Installation
This threat can be installed when you open a malicious spam email attachment.
It creates the following files on your PC:
The malware also adds a service for the dropped file with the display name Rvcrosoft Windows Genuine Updater.
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Update"
With data: "<malware location>", for example C:\adnim$\csrss.exe or C:\csrss.exe
The malware also tries to get access to your network shares using a combination of user names and passwords from the following:
!@#$
!@#$
!@#$%
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
!@#$%^&*(
!@#$%^&*()
1
1111
111111
12
123
1234 |
12345
123456
1234567
4321
54321
654321
admin
administrator
angel
asdf
asdfg
asdfgh
BUMBLE
db2admin
mail |
mail1
mail123
mail1234
pass
passwd
password
root
root
test1234
web
web1
web123
web1234
~!@#$%^&*()_+ |
If the malware is successful in gaining access to your network shares it creates a copy of itself in the following locations:
Payload
Gives a malicious hacker access to your PC
This threat can give a malicious hacker access and control of your PC. The attacker can give the malware remote commands, including to send spam emails from your PC to spread malware.
Analysis by Francis Tan Seng
