Win32/Brontok [Threat Name]

Win32/Brontok.BR [Threat Variant Name]

Category worm
Size 44401 B
Aliases Email-Worm.Win32.Brontok.q (Kaspersky)
  W32/Rontokbro.gen@MM.virus (McAfee)
  Worm:Win32/Brontok.BL@mm (Microsoft)
  W32.Rontokbro@mm (Symantec)
Short description

Win32/Brontok.BR is a worm that spreads via e-mail, shared folders and removable media. The file is run-time compressed using MEW.

Installation

When executed, the worm copies itself to the following locations:

  • %localappdata%\br%variable1%on.exe
  • %localappdata%\csrss.exe
  • %localappdata%\inetinfo.exe
  • %localappdata%\lsass.exe
  • %localappdata%\services.exe
  • %localappdata%\smss.exe
  • %localappdata%\winlogon.exe
  • %startup%\Empty.pif
  • %system%\%username%'s Setting.scr
  • %system%\cmd-brontok.exe
  • %system%\drivers\etc\hosts-Denied By-%username%.com
  • %templates%\14004-NendangBro.com
  • %windir%\KesenjanganSosial.exe
  • %windir%\ShellNew\RakyatKelaparan.exe

The worm creates the following files:

  • %localappdata%\Kosong.Bron.Tok.txt (51 B)
  • %userprofile%\My Pictures\about.Brontok.A.html (1064 B)

The worm creates the following folders:

  • %localappdata%\Ok-SendMail-Bron-tok
  • %localappdata%\Bron.tok-16-%variable2%
  • %localappdata%\Loc.Mail.Bron.Tok

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Bron-Spizaetus" = "%windir%\ShellNew\RakyatKelaparan.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "Explorer.exe "%windir%\KesenjanganSosial.exe""
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot]
    • "AlternateShell" = "cmd-brontok.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Tok-Cirrhatus-%variable3%" = "%localappdata%\br%variable1%on.exe"

The Winlogon "Shell" entry starts the worm alongside Explorer at every interactive logon, and the SafeBoot "AlternateShell" entry makes it the shell used in Safe Mode with Command Prompt, so booting into that mode does not avoid it.

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableRegistryTools" = 1
    • "DisableCMD" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoFolderOptions" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced]
    • "Hidden" = 0
    • "HideFileExt" = 1
    • "ShowSuperHidden" = 0

These entries disable the Registry Editor, remove the Folder Options menu item, and keep file extensions, hidden files and protected operating-system files hidden in Explorer, which conceals the worm's files and the double extensions it uses.

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "LoadService" = ""
    • "CCAPPS" = ""
    • "OSA" = ""
    • "SymRun" = ""
    • "local service" = ""
    • "Security" = ""
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "LoadService" = ""
    • "CCAPPS" = ""
    • "OSA" = ""
    • "SymRun" = ""
    • "local service" = ""
    • "Security" = ""

The worm schedules tasks (the two "at" jobs listed under the executed commands below) that cause the following file to be executed twice a day:

  • %templates%\14004-NendangBro.com

The worm replaces the following file with one downloaded from the Internet:

  • %windir%\System32\drivers\etc\hosts

This blocks access to several Internet servers.

The worm modifies the following file:

  • C:\autoexec.bat

The worm writes the following entry to the file:

  • pause

The following files are deleted:

  • %system%\ccapps.exe
  • %system%\kangen.exe
  • %system%\syslove.exe
  • %system%\winword.exe
  • %windir%\Fonts\tskmgr.exe
  • %windir%\rundll32.exe
  • %windir%\Systray.exe
  • C:\!Submit\winword.exe
  • C:\!Submit\xpshare.exe
  • C:\Windows\Systray.exe

A string with variable content is used instead of %variable1-3%.
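
The persistence entries, dropped files and hosts-file replacement above lend themselves to an offline triage check. The following Python is an added example, not ESET's code and not the worm's: it matches a snapshot of Run values, the Winlogon and SafeBoot shells, the policy values, a file listing and a hosts file against the indicators on this page. The snapshot, the user name "budi", the paths and the hosts entries are constructed sample data; on a live Windows host, build the same dictionaries and lists from `reg query`, a recursive directory listing and the real hosts file.

```python
"""Offline IOC matcher for the Win32/Brontok.BR artefacts listed above
(added example, not ESET's or the worm's code). Sample data is constructed."""
import re

HKLM, HKCU = "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"
RUN_KEYS = [HKLM + r"\Software\Microsoft\Windows\CurrentVersion\Run",
            HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run"]
WINLOGON = HKLM + r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAFEBOOT = HKLM + r"\System\CurrentControlSet\Control\SafeBoot"
POL_SYSTEM = HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POL_EXPLORER = HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Run value names from the page; %variable3% is worm-chosen, hence the prefix match.
RUN_VALUE_RE = re.compile(r"^(Bron-Spizaetus|Tok-Cirrhatus-.*)$", re.I)
# %localappdata% (XP-era and newer profile layouts) followed by a bare file name.
LOCALAPPDATA_RE = re.compile(
    r"\\(Local Settings\\Application Data|AppData\\Local)\\[^\\]+$", re.I)
# Copies that impersonate system binaries; the genuine ones run from %system% only.
IMPERSONATED = {"csrss.exe", "inetinfo.exe", "lsass.exe",
                "services.exe", "smss.exe", "winlogon.exe"}
BR_ON_RE = re.compile(r"^br.+on\.exe$", re.I)   # br%variable1%on.exe
# Remaining dropped names, matched against the tail of an absolute path;
# %username% and %variable2% are host- or worm-specific and are wildcarded.
FILE_RES = [re.compile(p, re.I) for p in (
    r"\\Startup\\Empty\.pif$", r"\\system32\\.+'s Setting\.scr$",
    r"\\system32\\cmd-brontok\.exe$", r"\\drivers\\etc\\hosts-Denied By-.+\.com$",
    r"\\14004-NendangBro\.com$", r"\\KesenjanganSosial\.exe$",
    r"\\ShellNew\\RakyatKelaparan\.exe$", r"\\Kosong\.Bron\.Tok\.txt$",
    r"\\about\.Brontok\.A\.html$", r"\\Ok-SendMail-Bron-tok$",
    r"\\Bron\.tok-16-.+$", r"\\Loc\.Mail\.Bron\.Tok$",
)]

def check_registry(reg):
    """reg maps a key path to {value_name: data}; returns readable findings."""
    findings = []
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if RUN_VALUE_RE.match(name):
                findings.append(f"Run value {name!r} -> {data!r}")
    shell = str(reg.get(WINLOGON, {}).get("Shell", "Explorer.exe")).strip()
    if shell.lower() != "explorer.exe":       # worm appends its own binary
        findings.append(f"Winlogon Shell hijacked: {shell!r}")
    alt = str(reg.get(SAFEBOOT, {}).get("AlternateShell", "cmd.exe")).strip()
    if alt.lower() != "cmd.exe":              # survives Safe Mode with Command Prompt
        findings.append(f"SafeBoot AlternateShell hijacked: {alt!r}")
    if reg.get(POL_SYSTEM, {}).get("DisableRegistryTools") == 1:
        findings.append("Registry Editor disabled by policy")
    if reg.get(POL_EXPLORER, {}).get("NoFolderOptions") == 1:
        findings.append("Folder Options removed by policy")
    return findings

def check_paths(paths):
    """Absolute, backslash-separated paths that match a dropped-file pattern."""
    hits = []
    for p in paths:
        name = p.rsplit("\\", 1)[-1].lower()
        masquerade = (LOCALAPPDATA_RE.search(p) is not None
                      and (name in IMPERSONATED or BR_ON_RE.match(name) is not None))
        if masquerade or any(r.search(p) for r in FILE_RES):
            hits.append(p)
    return hits

def check_hosts(text):
    """Hosts-file entries beyond the localhost defaults; the replacement hosts
    file the worm downloads is what blocks the servers mentioned above."""
    odd = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and any(h.lower() != "localhost" for h in fields[1:]):
            odd.append((fields[0], fields[1]))
    return odd

LAD = r"C:\Documents and Settings\budi\Local Settings\Application Data"  # made-up user
SAMPLE_REG = {  # constructed snapshot, as `reg query` would show it
    RUN_KEYS[0]: {"Bron-Spizaetus": r"C:\WINDOWS\ShellNew\RakyatKelaparan.exe",
                  "SoundMAX": r"C:\Program Files\Analog Devices\SoundMAX\SMax4.exe"},
    RUN_KEYS[1]: {"Tok-Cirrhatus-1985": LAD + r"\br1985on.exe"},
    WINLOGON: {"Shell": r'Explorer.exe "C:\WINDOWS\KesenjanganSosial.exe"'},
    SAFEBOOT: {"AlternateShell": "cmd-brontok.exe"},
    POL_SYSTEM: {"DisableRegistryTools": 1, "DisableCMD": 0},
    POL_EXPLORER: {"NoFolderOptions": 1},
}
SAMPLE_PATHS = [  # constructed listing
    r"C:\WINDOWS\system32\csrss.exe",          # genuine, must not be flagged
    LAD + r"\csrss.exe",                       # worm copy
    LAD + r"\br1985on.exe",
    LAD + r"\Loc.Mail.Bron.Tok",
    r"C:\Documents and Settings\budi\Start Menu\Programs\Startup\Empty.pif",
    r"C:\WINDOWS\system32\drivers\etc\hosts",
    r"C:\WINDOWS\system32\drivers\etc\hosts-Denied By-budi.com",
]
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 av-updates.example.com # added\n::1 localhost\n"

def scan(reg=SAMPLE_REG, paths=SAMPLE_PATHS, hosts=SAMPLE_HOSTS):
    return {"registry": check_registry(reg), "files": check_paths(paths),
            "hosts": check_hosts(hosts)}

if __name__ == "__main__":
    for section, items in scan().items():
        print(section, *items, sep="\n  ")
```

The %localappdata% match relies on the profile layout (Local Settings\Application Data on Windows XP, AppData\Local later), and because %variable1%, %variable2% and %variable3% are wildcarded, a "br...on.exe" outside %localappdata% is deliberately not flagged. The scheduled copy is best confirmed separately by looking for 14004-NendangBro.com in the output of "at".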

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • Data %username%.exe

Spreading via e-mail

Win32/Brontok.BR is a worm that spreads via e-mail.

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • .asp
  • .cfm
  • .csv
  • .eml
  • .htm
  • .html
  • .php
  • .txt
  • .wab

Addresses containing the following strings are avoided:

  • ..
  • .@
  • .AC.ID
  • .ASP
  • .CO.ID
  • .EXE
  • .GO.ID
  • .HTM
  • .JS
  • .MIL.ID
  • .NET.ID
  • .OR.ID
  • .PHP
  • .SCH.ID
  • .VBS
  • .WAR.NET.ID
  • .WEB.ID
  • @.
  • @123
  • @ABC
  • @MAC
  • ADMIN
  • ADOBE
  • AHNLAB
  • ALADDIN
  • ALERT
  • ALWIL
  • ANTIGEN
  • APACHE
  • ARCHIEVE
  • ASDF
  • ASSOCIATE
  • ASTAGA
  • AVAST
  • AVG
  • AVIRA
  • BILLING@
  • BLACK
  • BLAH
  • BLEEP
  • BOLEH
  • BROWSE
  • BUG
  • BUILDER
  • BUNTU
  • CANON
  • CILLIN
  • CISCO
  • CLICK
  • CNET
  • COMPUSE
  • COMPUTE
  • CONTOH
  • CRACK
  • DARK
  • DATABASE
  • DEMO
  • DEVELOP
  • DOMAIN
  • DOWNLOAD
  • ELECTRO
  • ELEKTRO
  • EMAILKU
  • ESAFE
  • ESAVE
  • ESCAN
  • EXAMPLE
  • FEEDBACK
  • FOO@
  • FREE
  • FUCK
  • FUJI
  • FUJITSU
  • GATEWAY
  • GAUL
  • GOOGLE
  • GRISOFT
  • GROUP
  • HACK
  • HAURI
  • HIDDEN
  • HP.
  • IBM.
  • IEEE
  • INDO
  • INFO@
  • INFORMA
  • INTEL.
  • IPTEK
  • KDE
  • KOMPUTER
  • LAB
  • LINUX
  • LOOKSMART
  • LOTUS
  • LUCENT
  • MACRO
  • MASTER
  • MATH
  • MICRO
  • MICROSOFT
  • MOZILLA
  • MYSQL
  • NASA
  • NETSCAPE
  • NETWORK
  • NEWS
  • NOD32
  • NOKIA
  • NORMAN
  • NORTON
  • NOVELL
  • NVIDIA
  • OPERA
  • OVERTURE
  • PANDA
  • PLASA
  • POSTGRE
  • PROGRAM
  • PROLAND
  • PROMO
  • PROTECT
  • PROXY
  • RECIPIENT
  • REDHA
  • REGIST
  • RELAY
  • RESPONSE
  • ROBOT
  • SALES
  • SATU
  • SECUN
  • SECURE
  • SECURITY
  • SEKUR
  • SENIOR
  • SERVER
  • SERVICE
  • SIEMENS
  • SIERRA
  • SLACK
  • SMTP
  • SOFT
  • SOME
  • SOURCE
  • SPAM
  • SPERSKY
  • SPYW
  • STUDIO
  • SUN.
  • SUPPORT
  • SUSE
  • SYBARI
  • SYMANTEC
  • SYNDICAT
  • TELECOM
  • TELKOM
  • TEST
  • TRACK
  • TREND
  • TRUST
  • UPDATE
  • USERNAME
  • VAKSIN
  • VIRUS
  • W3.
  • WWW
  • XANDROS
  • XEROX
  • XXX
  • YOUR
  • ZDNET
  • ZEND
  • ZOMBIE

The sender address is one of the following:

  • Photo_%variable%@friendster.com
  • PicSender_%variable%@friendster.com
  • Photo_%variable%@boleh.com
  • Galeri_%variable%@boleh.com

A string with variable content is used instead of %variable%.

The message depends entirely on data the worm downloads from the Internet.
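
The address filter and the spoofed sender forms above, written out as an added example in Python (not ESET's code and not the worm's own) so the selection logic can be tested: the worm harvests addresses from local files, drops any containing one of the avoided strings (compared case-insensitively), and mails from one of the four spoofed senders. AVOID holds only a subset of the avoided strings listed above; the HTML snippet and every address in it are constructed.

```python
"""Brontok.BR address filter and sender-spoof check (added example,
not ESET's or the worm's code). AVOID is a subset of the page's list."""
import re

AVOID = (
    "..", ".@", "@.", ".AC.ID", ".CO.ID", ".GO.ID", ".NET.ID", ".OR.ID", ".WEB.ID",
    ".EXE", ".HTM", ".PHP", "@123", "@ABC", "ADMIN", "ALWIL", "AVAST", "AVG", "AVIRA",
    "BILLING@", "EXAMPLE", "FOO@", "GRISOFT", "INFO@", "MICROSOFT", "NOD32", "NORTON",
    "PLASA", "SECUN", "SECURE", "SECURITY", "SPAM", "SPERSKY", "SUPPORT", "SYMANTEC",
    "TELKOM", "TEST", "VIRUS", "WWW",
)

# Loose harvesting pattern for HTML/text, not RFC 5322 validation.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def is_avoided(addr):
    """True if the worm would skip this address (substring match, case-insensitive)."""
    upper = addr.upper()
    return any(s in upper for s in AVOID)

def harvest(text):
    """Addresses in `text` the worm would keep, deduplicated, in first-seen order."""
    seen, keep = set(), []
    for m in EMAIL_RE.finditer(text):
        addr = m.group(0)
        key = addr.lower()
        if key in seen or is_avoided(addr):
            continue
        seen.add(key)
        keep.append(addr)
    return keep

# The four spoofed sender forms from the page; %variable% is a worm-chosen string.
SENDER_RE = re.compile(
    r"^(?:(?:Photo|PicSender)_[^@\s]+@friendster\.com"
    r"|(?:Photo|Galeri)_[^@\s]+@boleh\.com)$", re.I)

def is_brontok_sender(addr):
    """Gateway check: does a From: address match one of the worm's spoofed senders?"""
    return SENDER_RE.match(addr.strip()) is not None

SAMPLE_HTML = """<html><body>   <!-- constructed sample of a harvested .htm file -->
<a href="mailto:budi@yahoo.com">Budi</a>, <a href="mailto:andi@gmail.com">Andi</a>
cc: support@symantec.com, webmaster@example.org, info@foo.net, rini@telkom.net.id,
andi@GMAIL.com (duplicate), dewi@plasa.com
</body></html>"""

if __name__ == "__main__":
    print(harvest(SAMPLE_HTML))
    for a in ("Photo_7f3a@friendster.com", "Galeri_x@friendster.com"):
        print(a, is_brontok_sender(a))
```

The exclusions are what keep vendor, abuse and Indonesian institutional mailboxes (the .ID second-level domains) off the target list, which is why a sample of this worm rarely arrives at an anti-virus company by its own mailing. On a mail gateway, SENDER_RE is the cheap rule: no legitimate friendster.com or boleh.com account has a "Photo_", "PicSender_" or "Galeri_" local part followed by a random string.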

Spreading via shared folders

The worm searches for various shared folders.

The executables of the worm are copied there using the file name of a file already present in the folder, with an additional ".exe" extension appended.

Alternatively, the following name may be used:

  • Data %username%.exe

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of 4 URLs. The HTTP protocol is used.

The worm tries to download a file from the Internet. The file is then executed.

The worm performs a DoS attack against 2 servers (the ping floods listed under the executed commands below).

The worm restarts the operating system if there is a window whose title contains any of the following strings:

  • .EXE
  • BLEEPING
  • CLEANER
  • COMMAND PROMPT
  • FAJARWEB
  • GROUP POLICY
  • HIJACK
  • KILLBOX
  • LOG OFF WINDOWS
  • MOVZX
  • PROCESS EXP
  • REGISTRY
  • REMOVER
  • SCRIPT HOST
  • SHUT DOWN
  • SYSINTERNAL
  • SYSTEM CONFIGURATION
  • TASK KILL
  • TASKKILL

The following programs are terminated:

  • ashmaisv.exe
  • aswupdsv.exe
  • avgemc.exe
  • ccapps.exe
  • cclaw.exe
  • mcvsescn.exe
  • nipsvc.exe
  • njeeves.exe
  • nvcoas.exe
  • poproxy.exe
  • riyani_jangkaru.exe
  • syslove.exe
  • systray.exe
  • tskmgr.exe
  • xpshare.exe

The worm executes the following commands:

  • at /delete /y
  • at 17:08 /every:M,T,W,Th,F,S,Su "%templates%\14004-NendangBro.com"
  • at 11:03 /every:M,T,W,Th,F,S,Su "%templates%\14004-NendangBro.com"
  • ping kaskus.com -n 250 -l 747
  • ping 17tahun.com -n 250 -l 747

The worm searches for files which contain any of the following strings in their file name:

  • .DOC.EXE
  • .XLS.EXE
  • PATAH
  • HATI
  • CINTA
  • UNTUKMU
  • DATA-TEMEN
  • RIYANI
  • JANGKARU
  • KANGEN
  • JROX
  • kangen.exe
  • untukmu.exe
  • myheart.exe
  • my heart.exe
  • jangan dibuka.exe

The worm then deletes the found files.

The worm searches local drives for files with the following file extensions:

  • .pdf
  • .xls
  • .ppt

When the worm finds a file matching the search criteria, it creates a new copy of itself.

The file name and extension of the newly created file are derived from the original one, with an additional ".exe" extension appended (a document named "report.pdf" gets a copy named "report.pdf.exe"). Because the worm also sets "HideFileExt" = 1, Explorer shows such a copy under the original document's name.
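
The same naming trick appears twice on this page: in shared folders the copy takes the name of an existing file plus ".exe", and for local .pdf, .xls and .ppt documents it takes the document's name plus ".exe". The following Python is an added example, not ESET's code and not the worm's: it derives the companion name, shows what Explorer displays once "HideFileExt" = 1 is set, and finds such companions in a folder listing. The listing and its file names are constructed; for real use, feed find_companions() the output of os.listdir() on a share or document folder.

```python
"""Double-extension companion files as used by Win32/Brontok.BR
(added example, not ESET's or the worm's code). The listing is constructed."""
import os

DOC_EXTS = {".pdf", ".xls", ".ppt"}   # extensions the worm searches for (from the page)

def companion_name(filename):
    """Name of the worm copy created beside a document or share file."""
    return filename + ".exe"

def explorer_display_name(filename, hide_file_ext=True):
    """What Explorer shows with "HideFileExt" = 1 (the value the worm sets):
    the registered last extension is hidden, so 'report.pdf.exe' reads 'report.pdf'."""
    if hide_file_ext and "." in filename:
        return filename.rsplit(".", 1)[0]
    return filename

def find_companions(listing, exts=DOC_EXTS):
    """Names ending in ".exe" whose remainder either carries a document extension
    or names a file that is itself present in the listing (the share case, where
    any existing file name is reused)."""
    present = {n.lower() for n in listing}
    found = []
    for n in sorted(listing):
        if not n.lower().endswith(".exe"):
            continue
        base = n[:-4]
        if os.path.splitext(base)[1].lower() in exts or base.lower() in present:
            found.append(n)
    return found

def is_data_dropper(filename):
    """The removable-media and share name "Data %username%.exe"."""
    return filename.startswith("Data ") and filename.lower().endswith(".exe")

SAMPLE_LISTING = [  # constructed share listing; "budi" is a made-up user name
    "Laporan Keuangan.xls", "Laporan Keuangan.xls.exe",
    "brosur.pdf", "readme.txt", "readme.txt.exe",
    "setup.exe", "Data budi.exe",
]

if __name__ == "__main__":
    for n in find_companions(SAMPLE_LISTING):
        print(f"{n!r} shows in Explorer as {explorer_display_name(n)!r}")
    print([n for n in SAMPLE_LISTING if is_data_dropper(n)])
```

A plain "setup.exe" is not reported, since neither rule applies to it; "readme.txt.exe" is reported only because "readme.txt" sits beside it, which is exactly the share-spreading pattern described above.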


The worm displays a message.