
Win32/Brantall


Microsoft security software detects and removes this threat.

This family of trojans downloads and installs other programs. We have seen them downloading Win32/Sefnit and Win32/Rotbrow malware.

They can get on your PC by pretending to be an installer for other, legitimate programs. They might install those programs as well as other malware.

Find out ways that malware can get on your PC.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

We have seen members of this family claim to download the following programs:

  • 77Zip
  • Best Codecs Pack
  • eType
  • PC doer
  • RocketPDF
  • Speed Analysis
  • Video doer

When first run, Win32/Brantall retrieves a URL such as:

http://ws.smartiengine.com/installer/bootstrap.php?cmp=14&sub=2870&rkey={1234ABCD-1234-ABCD-EF01-1234ABCDEF56}

From this it gets instructions for what software to download and install. The instructions and software vary, and may depend on the location of your PC.

In addition to installing other software, Win32/Brantall installs itself. Most variants copy themselves to one of these locations:

It then installs itself as a service so that it runs each time you start your PC.

The service name is generally IBUpdaterService with the description Updater Service.

Payload

Downloads and updates files

Win32/Brantall periodically retrieves a URL looking for instructions to download new programs or update existing ones. Downloaded programs may be written to the %TEMP% folder with names like:

  • component_1
  • component_2
  • component_600

Some of the downloaded programs are encrypted, in which case Win32/Brantall writes a decrypted copy to the %TEMP% folder as well, for example component_2.decrypt. The number in the file name appears to correspond to the specific program being installed: for example, component_2 is Win32/Sefnit in encrypted form and component_2.decrypt is the decrypted Win32/Sefnit executable, which Win32/Brantall then runs.

In addition to Win32/Sefnit, Win32/Brantall also often installs Win32/Rotbrow.
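The indicators in the Installation and Payload sections above (the bootstrap.php instruction fetch with its cmp/sub/rkey parameters, the IBUpdaterService service, and the component_N / component_N.decrypt files in %TEMP%) can be turned into simple host and proxy log checks. The following is an added detection example, not code from Microsoft; the pipe-delimited record layout, the user paths and the "Temp folder" test for %TEMP% are assumptions made for the sample.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlparse, parse_qs
# Indicators from the write-up above; everything else in this block is illustrative.
SERVICE_NAME, SERVICE_DESC = "IBUpdaterService", "Updater Service"
COMPONENT_RE = re.compile(r"^component_(\d+)(\.decrypt)?$", re.IGNORECASE)
BOOTSTRAP_PARAMS = {"cmp", "sub", "rkey"}

def check_url(url):
    # Instruction fetch: the bootstrap.php path with all three of cmp, sub and rkey present.
    p = urlparse(url)
    q = parse_qs(p.query)
    if not p.path.lower().endswith("/installer/bootstrap.php") or not BOOTSTRAP_PARAMS.issubset(q):
        return None
    return {"type": "bootstrap_url", "host": p.hostname, "cmp": q["cmp"][0], "sub": q["sub"][0]}

def check_service(name, description):
    # The name is only "generally" IBUpdaterService, so the description alone also counts.
    if name == SERVICE_NAME or description == SERVICE_DESC:
        return {"type": "service", "name": name, "description": description}
    return None

def check_file(path):
    # component_N or component_N.decrypt written directly under a Temp folder (assumed %TEMP% layout).
    p = PureWindowsPath(path)
    m = COMPONENT_RE.match(p.name)
    if not m or p.parent.name.lower() != "temp":
        return None
    return {"type": "decrypted_component" if m.group(2) else "component",
            "index": int(m.group(1)), "path": path}

HANDLERS = {"proxy": lambda f: check_url(f[0]),
            "service": lambda f: check_service(f[0], f[1]),
            "file": lambda f: check_file(f[0])}

def scan(lines):
    # Records are pipe-delimited (assumed format): proxy|url, service|name|description, file|path.
    rows = [line.strip().split("|") for line in lines]
    hits = [HANDLERS.get(kind, lambda f: None)(fields) for kind, *fields in rows]
    return [h for h in hits if h]

# Constructed sample records, not real telemetry; the user paths are made up.
SAMPLE_LOG = [
    "proxy|http://ws.smartiengine.com/installer/bootstrap.php?cmp=14&sub=2870&rkey={1234ABCD-1234-ABCD-EF01-1234ABCDEF56}",
    "service|IBUpdaterService|Updater Service",
    r"file|C:\Users\alice\AppData\Local\Temp\component_2",
    r"file|C:\Users\alice\AppData\Local\Temp\component_2.decrypt",
    r"file|C:\Users\alice\AppData\Local\Temp\notes.txt",
]
```

Running scan(SAMPLE_LOG) yields four findings (the URL, the service, and both component files) and ignores notes.txt; the paired component_2 and component_2.decrypt hits are the pattern worth alerting on.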

Analysis by Hamish O'Dea


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
This entry was first published on: Oct 25, 2013
This entry was updated on: Sep 16, 2014

This threat is also detected as:
No known aliases