We have seen members of this family claim to download the following programs:
Best Codecs Pack
When first run, Win32/Brantall retrieves a URL such as:
From this it gets instructions for what software to download and install. The instructions and software vary, and may depend on the location of your PC.
In addition to installing other software, Win32/Brantall installs itself. Most variants copy themselves to one of these locations:
It then installs itself as a service so that it runs each time you start your PC.
The service name is generally IBUpdaterService with the description Updater Service.
Downloads and updates files
Win32/Brantall periodically retrieves a URL looking for instructions to download new programs or update existing ones. Downloaded programs may be written to the %TEMP% folder with names like:
Some of the downloaded programs are encrypted, in which case Win32/Brantall writes a decrypted copy to the %TEMP% folder as well, for example component_2.decrypt. The number in the file name appears to correspond to the specific program being installed: for example, component_2 is Win32/Sefnit in encrypted form and component_2.decrypt is the decrypted Win32/Sefnit executable, which Win32/Brantall then runs.
In addition to Win32/Sefnit, Win32/Brantall also often installs Win32/Rotbrow.
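The service name, service description and %TEMP% file naming described above can be turned into a simple triage check. The script below is an added example written for this page, not Microsoft's tooling; it runs offline over constructed sample data (a service list and a %TEMP% directory listing), pairing each encrypted component_N with its component_N.decrypt copy. The service name and description are taken from the text; the sample inputs are constructed.

```python
import re

# Indicators quoted from the Win32/Brantall description above.
SERVICE_NAME = "IBUpdaterService"
SERVICE_DESCRIPTION = "Updater Service"
# Downloaded components: component_<n>, optionally with a decrypted copy component_<n>.decrypt
COMPONENT_RE = re.compile(r"^component_(\d+)(\.decrypt)?$", re.IGNORECASE)

# Constructed sample data standing in for `sc query` output and a %TEMP% listing.
SAMPLE_SERVICES = [("Dhcp", "DHCP Client"), ("IBUpdaterService", "Updater Service")]
SAMPLE_TEMP_FILES = ["~DF1234.tmp", "component_2", "component_2.decrypt", "component_5"]


def find_brantall_indicators(services, temp_files):
    """services: iterable of (name, description) tuples; temp_files: file names in %TEMP%.
    Returns matching services and, per component number, which copies were seen."""
    hits = {"service": [], "components": {}}
    for name, description in services:
        if (name.lower() == SERVICE_NAME.lower()
                or description.strip().lower() == SERVICE_DESCRIPTION.lower()):
            hits["service"].append((name, description))
    for fname in temp_files:
        m = COMPONENT_RE.match(fname)
        if not m:
            continue
        num = int(m.group(1))
        entry = hits["components"].setdefault(num, {"encrypted": False, "decrypted": False})
        if m.group(2):
            entry["decrypted"] = True  # component_N.decrypt: plaintext copy written before execution
        else:
            entry["encrypted"] = True  # component_N: the downloaded, still-encrypted payload
    return hits


def suspicious(hits):
    """A matching service, or an encrypted/decrypted pair for the same N, warrants triage."""
    pair = any(v["encrypted"] and v["decrypted"] for v in hits["components"].values())
    return bool(hits["service"]) or pair


if __name__ == "__main__":
    found = find_brantall_indicators(SAMPLE_SERVICES, SAMPLE_TEMP_FILES)
    print(found, "-> suspicious" if suspicious(found) else "-> clean")
```

On a live host, feed it the output of `sc query` (or Get-CimInstance Win32_Service) and a listing of %TEMP%; a lone component_N without its .decrypt twin is reported but not flagged on its own, since the name alone is weak evidence.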
Analysis by Hamish O'Dea