W32/Brepibot.AB!bdr

Analysis

This Trojan is another minor variant of the BrepiBot backdoor Trojan family.

This Trojan may be received in an email message as an attachment, possibly named "Suspects Photo.exe" or a similarly named file. If it is run, it will install itself locally to the System32 folder as "csrnvrt.exe" -

c:\WINNT\system32\csrnvrt.exe

The Trojan then creates an entry in the system registry with the following modification -

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"DriverModule" = csrnvrt.exe

The Trojan waits for the system to restart or for a user to log off and back on before attempting to perform any actions. After the Trojan loads on restart of Windows, it may invoke an instruction in a hidden command shell to allow itself to run using "netsh". The instruction tells the Windows firewall application to allow "csrnvrt.exe" to run without being blocked or raising an alert.
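As an added triage check (not part of the Fortinet write-up), the following PowerShell script looks for the three host artifacts described above: the dropped file, the "DriverModule" Run value, and a firewall exception for csrnvrt.exe. The firewall registry locations are an assumption based on where Windows Firewall stores authorized programs (XP SP2) and rules (Vista and later); the script only reports findings and changes nothing.

```powershell
# Added triage check, not Fortinet's code. Assumes it runs on the suspect Windows host
# with rights to read HKLM. Firewall registry paths are an assumption (XP SP2 stores
# authorized programs per profile; Vista and later store rules under FirewallRules).
$fileName = 'csrnvrt.exe'
$findings = @()

# 1. Dropped file in System32 (page shows c:\WINNT\system32; use the live SystemRoot)
$dropPath = Join-Path $env:SystemRoot "system32\$fileName"
if (Test-Path -LiteralPath $dropPath) {
    $findings += "File present: $dropPath"
}

# 2. Persistence: Run key value "DriverModule" = csrnvrt.exe
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -eq 'DriverModule' -or "$($p.Value)" -match [regex]::Escape($fileName)) {
            $findings += "Run value: $($p.Name) = $($p.Value)"
        }
    }
}

# 3. Firewall exception added via netsh: look for the file name in any stored
#    authorized-application entry or firewall rule string
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$fwKeys = @("$fwBase\StandardProfile\AuthorizedApplications\List",
            "$fwBase\DomainProfile\AuthorizedApplications\List",
            "$fwBase\FirewallRules")
foreach ($k in $fwKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ("$($p.Name) $($p.Value)" -match [regex]::Escape($fileName)) {
            $findings += "Firewall entry under $($k.Split('\')[-1]): $($p.Name)"
        }
    }
}

if ($findings.Count -eq 0) { 'No Brepibot.AB artifacts found.' } else { $findings }
```

A hit on any of the three is enough to warrant isolating the host and following the recommended action below, since the file name alone may differ in other variants.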

The Trojan will also function as a backdoor server and as an IRC bot. It will respond to instructions sent to it such as these -

raw
uptime
delete
execute

Recommended Action

FortiGate systems:
  • Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.
FortiClient systems:
  • Quarantine/delete infected files detected.
