Win32/Brontok [Threat Name]

Win32/Brontok.T [Threat Variant Name]

Category: worm
Size: 42065 B
Detection created: Nov 21, 2005
Detection database version: 1296
Aliases: Email-Worm.Win32.Brontok.q (Kaspersky), W32/Rontokbro.gen@MM (McAfee), W32.Rontokbro@mm (Symantec)
Short description

Win32/Brontok.T is a worm that spreads via e-mail and shared folders.

Installation

When executed, the worm copies itself to the following locations:

  • %startup%\Empty.pif
  • %userprofile%\Local Settings\Application Data\smss.exe
  • %userprofile%\Local Settings\Application Data\services.exe
  • %userprofile%\Local Settings\Application Data\lsass.exe
  • %userprofile%\Local Settings\Application Data\inetinfo.exe
  • %userprofile%\Local Settings\Application Data\csrss.exe
  • %userprofile%\Local Settings\Application Data\winlogon.exe
  • %userprofile%\Templates\WowTumpeh.com
  • %windir%\eksplorasi.exe
  • %windir%\ShellNew\bronstab.exe
  • %windir%\system32\%username%s Setting.scr

The file is copied in the following folders as well:

  • MY DATA SOURCES
  • MY DOCUMENTS
  • MY EBOOKS
  • MY MUSIC
  • MY PICTURES
  • MY SHAPES
  • MY VIDEOS

The filename used is the same as that of a file already present in the folder in question, with an additional ".exe" extension appended.


In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    • "Bron-Spizaetus" = "%windir%\ShellNew\bronstab.exe"
  • [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    • "Tok-Cirrhatus" = "%userprofile%\Local Settings\Application Data\smss.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
    • "Explorer.exe" = "%windir%\eksplorasi.exe"
  • [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System]
    • "DisableRegistryTools" = 1
    • "NoFolderOptions" = 1
  • [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\Explorer]
    • "DisableCMD" = 0
  • [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced]
    • "Hidden" = 0
    • "ShowSuperHidden" = 0
    • "HideFileExt" = 1
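As an added example (not part of the ESET description), the following Python checks a decoded `reg export` of an affected profile for the persistence entries listed above: the two Run value names, value data pointing at the dropped executables (which also catches the hijacked Winlogon entry), and the DisableRegistryTools/NoFolderOptions lockdowns. The Explorer\advanced values are deliberately not used as indicators, because Windows defaults can produce the same data; the sample export is constructed, not a real capture.

```python
import re

# Indicators from the Win32/Brontok.T description: Run value names, dropped executables, policy lockdowns.
RUN_VALUE_NAMES = {"bron-spizaetus", "tok-cirrhatus"}
DROPPED_FILE_MARKERS = ("eksplorasi.exe", "bronstab.exe",
                        r"local settings\application data\smss.exe")
LOCKDOWNS = {  # (key suffix, value name): value the worm sets
    (r"policies\system", "disableregistrytools"): 1,
    (r"policies\system", "nofolderoptions"): 1,
}

def parse_reg_export(text):
    """Parse decoded 'reg export' (.reg) text into {key: {name: value}}, lower-cased."""
    reg, key = {}, None
    for line in (raw_line.strip() for raw_line in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg.setdefault(key, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and key is not None:
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith("dword:"):
                reg[key][name] = int(raw[6:], 16)
            else:  # REG_SZ: strip the quotes and unescape doubled backslashes
                reg[key][name] = raw.strip('"').replace("\\\\", "\\")
    return reg

def brontok_indicators(reg):
    """Return (key, name, value) triples that match the Brontok.T persistence."""
    hits = []
    for key, values in reg.items():
        for name, value in values.items():
            data = value.lower() if isinstance(value, str) else ""
            if ((key.endswith(r"\currentversion\run") and name in RUN_VALUE_NAMES)
                    or any(mark in data for mark in DROPPED_FILE_MARKERS)
                    or any(key.endswith(suffix) and name == vname and value == bad
                           for (suffix, vname), bad in LOCKDOWNS.items())):
                hits.append((key, name, value))
    return hits

# Constructed sample export (not a real capture) of an affected user profile.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\smss.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"NoFolderOptions"=dword:00000000
"""
```

Real .reg exports are UTF-16 with a BOM, so decode the file before passing it in; `brontok_indicators(parse_reg_export(SAMPLE_REG))` returns the Run entry and the DisableRegistryTools lockdown.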

The worm schedules a task that causes the following file to be executed daily:

  • %userprofile%\Templates\WowTumpeh.com

The worm replaces the following file with one downloaded from the Internet:

  • %windir%\System32\drivers\etc\hosts

This blocks access to several Internet servers.

The following files are deleted:

  • folder.htt
  • IDTemplate.exe
  • jangan dibuka.exe
  • kangen.exe
  • myheart.exe
  • my heart.exe
  • untukmu.exe
  • %userprofile%\Templates\A.kotnorB.com
  • %userprofile%\Templates\bararontok.com
  • %windir%\eksplorasi.pif
  • %windir%\ShellNew\ElnorB.exe
  • %windir%\system32\3D Animation.scr

The worm may delete various other files.

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • asp
  • cfm
  • csv
  • eml
  • htm
  • html
  • php
  • txt
  • wab

Addresses containing the following strings are avoided:

  • ...XXX
  • .@
  • .ASP
  • .EXE
  • .HTM
  • .JS
  • .PHP
  • .VBS
  • @.
  • @123
  • @ABC
  • @MAC
  • ADMIN
  • ADOBE
  • AHNLAB
  • ALADDIN
  • ALERT
  • ALWIL
  • ANTIGEN
  • APACHE
  • ARCHIEVE
  • ASDF
  • ASSOCIATE
  • AVAST
  • AVG
  • AVIRA
  • BILLING@
  • BLACK
  • BLAH
  • BLEEP
  • BUG
  • BUILDER
  • BUNTU
  • CANON
  • CILLIN
  • CISCO
  • CLICK
  • CNET
  • COMPUSE
  • COMPUTE
  • CONTOH
  • CRACK
  • DARK
  • DATABASE
  • DEMO
  • DEVELOP
  • DOMAIN
  • DOWNLOAD
  • ELECTRO
  • ELEKTRO
  • ESAFE
  • ESAVE
  • ESCAN
  • EXAMPLE
  • FEEDBACK
  • FOO@
  • FREE
  • FUCK
  • FUJI
  • FUJITSU
  • GATEWAY
  • GOOGLE
  • GRISOFT
  • GROUP
  • HACK
  • HAURI
  • HIDDEN
  • HP.
  • IBM.
  • IEEE
  • INFO@
  • INFORMA
  • INTEL.
  • IPTEK
  • KDE
  • KOMPUTER
  • LAB
  • LINUX
  • LOOKSMART
  • LOTUS
  • LUCENT
  • MACRO
  • MASTER
  • MATH
  • MICRO
  • MICROSOFT
  • MOZILLA
  • MYSQL
  • NASA
  • NETSCAPE
  • NETWORK
  • NEWS
  • NOD32
  • NOKIA
  • NORMAN
  • NORTON
  • NOVELL
  • NVIDIA
  • OPERA
  • OVERTURE
  • PANDA
  • POSTGRE
  • PROGRAM
  • PROLAND
  • PROMO
  • PROTECT
  • PROXY
  • RECIPIENT
  • REDHA
  • REGIST
  • RELAY
  • RESPONSE
  • ROBOT
  • SALES
  • SECUN
  • SECURE
  • SECURITY
  • SEKUR
  • SENIOR
  • SERVER
  • SERVICE
  • SIEMENS
  • SIERRA
  • SLACK
  • SMTP
  • SOFT
  • SOME
  • SOURCE
  • SPAM
  • SPERSKY
  • SPYW
  • STUDIO
  • SUN.
  • SUPPORT
  • SUSE
  • SYBARI
  • SYMANTEC
  • SYNDICAT
  • TELECOM
  • TEST
  • TRACK
  • TREND
  • TRUST
  • UPDATE
  • USERNAME
  • VAKSIN
  • VIRUS
  • W3.
  • WWW
  • XANDROS
  • XEROX
  • YAHOO
  • YOUR
  • ZDNET
  • ZEND
  • ZOMBIE

The sender address is one of the following:

  • Berita__XX@kafegaul.com
  • GaulNew_XX@kafegaul.com
  • HotNews_XX@playboy.com
  • Movie_XX@playboy.com

The message depends entirely on data the worm downloads from the Internet.

Spreading via shared folders

The worm searches for various shared folders. The executables of the worm are copied there using the filename of a file already present in the folder, with an additional ".exe" extension appended.

Alternatively, the following name may be used:

  • Data %username%.exe

It also copies itself into the root folders of removable drives.

Other information

The following text is displayed:

  • BRONTOK.A[10]
  • -- Hentikan kebobrokan di negeri ini --
  • 1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA
  • ( Send to "NUSAKAMBANGAN")
  • 2. Stop Free Sex, Aborsi, & Prostitusi
  • ( Go To HELL )
  • 3. Stop pencemaran lingkungan, pembakaran hutan & perburuan liar.
  • 4. SAY NO TO FRUGS !!!
  • -- KIAMAT SUDAH DEKAT --
  • Terinspirasi oleh:
  • Elang Brontok (Spizaetus Cirrhatus) yang hampir punah
  • [ By: HVM31 ]
    • -- JowoBot #VM Community --
    • !!! Akan Kubuat Mereka (VM lokal yg cengeng & bodoh) Terkapar !!!

The following programs are terminated:

  • avgemc.exe
  • ccapps.exe
  • mcvsescn.exe
  • poproxy.exe
  • riyani_jangkaru.exe
  • syslove.exe
  • systray.exe
  • tskmgr.exe
  • xpshare.exe

The worm restarts the operating system if there is a window whose title contains any of the following strings:

  • .EXE
  • COMMAND PROMPT
  • KILLBOX
  • LOG OFF WINDOWS
  • REGISTRY
  • SCRIPT HOST
  • SHUT DOWN
  • SYSTEM CONFIGURATION
  • TASKKILL
  • TASK KILL

The worm performs a DoS attack against 2 servers.

The worm tries to download a file from the Internet. The file is then executed.
