Installation
This threat can be installed when you open a malicious spam email attachment.
It creates the following files on your PC:
The malware also adds a service for the dropped file with the display name Rvcrosoft Windows Genuine Updater.
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Update"
With data: "<malware location>", for example C:\adnim$\csrss.exe or C:\csrss.exe
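The following is an added defender-side check, not part of the original analysis: it looks for the Run-key value, the spoofed service display name and the dropped-file paths described above on a Windows host and reports what it finds without changing anything. The paths and names are taken from this entry; run it from an elevated PowerShell prompt.

```powershell
# Added example: report the persistence and file artifacts this entry describes.
# Read-only: nothing is removed or modified.
$findings = @()

# 1. Run-key value "Windows Update" under HKLM, as described in the entry
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = Get-ItemProperty -Path $runKey -Name 'Windows Update' -ErrorAction SilentlyContinue
if ($runValue) {
    $data = $runValue.'Windows Update'
    # The real csrss.exe lives in %SystemRoot%\System32 and is never started from a Run key,
    # so a csrss.exe path anywhere else (e.g. C:\adnim$\ or C:\) is suspicious.
    $suspicious = ($data -match 'csrss\.exe') -and ($data -notmatch [regex]::Escape("$env:SystemRoot\System32"))
    $findings += [pscustomobject]@{ Check = 'RunKey'; Detail = "Windows Update = $data"; Suspicious = $suspicious }
}

# 2. Service registered with the spoofed display name from the entry
$spoofed = Get-Service | Where-Object { $_.DisplayName -eq 'Rvcrosoft Windows Genuine Updater' }
foreach ($s in $spoofed) {
    $findings += [pscustomobject]@{ Check = 'Service'; Detail = "$($s.Name) ($($s.DisplayName))"; Suspicious = $true }
}

# 3. Dropped-file locations named in the entry; hash any hit for later correlation
foreach ($path in 'C:\adnim$\csrss.exe', 'C:\csrss.exe') {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Check = 'File'; Detail = "$path sha256=$hash"; Suspicious = $true }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No indicators from this entry were found.' }
```

If any row is flagged, collect the file and the registry value before remediation so the evidence survives the clean-up.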
The malware also tries to get access to your network shares using a combination of user names and passwords from the following:
!@#$ !@#$ !@#$% !@#$% !@#$%^ !@#$%^& !@#$%^&* !@#$%^&*( !@#$%^&*() 1 1111 111111 12 123 1234
12345 123456 1234567 4321 54321 654321 admin administrator angel asdf asdfg asdfgh BUMBLE db2admin mail
mail1 mail123 mail1234 pass passwd password root root test1234 web web1 web123 web1234 ~!@#$%^&*()_+
If the malware is successful in gaining access to your network shares it creates a copy of itself in the following locations:
Payload
Gives a malicious hacker access to your PC
This threat can give a malicious hacker access to and control of your PC. The attacker can send the malware remote commands, including commands to send spam email from your PC in order to spread the malware further.
Analysis by Francis Tan Seng