Win32/Brambul

Installation

This threat can be installed when you open a malicious spam email attachment.

It creates the following files on your PC:

• %SystemRoot%\adnim$\csrss.exe
• %SystemRoot%\csrss.exe

The malware also adds a service for the dropped file with the display name Rvcrosoft Windows Genuine Updater.

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Update"
With data: "<malware location>", for example C:\adnim$\csrss.exe or C:\csrss.exe

The malware also tries to get access to your network shares using a combination of user names and passwords from the following:

If the malware is successful in gaining access to your network shares it creates a copy of itself in the following locations:

• %SystemRoot%\adnim$\csrss.exe
• %SystemRoot%\csrss.exe

Payload

Gives a malicious hacker access to your PC

This threat can give a malicious hacker access and control of your PC. The attacker can give the malware remote commands, including to send spam emails from your PC to spread malware. 

Analysis by Francis Tan Seng