Win32/Brontok [Threat Name]
Win32/Brontok.T [Threat Variant Name]
Category | worm |
Size | 42065 B |
Aliases | Email-Worm.Win32.Brontok.q (Kaspersky), W32/Rontokbro.gen@MM (McAfee), W32.Rontokbro@mm (Symantec) |
Short description
Win32/Brontok.T is a worm that spreads via e-mail and shared folders.
Installation
When executed, the worm copies itself to the following locations:
- %startup%\Empty.pif
- %userprofile%\Local Settings\Application Data\smss.exe
- %userprofile%\Local Settings\Application Data\services.exe
- %userprofile%\Local Settings\Application Data\lsass.exe
- %userprofile%\Local Settings\Application Data\inetinfo.exe
- %userprofile%\Local Settings\Application Data\csrss.exe
- %userprofile%\Local Settings\Application Data\winlogon.exe
- %userprofile%\Templates\WowTumpeh.com
- %windir%\eksplorasi.exe
- %windir%\ShellNew\bronstab.exe
- %windir%\system32\%username%s Setting.scr
The file is copied in the following folders as well:
- MY DATA SOURCES
- MY DOCUMENTS
- MY EBOOKS
- MY MUSIC
- MY PICTURES
- MY SHAPES
- MY VIDEOS
The filename used is the same as the name of a file already present in the particular folder, with an additional ".exe" extension appended.
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
- "Bron-Spizaetus" = "%windir%\ShellNew\bronstab.exe"
- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
- "Tok-Cirrhatus" = "%userprofile%\Local Settings\Application Data\smss.exe"
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
- "Explorer.exe" = "%windir%\eksplorasi.exe"
- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System]
- "DisableRegistryTools" = 1
- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System]
- "NoFolderOptions" = 1
- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\Explorer]
- "DisableCMD" = 0
- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced]
- "Hidden" = 0
- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced]
- "ShowSuperHidden" = 0
- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced]
- "HideFileExt" = 1
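Two of the behaviours above lend themselves to host triage: the "existing filename plus .exe" companion copies dropped into document folders and shares, and the Explorer/Policies values that hide extensions and hidden files while blocking regedit. The following is an added example, not ESET's code; it works on data already exported from a host (a folder listing and a dump of the listed registry values), and the sample inputs are constructed.

```python
"""Offline triage helpers for the Win32/Brontok.T behaviours described above."""


def find_companion_executables(listing):
    """Return files named <existing file>.exe that sit beside the file whose
    name they reuse (the worm's 'append .exe to an existing filename' drop).
    Windows names are case-insensitive, so compare in lower case."""
    names = {n.lower() for n in listing}
    hits = []
    for name in listing:
        low = name.lower()
        if low.endswith(".exe") and low[:-4] in names:
            hits.append(name)
    return sorted(hits)


# Explorer / Policies values the description lists, keyed by value name.
# HideFileExt = 1 is also the Windows default, so only the full combination
# (extensions hidden, hidden/super-hidden files concealed, regedit and the
# Folder Options dialog disabled) is a meaningful indicator.
BRONTOK_POSTURE = {
    "DisableRegistryTools": 1,
    "NoFolderOptions": 1,
    "Hidden": 0,
    "ShowSuperHidden": 0,
    "HideFileExt": 1,
}


def matching_posture_values(reg_values):
    """Return the value names whose current data equal the settings the worm
    applies; reg_values is a dict of value name -> DWORD data as exported
    from the user's Explorer\\Advanced and Policies keys."""
    return sorted(k for k, v in BRONTOK_POSTURE.items() if reg_values.get(k) == v)


def posture_fully_matches(reg_values):
    """True only when every listed value is set the way the worm leaves it."""
    return len(matching_posture_values(reg_values)) == len(BRONTOK_POSTURE)


# Constructed sample: a "My Documents" listing and an exported value dump.
SAMPLE_LISTING = ["budget.xls", "Budget.xls.exe", "notes.txt", "notes.txt.exe", "setup.exe"]
SAMPLE_REG = {"DisableRegistryTools": 1, "NoFolderOptions": 1, "DisableCMD": 0,
              "Hidden": 0, "ShowSuperHidden": 0, "HideFileExt": 1}

if __name__ == "__main__":
    print(find_companion_executables(SAMPLE_LISTING))
    print(matching_posture_values(SAMPLE_REG), posture_fully_matches(SAMPLE_REG))
```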
The worm schedules a task that causes the following file to be executed daily:
- %userprofile%\Templates\WowTumpeh.com
The worm replaces the following file with one downloaded from the Internet:
- %windir%\System32\drivers\etc\hosts
This blocks access to several Internet servers.
The following files are deleted:
- folder.htt
- IDTemplate.exe
- jangan dibuka.exe
- kangen.exe
- myheart.exe
- my heart.exe
- untukmu.exe
- %userprofile%\Templates\A.kotnorB.com
- %userprofile%\Templates\bararontok.com
- %windir%\eksplorasi.pif
- %windir%\ShellNew\ElnorB.exe
- %windir%\system32\3D Animation.scr
The worm may delete various other files.
Spreading via e-mail
E-mail addresses for further spreading are searched for in local files with one of the following extensions:
- asp
- cfm
- csv
- eml
- htm
- html
- php
- txt
- wab
Addresses containing the following strings are avoided:
- ...XXX
- .@
- .ASP
- .EXE
- .HTM
- .JS
- .PHP
- .VBS
- @.
- @123
- @ABC
- @MAC
- ADMIN
- ADOBE
- AHNLAB
- ALADDIN
- ALERT
- ALWIL
- ANTIGEN
- APACHE
- ARCHIEVE
- ASDF
- ASSOCIATE
- AVAST
- AVG
- AVIRA
- BILLING@
- BLACK
- BLAH
- BLEEP
- BUG
- BUILDER
- BUNTU
- CANON
- CILLIN
- CISCO
- CLICK
- CNET
- COMPUSE
- COMPUTE
- CONTOH
- CRACK
- DARK
- DATABASE
- DEMO
- DEVELOP
- DOMAIN
- DOWNLOAD
- ELECTRO
- ELEKTRO
- ESAFE
- ESAVE
- ESCAN
- EXAMPLE
- FEEDBACK
- FOO@
- FREE
- FUCK
- FUJI
- FUJITSU
- GATEWAY
- GRISOFT
- GROUP
- HACK
- HAURI
- HIDDEN
- HP.
- IBM.
- IEEE
- INFO@
- INFORMA
- INTEL.
- IPTEK
- KDE
- KOMPUTER
- LAB
- LINUX
- LOOKSMART
- LOTUS
- LUCENT
- MACRO
- MASTER
- MATH
- MICRO
- MICROSOFT
- MOZILLA
- MYSQL
- NASA
- NETSCAPE
- NETWORK
- NEWS
- NOD32
- NOKIA
- NORMAN
- NORTON
- NOVELL
- NVIDIA
- OPERA
- OVERTURE
- PANDA
- POSTGRE
- PROGRAM
- PROLAND
- PROMO
- PROTECT
- PROXY
- RECIPIENT
- REDHA
- REGIST
- RELAY
- RESPONSE
- ROBOT
- SALES
- SECUN
- SECURE
- SECURITY
- SEKUR
- SENIOR
- SERVER
- SERVICE
- SIEMENS
- SIERRA
- SLACK
- SMTP
- SOFT
- SOME
- SOURCE
- SPAM
- SPERSKY
- SPYW
- STUDIO
- SUN.
- SUPPORT
- SUSE
- SYBARI
- SYMANTEC
- SYNDICAT
- TELECOM
- TEST
- TRACK
- TREND
- TRUST
- UPDATE
- USERNAME
- VAKSIN
- VIRUS
- W3.
- WWW
- XANDROS
- XEROX
- YAHOO
- YOUR
- ZDNET
- ZEND
- ZOMBIE
The sender address is one of the following:
- Berita__XX@kafegaul.com
- GaulNew_XX@kafegaul.com
- HotNews_XX@playboy.com
- Movie_XX@playboy.com
The message depends entirely on data the worm downloads from the Internet.
Spreading via shared folders
The worm searches for various shared folders.
The executables of the worm are copied there using the name of a file already present in the folder, with an additional ".exe" extension appended.
Alternatively, the following name may be used:
- Data %username%.exe
It also copies itself into the root folders of removable drives.
Other information
The following text is displayed:
- BRONTOK.A[10]
- -- Hentikan kebobrokan di negeri ini --
- 1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA
- ( Send to "NUSAKAMBANGAN")
- 2. Stop Free Sex, Aborsi, & Prostitusi
- ( Go To HELL )
- 3. Stop pencemaran lingkungan, pembakaran hutan & perburuan liar.
- 4. SAY NO TO FRUGS !!!
- -- KIAMAT SUDAH DEKAT --
- Terinspirasi oleh:
- Elang Brontok (Spizaetus Cirrhatus) yang hampir punah
- [ By: HVM31 ]
- -- JowoBot #VM Community --
- !!! Akan Kubuat Mereka (VM lokal yg cengeng & bodoh) Terkapar !!!
The following programs are terminated:
- avgemc.exe
- ccapps.exe
- mcvsescn.exe
- poproxy.exe
- riyani_jangkaru.exe
- syslove.exe
- systray.exe
- tskmgr.exe
- xpshare.exe
The worm restarts the operating system if a window is open whose title contains any of the following strings:
- .EXE
- COMMAND PROMPT
- KILLBOX
- LOG OFF WINDOWS
- REGISTRY
- SCRIPT HOST
- SHUT DOWN
- SYSTEM CONFIGURATION
- TASKKILL
- TASK KILL
The worm performs a DoS attack against two servers.
The worm tries to download a file from the Internet. The file is then executed.