Win32/Pazetus [Threat Name]

Win32/Pazetus.A [Threat Variant Name]

Category worm
Detection created Mar 03, 2006
Detection database version 1428
Short description

Win32/Pazetus.A is a worm that spreads via e-mail. The file is run-time compressed using MEW.

Installation

When executed, the worm copies itself to the following locations (<%variable%> stands for a string that differs between infections):

  • %windir%\komodo-6<%variable%>2.exe
  • %windir%\cinderawasih-4<%variable%>7.exe
  • %windir%\_default<%variable%>.pif
  • %system%\c_<%variable%>k.com
  • %system%\<%variable%>\smss.exe
  • %system%\<%variable%>\zh59<%variable%>84y.exe
  • %system%\<%variable%>\winlogon.exe
  • %system%\<%variable%>\services.exe
  • %system%\<%variable%>\csrss.exe
  • %system%\<%variable%>\lsass.exe
  • %windir%\<%variable%>\smss.exe
  • %userprofile%\Local Settings\Application Data\jalak-93<%variable%>15-bali.com
  • %userprofile%\Local Settings\Application Data\dv6<%variable%>0x\yesbron.com

The following files are dropped:

  • %windir%\Tasks\At1.job
  • %windir%\Tasks\At2.job
  • Baca Bro !!!.txt
  • c.bron.tok.txt

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Bron-Spizaetus-2643REPM]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus-2643REPM]
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-3444Admc]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Tok-Cirrhatus-3444Admc]

The entries contain paths to the worm's executables. Because the Winlogon Shell and Userinit values and the SafeBoot AlternateShell value are replaced, the worm also starts when Windows is booted in Safe Mode.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
    • "NextAtJobId" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "HideFileExt" = 1
    • "Hidden" = 0
    • "ShowSuperHidden" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableRegistryTools" = 1

The Explorer settings hide file extensions and hidden/system files so the worm's copies are less visible, and "DisableRegistryTools" = 1 blocks Registry Editor; "NextAtJobId" = 3 reflects the two At*.job scheduled tasks dropped above.

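
The following triage script is an added example for this page; it is not ESET's code and not part of the worm. It checks, on a live host, the dropped scheduled-task files and the persistence points listed above and reports anything that points somewhere unexpected. It is written for Windows PowerShell 2.0 so that it runs on the XP-era systems this worm targets. Assumptions that the page does not state: the legitimate Winlogon Shell value is "explorer.exe", the legitimate Userinit value is "<SystemRoot>\system32\userinit.exe,", the legitimate SafeBoot AlternateShell is "cmd.exe", and the Run-key value names are matched on the prefixes Bron-Spizaetus- and Tok-Cirrhatus- because the suffix varies between samples.

```powershell
# Added triage script (not from the ESET page or the worm). Run from an elevated
# PowerShell on the suspect host. Assumed clean values are marked as such.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Location, $Value) {
    $findings.Add((New-Object PSObject -Property @{ Location = $Location; Value = "$Value" }))
}

# 1. Winlogon Shell / Userinit: the worm replaces these with paths to its copies.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($wl.Shell -and $wl.Shell -ne 'explorer.exe') { Add-Finding "$winlogon\Shell" $wl.Shell }   # assumed clean: explorer.exe
$userinitOk = '^' + [regex]::Escape("$env:SystemRoot\system32\userinit.exe") + ',?$'          # assumed clean value
if ($wl.Userinit -and $wl.Userinit -notmatch $userinitOk) { Add-Finding "$winlogon\Userinit" $wl.Userinit }

# 2. SafeBoot AlternateShell (assumed clean value: cmd.exe).
$safeboot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$sb = Get-ItemProperty -Path $safeboot -ErrorAction SilentlyContinue
if ($sb.AlternateShell -and $sb.AlternateShell -ne 'cmd.exe') { Add-Finding "$safeboot\AlternateShell" $sb.AlternateShell }

# 3. Run and Policies\Explorer\Run keys in HKLM and HKCU, matched on the value-name prefixes.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^(Bron-Spizaetus|Tok-Cirrhatus)-') { Add-Finding "$key\$($p.Name)" $p.Value }
    }
}

# 4. Registry-tools lockout. The Explorer view values the worm sets (HideFileExt = 1,
#    ShowSuperHidden = 0) are also the Windows defaults, so they are not reported.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if ($pol.DisableRegistryTools -eq 1) { Add-Finding "$polKey\DisableRegistryTools" 1 }

# 5. Dropped scheduled-task files.
foreach ($job in 'At1.job', 'At2.job') {
    $path = Join-Path $env:SystemRoot "Tasks\$job"
    if (Test-Path -LiteralPath $path) { Add-Finding 'Scheduled task' $path }
}

# 6. Copies named like core system processes but placed in a subfolder of %windir%
#    or %system%. XP keeps legitimate copies in dllcache and service-pack folders,
#    so those are skipped; confirm any hit by hashing the file.
$sysNames  = 'smss.exe', 'winlogon.exe', 'services.exe', 'csrss.exe', 'lsass.exe'
$cacheDirs = '^(dllcache|ServicePackFiles|WinSxS|ReinstallBackups|\$Nt.*)$'
foreach ($root in @($env:SystemRoot, (Join-Path $env:SystemRoot 'system32'))) {
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -notmatch $cacheDirs } |
        ForEach-Object {
            Get-ChildItem -LiteralPath $_.FullName -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer -and ($sysNames -contains $_.Name) } |
                ForEach-Object { Add-Finding 'Suspect copy' $_.FullName }
        }
}

# 7. .com files under Local Settings\Application Data (the worm's per-user copies use that extension).
$localData = if ($env:LOCALAPPDATA) { $env:LOCALAPPDATA } else { Join-Path $env:USERPROFILE 'Local Settings\Application Data' }
Get-ChildItem -LiteralPath $localData -Recurse -Filter '*.com' -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { Add-Finding 'Suspect per-user copy' $_.FullName }

if ($findings.Count -eq 0) { 'No Pazetus persistence indicators found.' }
else { $findings | Format-Table -Property Location, Value -AutoSize }
```

A hit on the Winlogon, SafeBoot or Run-key checks is strong evidence on its own; a "Suspect copy" hit should be confirmed by hashing the file and comparing it against a known-good binary before anything is deleted, and the DisableRegistryTools policy must be cleared before regedit.exe can be used for cleanup.
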
Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • .asp
  • .cfm
  • .csv
  • .doc
  • .eml
  • .html
  • .php
  • .txt
  • .wab

Addresses containing the following strings are avoided:

  • .CA.COM
  • @123
  • @ABC
  • @MAC
  • abuse
  • acer
  • ADMIN
  • ADOBE
  • AHNLAB
  • ALADDIN
  • ALERT
  • ALWIL
  • anony
  • ANTIGEN
  • APACHE
  • ARCHIEVE
  • ASDF
  • ASSOCIATE
  • AVAST
  • AVIRA
  • BILLING@
  • BLACK
  • BLAH
  • BLEEP
  • borland
  • BROWSE
  • BUILDER
  • BUNTU
  • CANON
  • CASTLE
  • CILLIN
  • CISCO
  • CLICK
  • CNET
  • code
  • coding
  • compaq
  • COMPUSE
  • COMPUTE
  • CONTOH
  • CRACK
  • DARK
  • DATABASE
  • DEMO
  • detik
  • DEVELOP
  • DOMAIN
  • DOWNLOAD
  • ELECTRO
  • ELEKTRO
  • ESAFE
  • ESAVE
  • ESCAN
  • EXAMPLE
  • FEEDBACK
  • FOO@
  • FREE
  • FUCK
  • FUJI
  • FUJITSU
  • GATEWAY
  • GOOGLE
  • GRISOFT
  • GROUP
  • guru
  • HACK
  • HAURI
  • HELP
  • HIDDEN
  • IBM.
  • IEEE
  • INFO@
  • INFORMA
  • INTEL.
  • IPTEK
  • IRFANVIEW
  • KOMPUTER
  • LINUX
  • LOOKSMART
  • LOTUS
  • LUCENT
  • MACRO
  • MASTER
  • MATH
  • MICRO
  • MICROSOFT
  • MOZILLA
  • MSDN
  • MYSQL
  • NASA
  • NETSCAPE
  • NETWORK
  • NEWS
  • NOD32
  • NOKIA
  • NONE
  • NORMAN
  • NORTON
  • NOVELL
  • NVIDIA
  • OPERA
  • OVERTURE
  • PANDA
  • POSTGRE
  • PROGRAM
  • PROLAND
  • PROMO
  • PROTECT
  • PROXY
  • RECIPIENT
  • REDHA
  • REGIST
  • RELAY
  • RESPONSE
  • ROBOT
  • SALES
  • script
  • SECUN
  • SECURE
  • SECURITY
  • SEKUR
  • SENIOR
  • SERVER
  • SERVICE
  • SIEMENS
  • SIERRA
  • SLACK
  • SMTP
  • SOFT
  • SOME
  • SOURCE
  • SPAM
  • SPERSKY
  • SPYW
  • STUDIO
  • SUN.
  • SUPPORT
  • SUSE
  • SYBARI
  • SYMANTEC
  • SYNDICAT
  • TELECOM
  • TEST
  • torvald
  • TRACK
  • TREND
  • trovald
  • TRUST
  • UPDATE
  • USERNAME
  • VAKSIN
  • VIRUS
  • WINRAR
  • WINZIP
  • XANDROS
  • XEROX
  • yahoo
  • YOUR
  • ZDNET
  • ZEND
  • ZOMBIE
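
The function below is an added example, not ESET's code and not the worm's; it reproduces the address-selection rule described above so an analyst can see which addresses found in a scanned file would actually have been mailed. Two points are assumptions rather than facts from the page: that the avoid-strings are matched as case-insensitive substrings (the page lists them in mixed case), and that the worm's own address parser resembles the simple pattern used here. The avoid-list in the code is a subset of the page's list, and the sample text is constructed.

```powershell
# Added example (not from the ESET page or the worm): which harvested addresses
# survive the avoid-list. Assumptions: case-insensitive substring matching; the
# address regex is an approximation of the worm's undocumented parser.

# Subset of the page's avoid-list, in the page's mixed case.
$avoidList = @(
    '.CA.COM', '@123', 'abuse', 'ADMIN', 'AVAST', 'BILLING@', 'CONTOH', 'EXAMPLE',
    'FOO@', 'INFO@', 'MICROSOFT', 'NOD32', 'SECURITY', 'SUPPORT', 'TEST', 'VIRUS', 'yahoo'
)
# Extensions of the local files the worm scans (from the page).
$scannedExtensions = '.asp', '.cfm', '.csv', '.doc', '.eml', '.html', '.php', '.txt', '.wab'

function Test-ScannedFile([string]$Path) {
    # -contains is case-insensitive for strings, so .TXT and .txt both qualify.
    $scannedExtensions -contains [System.IO.Path]::GetExtension($Path)
}

function Get-HarvestedAddress([string]$Text) {
    $pattern = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
    $seen = @{}
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $key = $m.Value.ToLower()
        if (-not $seen.ContainsKey($key)) { $seen[$key] = $true; $m.Value }   # de-duplicate case-insensitively
    }
}

function Test-AvoidedAddress([string]$Address, [string[]]$Avoid) {
    foreach ($s in $Avoid) {
        if ($Address.IndexOf($s, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

function Select-TargetAddress([string]$Text, [string[]]$Avoid) {
    Get-HarvestedAddress $Text | Where-Object { -not (Test-AvoidedAddress $_ $Avoid) }
}

# Constructed sample standing in for the contents of a scanned .html or .txt file.
$sample = @'
budi@contoh.co.id, info@vendor.example ; rini@mail.net
<a href="mailto:sales@shop.example">Sales</a>  admin@corp.id
joe.user@gmail.com  abuse@isp.net  alice@yahoo.com  Joe.User@GMAIL.com
'@

Test-ScannedFile 'C:\Documents and Settings\budi\My Documents\contacts.TXT'   # True
Select-TargetAddress $sample $avoidList
# Only rini@mail.net and joe.user@gmail.com are returned: every other address contains
# CONTOH, INFO@/EXAMPLE, ADMIN, abuse or yahoo, and the upper-case duplicate is collapsed.
```

The avoid-list is what makes the worm's spam look "quiet" to vendors and abuse desks: anything that resembles a security company, a role mailbox (abuse, info@, billing@, sales) or a test address is skipped, so reports reach those mailboxes late. Mail-gateway rules written for this family should therefore not rely on the worm ever mailing such an address.
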

Subject of the message is one of the following:

  • Foto Liburanku di Bali (Indonesian: "My Vacation Photos in Bali")
  • My Photo on Paris

Body of the message is one of the following:

  • Hi, This photo was taken from my vacation on Paris, last week. Wishing you always remember me. Regards,
  • Halo Sobat, Ini fotoku saat liburan di Bali. Semoga kamu jadi ingat aku terus. Terima kasih, (Indonesian: "Hello friend, this is my photo from my vacation in Bali. I hope you will always remember me. Thank you,")

The attachment is a ZIP archive containing an executable.

Its filename is the following:

  • Picture.zip

The executable is approximately 5 kB in size. It is a downloader: it retrieves the remaining part of the infiltration.

The archive also contains a BAT file.

Other information

Windows whose title contains one of the following strings are minimised, which hinders the listed analysis and removal tools:

  • .exe
  • anti
  • brontokwasher.exe
  • brownies.exe
  • CLEANER
  • cmd.exe
  • command prompt
  • computer management
  • ertanto
  • group policy
  • hijack
  • hijackthis.exe
  • killbox
  • killbox.exe
  • mmc.exe
  • movzx
  • msconfig.exe
  • PROCESS EXP
  • procexp.exe
  • regedit.exe
  • registry
  • REMOVER
  • scheduled task
  • SYSINTERNAL
  • system configuration
  • washer

The following text is displayed:

  • ######################### BRONTOK.C[19] #########################
  • -- Hentikanlah kebobrokan di negeri ini -- (Indonesian: "Put an end to the rottenness in this country")
  • 1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA ("1. Imprison corruptors, smugglers, bribe-takers, & DRUG dealers")
  • ( Send To NUSAKAMBANGAN )
  • 2. Stop Free Sex, Aborsi, & Prostitusi ("2. Stop free sex, abortion, & prostitution")
  • ( Go To HELL )
  • 3. Stop Pencemaran Alam, Pembakaran Hutan & Perburuan Liar. ("3. Stop pollution of nature, forest burning & poaching.")
  • 4. SAY NO TO DRUGS !!!
  • -- Spizaetus Cirrhatus --
  • [   By JowoBot   ]
    • +++++0000++++00000++++0000+++0+++++0++0000000+++0000+++0+++0+++++
    • +++++0++++0++0++++0++0++++0++00++++0+++++0+++++0++++0++0++0++++++
    • +++++0++++0++0++++0++0++++0++0+0+++0+++++0+++++0++++0++0+0+++++++
    • +++++00000+++00000+++0++++0++0++0++0+++++0+++++0++++0++00++++++++
    • +++++0++++0++0++0++++0++++0++0+++0+0+++++0+++++0++++0++0+0+++++++
    • +++++0++++0++0+++0+++0++++0++0++++00+++++0+++++0++++0++0++0++++++
    • +++++0000++++0++++0+++0000+++0+++++0+++++0++++++0000+++0+++0+++++
    • ~~ Sedikit Jawaban  u/ Membungkam Mulut Sesumbar ~~ ("A short answer to silence a boastful mouth")
    • Nobron = Otak Kosong, Mulut Besar, Cuma Bisa Baca Puisi ("Nobron = Empty head, big mouth, can only read poetry")
    • Nobron = Satria Dungu = Nothing !!! ("Nobron = Dim-witted knight = Nothing !!!")
  • [   By JowoBot   ]
