Win32/Brontok [Threat Name]

Win32/Brontok.A [Threat Variant Name]

Category: virus, worm
Size: 81920 B
Aliases: Email-Worm.Win32.Brontok.a (Kaspersky)
  W32/Rontokbro.b@MM (McAfee)
  W32.Rontokbro.B@mm (Symantec)
Short description

Win32/Brontok.A is a worm that spreads via e-mail and shared folders.

Installation

The worm copies itself to the following locations:

  • %userprofile%\Local Settings\Application Data\winlogon.exe
  • %userprofile%\Local Settings\Application Data\services.exe
  • %userprofile%\Local Settings\Application Data\lsass.exe
  • %userprofile%\Local Settings\Application Data\inetinfo.exe
  • %userprofile%\Local Settings\Application Data\csrss.exe
  • %userprofile%\Local Settings\Application Data\smss.exe
  • %userprofile%\Local Settings\Application Data\IDTemplate.exe
  • %userprofile%\Start Menu\Programs\Startup\Empty.pif
  • %system%\3D Animation.scr
  • %windir%\Inf\norBtok.exe

Several other copies are saved in the %system% folder.

The filenames may vary.


The worm creates the following folders:

  • %userprofile%\Local Settings\Application Data\Ok-SendMail-Bron-tok
  • %userprofile%\Local Settings\Application Data\Bron.tok-3.N (where N is a sequence number: 1, 2, 3, ...)
  • %userprofile%\Local Settings\Application Data\BRONTOK
  • %userprofile%\Local Settings\Application Data\Loc.Mail.Bron.Tok

The worm creates the following files:

  • %userprofile%\Local Settings\Application Data\Kosong.Bron.Tok.txt
  • %userprofile%\Local Settings\Application Data\BronFoldNetDomList.txt

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Bron-Spizaetus" = "%windir%\Inf\norBtok.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Tok-Cirrhatus" = "%userprofile%\Local Settings\Application Data\smss.exe"

The following Registry entries are also set. Together they hide the worm's files and hinder manual removal: Folder Options is removed from Explorer, hidden and system files are not shown, file extensions are hidden (so a file such as kangen.exe is displayed as kangen) and the Registry Editor is disabled:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoFolderOptions" = "1"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = "0"
    • "ShowSuperHidden" = "0"
    • "HideFileExt" = "1"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableRegistryTools" = "1"
    • "DisableCMD" = "0"

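
For host triage, the following Python script is an added example (it is not ESET's code and not the worm's) that parses a text dump produced by `reg export` and a list of file paths, and reports the autorun values, policy values and drop locations listed above. The sample registry dump and path list are constructed for illustration; `load_reg_export` is a helper name of this example, not a Windows API.

```python
"""Added triage example (not ESET's code): match a `reg export` text dump and a
file listing against the Win32/Brontok.A entries listed above."""
import re

# Autorun values from the description above; key paths are compared
# case-insensitively because `reg export` preserves the writer's casing.
BRONTOK_RUN_VALUES = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Bron-Spizaetus"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Tok-Cirrhatus"),
]
# (key, value name, data the worm writes).  HideFileExt=1 and ShowSuperHidden=0
# are also Explorer's defaults, so alone they prove nothing; DisableCMD=0 leaves
# cmd.exe enabled and is not used as an indicator here.
ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
BRONTOK_POLICY_VALUES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", 1),
    (ADV, "Hidden", 0),
    (ADV, "ShowSuperHidden", 0),
    (ADV, "HideFileExt", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
]
# Dropped copies named after system binaries are only suspicious outside
# %system%, so that check is anchored to the user-profile location.
PROFILE_DROP_NAMES = {"winlogon.exe", "services.exe", "lsass.exe", "inetinfo.exe",
                      "csrss.exe", "smss.exe", "idtemplate.exe"}
OTHER_DROP_TAILS = (r"\start menu\programs\startup\empty.pif",
                    r"\system32\3d animation.scr", r"\inf\norbtok.exe")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key_path_lower: {value_name: data}}.  REG_SZ data is
    unquoted and unescaped, dword: data becomes an int, other types stay raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            keys[current][name] = data
    return keys


def load_reg_export(path):
    """`reg export` writes UTF-16LE with a BOM; Python's utf-16 codec consumes it."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg_export(fh.read())


def find_registry_indicators(keys):
    """Findings as strings: any Brontok autorun value, plus policy values set as
    the worm sets them (compared as strings so dword and REG_SZ both match)."""
    findings = []
    for key, name in BRONTOK_RUN_VALUES:
        data = keys.get(key.lower(), {}).get(name)
        if data is not None:
            findings.append(f"autorun {key}\\{name} = {data!r}")
    for key, name, expected in BRONTOK_POLICY_VALUES:
        data = keys.get(key.lower(), {}).get(name)
        if data is not None and str(data) == str(expected):
            findings.append(f"policy {key}\\{name} = {expected}")
    return findings


def find_dropped_files(paths):
    """Full paths (e.g. collected with os.walk) that match the drop locations."""
    hits = []
    for p in paths:
        low = p.replace("/", "\\").lower()
        head, _, name = low.rpartition("\\")
        if name in PROFILE_DROP_NAMES and head.endswith(r"\local settings\application data"):
            hits.append(p)
        elif low.endswith(OTHER_DROP_TAILS):
            hits.append(p)
    return hits


# Constructed sample input (not taken from a real infected host).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"="C:\\Documents and Settings\\budi\\Local Settings\\Application Data\\smss.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000000
"""
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\smss.exe",  # the real Session Manager, must not fire
    r"C:\Documents and Settings\budi\Local Settings\Application Data\smss.exe",
    r"C:\Documents and Settings\budi\Start Menu\Programs\Startup\Empty.pif",
    r"C:\WINDOWS\Inf\norBtok.exe",
]

if __name__ == "__main__":
    for finding in find_registry_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
    for dropped in find_dropped_files(SAMPLE_PATHS):
        print("dropped file:", dropped)
```

On a live host, export with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion hkcu.reg` (and the HKLM Run key separately), then pass the file to `load_reg_export` and a walk of the user profile to `find_dropped_files`. The process-name lookalikes (smss.exe, lsass.exe, csrss.exe) are deliberately only flagged under Local Settings\Application Data, because the same names are legitimate in %system%.
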
Spreading via e-mail

The worm harvests e-mail addresses for further spreading from local files with one of the following extensions:

  • .asp
  • .cfm
  • .csv
  • .doc
  • .eml
  • .htm
  • .html
  • .php
  • .txt
  • .wab

Addresses containing any of the following strings are skipped (the list consists largely of security and software vendors, generic role mailboxes and Indonesian institutional domains):

  • .AC.ID
  • .ASP
  • .CO.ID
  • .EXE
  • .GO.ID
  • .HTM
  • .JS
  • .MIL.ID
  • .NET.ID
  • .OR.ID
  • .PHP
  • .SCH.ID
  • .WAR.NET.ID
  • .WEB.ID
  • ADMIN
  • ADOBE
  • AHNLAB
  • ALADDIN
  • ALERT
  • ALWI
  • ANTIGEN
  • APACHE
  • ARCHIEVE
  • ASDF
  • ASSOCIATE
  • ASTAGA
  • AVAST
  • AVG
  • AVIRA
  • BILLING@
  • BLACK
  • BLAH
  • BLEEP
  • BOLEH
  • BUILDER
  • CANON
  • CENTER
  • CILLIN
  • CISCO
  • CMD.
  • CNET
  • COMMAND
  • CONTOH
  • CONTROL
  • CRACK
  • DARK
  • DATABASE
  • DEMO
  • DETIK
  • DEVELOP
  • DOMAIN
  • DOWNLOAD
  • EMAILKU
  • ESAFE
  • ESAVE
  • ESCAN
  • EXAMPLE
  • FEEDBACK
  • FIREWALL
  • FOO@
  • FUCK
  • FUJITSU
  • GATEWAY
  • GAUL
  • GOOGLE
  • GRISOFT
  • GROUP
  • HACK
  • HAURI
  • HIDDEN
  • HOTMAIL
  • HP.
  • IBM.
  • INDO
  • INFO@
  • INTEL.
  • KOMPUTER
  • LINUX
  • LOTUS
  • MACRO
  • MALWARE
  • MASTER
  • MCAFEE
  • MICRO
  • MICROSOFT
  • MOZILLA
  • MSN.
  • MSNSC
  • MYSQL
  • NETSCAPE
  • NETWORK
  • NEWS
  • NOD32
  • NOKIA
  • NORMAN
  • NORTON
  • NOVELL
  • NVIDIA
  • OPERA
  • OVERTURE
  • PANDA
  • PATCH
  • PLASA
  • POSTGRE
  • PROGRAM
  • PROLAND
  • PROMPT
  • PROTECT
  • PROXY
  • RECIPIENT
  • REGISTRY
  • RELAY
  • RESPONSE
  • ROBOT
  • SATU
  • SCAN
  • SEARCH R
  • SECURE
  • SECURITY
  • SEKUR
  • SENIOR
  • SERVER
  • SERVICE
  • SES_ID
  • SESSIO
  • SIEMENS
  • SOFT
  • SOME
  • SOPHOS
  • SOURCE
  • SPAM
  • SPERSKY
  • SUN.
  • SUPPORT
  • SYBARI
  • SYMANTEC
  • TELKOM
  • TEST
  • TREND
  • TRUST
  • UPDATE
  • UTILITY
  • VAKSIN
  • VBS
  • VIRUS
  • W3.
  • W3.ORG
  • XEROX
  • ZDNET
  • ZEND
  • ZOMBIE
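
The harvesting and exclusion logic described above, as an added Python example that is not ESET's code or the worm's. It assumes the worm compares addresses against the exclusion list case-insensitively (the list is given in upper case) and uses plain substring matching; the sample contacts text is constructed for illustration.

```python
"""Added example (not ESET's code): the Win32/Brontok.A address-harvesting
filter described above, run over constructed sample text."""
import re
from pathlib import Path

# File types the worm searches for addresses (from the list above).
HARVEST_EXTENSIONS = {".asp", ".cfm", ".csv", ".doc", ".eml",
                      ".htm", ".html", ".php", ".txt", ".wab"}

# Exclusion substrings, verbatim from the list above, including the worm's own
# oddities such as "ARCHIEVE" and "SEARCH R" (with a space).
AVOIDED_SUBSTRINGS = [s.strip() for s in """
.AC.ID, .ASP, .CO.ID, .EXE, .GO.ID, .HTM, .JS, .MIL.ID, .NET.ID, .OR.ID, .PHP,
.SCH.ID, .WAR.NET.ID, .WEB.ID, ADMIN, ADOBE, AHNLAB, ALADDIN, ALERT, ALWI,
ANTIGEN, APACHE, ARCHIEVE, ASDF, ASSOCIATE, ASTAGA, AVAST, AVG, AVIRA, BILLING@,
BLACK, BLAH, BLEEP, BOLEH, BUILDER, CANON, CENTER, CILLIN, CISCO, CMD., CNET,
COMMAND, CONTOH, CONTROL, CRACK, DARK, DATABASE, DEMO, DETIK, DEVELOP, DOMAIN,
DOWNLOAD, EMAILKU, ESAFE, ESAVE, ESCAN, EXAMPLE, FEEDBACK, FIREWALL, FOO@, FUCK,
FUJITSU, GATEWAY, GAUL, GOOGLE, GRISOFT, GROUP, HACK, HAURI, HIDDEN, HOTMAIL,
HP., IBM., INDO, INFO@, INTEL., KOMPUTER, LINUX, LOTUS, MACRO, MALWARE, MASTER,
MCAFEE, MICRO, MICROSOFT, MOZILLA, MSN., MSNSC, MYSQL, NETSCAPE, NETWORK, NEWS,
NOD32, NOKIA, NORMAN, NORTON, NOVELL, NVIDIA, OPERA, OVERTURE, PANDA, PATCH,
PLASA, POSTGRE, PROGRAM, PROLAND, PROMPT, PROTECT, PROXY, RECIPIENT, REGISTRY,
RELAY, RESPONSE, ROBOT, SATU, SCAN, SEARCH R, SECURE, SECURITY, SEKUR, SENIOR,
SERVER, SERVICE, SES_ID, SESSIO, SIEMENS, SOFT, SOME, SOPHOS, SOURCE, SPAM,
SPERSKY, SUN., SUPPORT, SYBARI, SYMANTEC, TELKOM, TEST, TREND, TRUST, UPDATE,
UTILITY, VAKSIN, VBS, VIRUS, W3., W3.ORG, XEROX, ZDNET, ZEND, ZOMBIE
""".split(",") if s.strip()]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_harvest_target(path):
    """True if the worm would read this file looking for addresses."""
    return Path(path).suffix.lower() in HARVEST_EXTENSIONS


def blocked_by(address):
    """Exclusion strings matching an address (empty list: the worm keeps it).
    Assumed case-insensitive substring matching, which over-excludes: "TEST"
    also swallows attestation@..., "SOFT" anything at a ...soft... domain."""
    upper = address.upper()
    return [s for s in AVOIDED_SUBSTRINGS if s in upper]


def harvest_addresses(text):
    """Addresses the worm would actually mail itself to, from one file's text."""
    return sorted({a for a in EMAIL_RE.findall(text) if not blocked_by(a)})


# Constructed sample of a contacts file; not real data.
SAMPLE_TEXT = """(constructed sample of a harvested contacts file)
budi@example.co.id, rina.santoso@warnet-jaya.com
support@vendor.com; attestation@corp.example
hotnews@detik.com dewi_lestari@yahoo.com ma@uni.ac.id
"""

if __name__ == "__main__":
    for addr in EMAIL_RE.findall(SAMPLE_TEXT):
        why = blocked_by(addr)
        print(f"{addr:32} {'skipped: ' + ', '.join(why) if why else 'kept'}")
```

Run against a real mailbox export the same way: only the addresses `harvest_addresses` returns would have received kangen.exe, which is useful when scoping who else to notify after an infection. Note how the substring rule skips an Indonesian .co.id address and anything at a security vendor, but also innocent addresses that merely contain TEST or SOME.
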

The sender address is forged from some of the following strings:

  • Berita_
  • GaulNews_
  • HotNews_
  • Movie_
  • @kafegaul.com
  • @pornstargals.com

The message subject is empty.

The message body is the following (Indonesian; an English translation follows):

  • BRONTOK.A
  • -- Hentikan kebobrokan di negeri ini --
  • 1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
  • ( Send to "NUSAKAMBANGAN")
  • 2. Stop Free Sex, Absorsi, & Prostitusi
  • 3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
  • 4. SAY NO TO DRUGS !!!
  • -- KIAMAT SUDAH DEKAT --
  • Terinspirasi oleh:
  • Elang Brontok (Spizaetus Cirrhatus) yang hampir punah
  • [ By: HVM31 ]
  • -- JowoBot #VM Community --

In English:

  • BRONTOK.A
  • -- Stop the rottenness in this country --
  • 1. Put corruptors, smugglers, bribers, gamblers, & drug dealers on trial
  • ( Send to "NUSAKAMBANGAN")
  • 2. Stop free sex, abortion, & prostitution
  • 3. Stop (pollution of seas & rivers), forest burning & poaching.
  • 4. SAY NO TO DRUGS !!!
  • -- THE END OF THE WORLD IS NEAR --
  • Inspired by:
  • The nearly extinct Elang Brontok (Spizaetus Cirrhatus)
  • [ By: HVM31 ]
  • -- JowoBot #VM Community --

The attachment is a copy of the worm with the following filename ("kangen" is Indonesian for "missing you"):

  • kangen.exe

Spreading via shared folders

The worm creates the following shared folders (folder/share name):

  • %userprofile%\My Documents\MY DATA SOURCES
  • %userprofile%\My Documents\MY EBOOKS
  • %userprofile%\My Documents\MY MUSIC
  • %userprofile%\My Documents\MY PICTURES
  • %userprofile%\My Documents\MY SHAPES
  • %userprofile%\My Documents\MY VIDEOS

A copy of the worm is placed in each of them under the following name:

  • kangen.exe

The worm tries to copy itself into shared folders of machines on a local network.

Other information

The worm may attempt to perform a DoS attack on the following server(s):

  • israel.gov.il
  • playboy.com

The worm may restart the operating system.
