Win32/RpcBrute [Threat Name]

Win32/RpcBrute.C [Threat Variant Name]

Category: trojan
Detection created: Dec 01, 2014
Detection database version: 10807

Short description

Win32/RpcBrute.C is a trojan that steals sensitive information.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\Microsoft\Protect\conhost.exe

The file is then executed.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Console Protect Service" = "%appdata%\Microsoft\Protect\conhost.exe"

After the installation is complete, the trojan deletes the original executable file.
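
A read-only PowerShell check for the two persistence artifacts described above, added here as an example and not part of the original description. Beyond the exact value name and path given on this page, it also flags any Run entry that launches a conhost.exe outside %SystemRoot%\System32, where the genuine Windows binary resides; the function and variable names are illustrative.

```powershell
# Added example: per-user check for the Run value and dropped file listed on this page.
# Read-only. Run it as the user being examined, because HKCU and %appdata% are per-user.
$runKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Console Protect Service'                                   # from the page
$dropPath  = Join-Path $env:APPDATA 'Microsoft\Protect\conhost.exe'      # from the page
$system32  = Join-Path $env:SystemRoot 'System32'                        # home of the real conhost.exe

function Get-ExePathFromCommand([string]$Command) {
    # Expand %var% references, then take the quoted path or the text up to the first ".exe".
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"')    { return $Matches[1] }
    if ($expanded -match '^(.+?\.exe)\b') { return $Matches[1] }
    return $expanded
}

$findings = @()

# 1. Autostart entries: the exact value name, or a conhost.exe started from an unexpected folder.
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        $exe  = Get-ExePathFromCommand $data
        if (-not $exe) { continue }
        $nameMatch   = $name -ieq $valueName
        $fakeConhost = ((Split-Path $exe -Leaf) -ieq 'conhost.exe') -and
                       -not $exe.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        if ($nameMatch -or $fakeConhost) {
            $findings += [pscustomobject]@{
                Type = 'RunValue'; Name = $name; Data = $data; Path = $exe; SHA256 = $null }
        }
    }
}

# 2. The dropped copy itself; hash it so the sample can be triaged without executing it.
if (Test-Path -LiteralPath $dropPath -PathType Leaf) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Type = 'File'; Name = $null; Data = $null; Path = $dropPath; SHA256 = $hash }
}

if ($findings) { $findings | Format-List }
else { 'No Win32/RpcBrute.C persistence artifacts found for this user.' }
```

Because the original executable is deleted after installation, the copy under %appdata% and the Run value are the artifacts that remain on disk for this check to find.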

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used.


It connects to remote machines in an attempt to exploit the WordPress XMLRPC vulnerability.


The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services

The trojan attempts to send gathered information to a remote machine.
