware path and file name}"

Propagation

This worm opens the following ports to access shared networks:

• 445

It uses the following file names for the copies it drops into shared networks:

• %Windows%\csrss.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Backdoor Routine

This worm does not have any backdoor routine.

Download Routine

This worm does not have any downloading capability.

Information Theft

This worm gathers the following data:

• Windows OS version
• Machine Names / IP Adresses of computers in the network
• User names and passwords of network share accounts

Drop Points

This worm sends the information it gathers to the following email addresses:

• {BLOCKED}001@gmail.com

Other Details

This worm connects to the following URL(s) to check for an Internet connection:

• http://gmail.com

NOTES:

It executes its dropped file with the following parameters:

• -i

However, the dropped file, %System%\lsasvc.exe, is damaged.

It adds the following registry entries to the target host to enable network sharing:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wglmgr
ImagePath = "cmd.exe /c \net share admin$\"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wglmgr
DisplayName = "Windows Genuine Logon Manager"

It registers itself as a system service to the target host ensure its automatic execution at every system starup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgudtr
ImagePath = "%Windows%\csrss.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgudtr
DisplayName = "Microsoft Windows Genuine Updater"

It sends the email by accessing the following non-malicious URLs:

• gmail-smtp-in.l.google.com
• 209.85.223.27
• 209.85.210.24
• 209.85.223.33

It crafts a packet to create an email containing the following data:

HELO google.com
MAIL FROM: {BLOCKED}03@yahoo.com
RCPT TO: {BLOCKED}001@gmail.com
DATA
From: Microsoft provider@microsoft.com
Subject: {Local IP Address}|{Host Name}|{Password} OR {Local IP Address}|
{Windows OS version}
QUIT

It uses brute force to access network sharing using the following user names and passwords:

User Names:

• administrator
• db2admin

Passwords:

• admin
• angel
• asdf
• asdfg
• asdfgh
• BUMBLE
• mail1
• mail1234
• mail
• mail123
• passwd
• pass
• password
• root
• test1234
• web123
• web1
• web1234
• web

This worm connects to randomly generated IP addresses and uses port 445 to propagate across the network.

It does not have rootkit capabilities.

It does not exploit any vulnerability.