Win32/Pazetus
Win32/Pazetus.A
Category: worm
Short description
Win32/Pazetus.A is a worm that spreads via e-mail. The file is run-time compressed using MEW.
Installation
When executed, the worm copies itself to the following locations:
- %windir%\komodo-6<%variable%>2.exe
- %windir%\cinderawasih-4<%variable%>7.exe
- %windir%\_default<%variable%>.pif
- %system%\c_<%variable%>k.com
- %system%\<%variable%>\smss.exe
- %system%\<%variable%>\zh59<%variable%>84y.exe
- %system%\<%variable%>\winlogon.exe
- %system%\<%variable%>\services.exe
- %system%\<%variable%>\csrss.exe
- %system%\<%variable%>\lsass.exe
- %windir%\<%variable%>\smss.exe
- %userprofile%\Local Settings\Application Data\jalak-93<%variable%>15-bali.com
- %userprofile%\Local Settings\Application Data\dv6<%variable%>0x\yesbron.com
The following files are dropped:
- %windir%\Tasks\At1.job
- %windir%\Tasks\At2.job
- Baca Bro !!!.txt
- c.bron.tok.txt
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Bron-Spizaetus-2643REPM]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus-2643REPM]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell]
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-3444Admc]
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Tok-Cirrhatus-3444Admc]
The entries contain the path to the worm's executables.
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
  "NextAtJobId" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  "HideFileExt" = 1
  "Hidden" = 0
  "ShowSuperHidden" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  "DisableRegistryTools" = 1
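The persistence and configuration changes listed above (Winlogon Shell/Userinit, the Run and Policies\Explorer\Run values, SafeBoot AlternateShell, DisableRegistryTools and the Explorer view settings) can be checked offline against a registry export taken from a suspect machine. The following checker is an added example, not code from the original description or from ESET: it parses the subset of Registry Editor export syntax shown in its constructed sample, compares the Winlogon and SafeBoot values against the clean Windows defaults (Explorer.exe, userinit.exe, cmd.exe), and matches the autostart value names only by the Bron-Spizaetus / Tok-Cirrhatus prefix, on the assumption that the numeric suffix varies between samples. The sample export, the variable parts of the file names and the severity labels are all constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a "Windows Registry Editor Version 5.00" export.
# It is not taken from an infected machine: the worm-file paths follow the
# naming patterns in the description with a made-up variable part.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\komodo-6ab2.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\_defaultab.pif"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus-2643REPM"="C:\\WINDOWS\\system32\\ab\\smss.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell"="C:\\WINDOWS\\system32\\c_abk.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000000
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

RegTree = Dict[str, Dict[str, object]]
Finding = Tuple[str, str]  # (severity, message)

# Key paths are lower-cased because the Windows registry is case-insensitive.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
SAFEBOOT = r"hkey_local_machine\system\controlset001\control\safeboot"
ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
POLICIES_SYSTEM = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
AUTOSTART_KEYS = [
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\run",
]
# Value-name prefixes from the description; the suffix is assumed to vary.
AUTOSTART_NAME_PREFIXES = ("bron-spizaetus", "tok-cirrhatus")


def parse_reg_export(text: str) -> RegTree:
    """Parse [key] headers, "name"="string" and "name"=dword:hex lines."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name_part, data = line.split("=", 1)
        name = "@" if name_part == "@" else name_part.strip('"').lower()
        if data.startswith("dword:"):
            tree[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg files escape backslash and double quote with a backslash
            tree[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
        else:
            tree[current][name] = data  # hex(...) and other types kept raw
    return tree


def check_pazetus_indicators(tree: RegTree) -> List[Finding]:
    findings: List[Finding] = []
    winlogon = tree.get(WINLOGON, {})
    shell = winlogon.get("shell")
    # Clean default is "Explorer.exe"; the worm appends its own path.
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(("high", f"Winlogon\\Shell modified: {shell}"))
    userinit = winlogon.get("userinit")
    if isinstance(userinit, str):
        extra = [p.strip() for p in userinit.split(",")
                 if p.strip() and not p.strip().lower().endswith("userinit.exe")]
        if extra:
            findings.append(("high", f"Winlogon\\Userinit has extra programs: {extra}"))
    for key in AUTOSTART_KEYS:
        for name, data in tree.get(key, {}).items():
            if name.startswith(AUTOSTART_NAME_PREFIXES):
                findings.append(("high", f"autostart value {name} in {key}: {data}"))
    alt = tree.get(SAFEBOOT, {}).get("alternateshell")
    # Clean default is "cmd.exe"; the worm points it at one of its copies.
    if isinstance(alt, str) and alt.strip().lower() != "cmd.exe":
        findings.append(("high", f"SafeBoot\\AlternateShell modified: {alt}"))
    if tree.get(POLICIES_SYSTEM, {}).get("disableregistrytools") == 1:
        findings.append(("medium", "Registry Editor disabled (DisableRegistryTools=1)"))
    adv = tree.get(ADVANCED, {})
    # HideFileExt=1 alone is the Windows default; only the full triple matches
    # the worm's settings, and even that is reported as a weak signal.
    if (adv.get("hidefileext"), adv.get("hidden"), adv.get("showsuperhidden")) == (1, 0, 0):
        findings.append(("low", "Explorer view settings match the worm's configuration"))
    return findings


def scan_reg_export(text: str) -> List[Finding]:
    return check_pazetus_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for severity, message in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"[{severity}] {message}")
```

Export the keys above with reg.exe on the suspect host and feed the file to scan_reg_export; the Winlogon, Userinit and AlternateShell checks are deliberately default-based rather than name-based, so they also catch a sample whose file names differ from the ones listed here.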
Spreading via e-mail
E-mail addresses for further spreading are searched for in local files with one of the following extensions:
- .asp
- .cfm
- .csv
- .doc
- .eml
- .html
- .php
- .txt
- .wab
Addresses containing the following strings are avoided:
- .CA.COM
- @123
- @ABC
- @MAC
- abuse
- acer
- ADMIN
- ADOBE
- AHNLAB
- ALADDIN
- ALERT
- ALWIL
- anony
- ANTIGEN
- APACHE
- ARCHIEVE
- ASDF
- ASSOCIATE
- AVAST
- AVIRA
- BILLING@
- BLACK
- BLAH
- BLEEP
- borland
- BROWSE
- BUILDER
- BUNTU
- CANON
- CASTLE
- CILLIN
- CISCO
- CLICK
- CNET
- code
- coding
- compaq
- COMPUSE
- COMPUTE
- CONTOH
- CRACK
- DARK
- DATABASE
- DEMO
- detik
- DEVELOP
- DOMAIN
- DOWNLOAD
- ELECTRO
- ELEKTRO
- ESAFE
- ESAVE
- ESCAN
- EXAMPLE
- FEEDBACK
- FOO@
- FREE
- FUCK
- FUJI
- FUJITSU
- GATEWAY
- GRISOFT
- GROUP
- guru
- HACK
- HAURI
- HELP
- HIDDEN
- IBM.
- IEEE
- INFO@
- INFORMA
- INTEL.
- IPTEK
- IRFANVIEW
- KOMPUTER
- LINUX
- LOOKSMART
- LOTUS
- LUCENT
- MACRO
- MASTER
- MATH
- MICRO
- MICROSOFT
- MOZILLA
- MSDN
- MYSQL
- NASA
- NETSCAPE
- NETWORK
- NEWS
- NOD32
- NOKIA
- NONE
- NORMAN
- NORTON
- NOVELL
- NVIDIA
- OPERA
- OVERTURE
- PANDA
- POSTGRE
- PROGRAM
- PROLAND
- PROMO
- PROTECT
- PROXY
- RECIPIENT
- REDHA
- REGIST
- RELAY
- RESPONSE
- ROBOT
- SALES
- script
- SECUN
- SECURE
- SECURITY
- SEKUR
- SENIOR
- SERVER
- SERVICE
- SIEMENS
- SIERRA
- SLACK
- SMTP
- SOFT
- SOME
- SOURCE
- SPAM
- SPERSKY
- SPYW
- STUDIO
- SUN.
- SUPPORT
- SUSE
- SYBARI
- SYMANTEC
- SYNDICAT
- TELECOM
- TEST
- torvald
- TRACK
- TREND
- trovald
- TRUST
- UPDATE
- USERNAME
- VAKSIN
- VIRUS
- WINRAR
- WINZIP
- XANDROS
- XEROX
- yahoo
- YOUR
- ZDNET
- ZEND
- ZOMBIE
The subject of the message is one of the following:
- Foto Liburanku di Bali
- My Photo on Paris
The body of the message is one of the following:
The attachment is a ZIP archive containing an executable.
Its filename is the following:
- Picture.zip
The size of the executable is approximately 5 kB.
It downloads the other part of the infiltration.
The archive contains an additional BAT file.
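The message indicators given in this section (the two subjects, the Picture.zip attachment, an executable plus a BAT file inside the archive) are enough for a mail-gateway or triage check. The following is an added example, not code from the original description or from ESET: it builds a constructed test message with Python's email module, then parses it back the way a gateway would, opens any ZIP attachment in memory and reports executable members. The executable member name Picture.exe, the BAT file name, the addresses and the extension list are assumptions; the description only says the archive holds an executable and a BAT file.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Dict, List, Optional, Tuple

# Subjects and attachment name from the description (compared case-insensitively).
PAZETUS_SUBJECTS = {"foto liburanku di bali", "my photo on paris"}
PAZETUS_ATTACHMENT = "picture.zip"
# Extensions treated as executable content inside an archive (assumed list).
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".pif", ".scr", ".bat", ".cmd")


def build_sample_message(subject: str, zip_members: Optional[Dict[str, bytes]]) -> bytes:
    """Construct a test message (not a real capture). When zip_members is
    given, they are packed into a ZIP archive attached as Picture.zip."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("see attachment")
    if zip_members is not None:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in zip_members.items():
                zf.writestr(name, data)
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="Picture.zip")
    return msg.as_bytes()


def analyse_message(raw: bytes) -> Dict[str, object]:
    """Parse a raw RFC 5322 message and look for the indicators above."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    archives: List[Tuple[str, List[str]]] = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_content()
        # Only ZIP archives are inspected; the local-header magic is "PK".
        if not isinstance(payload, bytes) or not payload.startswith(b"PK"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = []
        executables = [m for m in members if m.lower().endswith(EXECUTABLE_EXTENSIONS)]
        if executables:
            archives.append((filename, executables))
    subject_match = subject in PAZETUS_SUBJECTS
    name_match = any(fn.lower() == PAZETUS_ATTACHMENT for fn, _ in archives)
    if archives and (subject_match or name_match):
        verdict = "pazetus-indicators"
    elif archives:
        verdict = "executable-in-archive"
    else:
        verdict = "clean"
    return {"verdict": verdict, "subject_match": subject_match, "archives": archives}


# Constructed samples: a message matching the description and a benign one.
MALICIOUS_SAMPLE = build_sample_message(
    "Foto Liburanku di Bali",
    {"Picture.exe": b"MZ" + b"\x00" * 62, "run.bat": b"@echo off\r\n"},
)
BENIGN_SAMPLE = build_sample_message("Quarterly report", None)

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyse_message(sample))
```

The verdict separates a generic "executable inside a ZIP" hit from one that also carries this worm's subject or attachment name; the member sizes from ZipFile.infolist() could be compared with the roughly 5 kB the description gives for the executable if a tighter match is wanted.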
Other information
Windows whose title contains one of the following strings are minimized:
- .exe
- anti
- brontokwasher.exe
- brownies.exe
- CLEANER
- cmd.exe
- command prompt
- computer management
- ertanto
- group policy
- hijack
- hijackthis.exe
- killbox
- killbox.exe
- mmc.exe
- movzx
- msconfig.exe
- PROCESS EXP
- procexp.exe
- regedit.exe
- registry
- REMOVER
- scheduled task
- SYSINTERNAL
- system configuration
- washer
The following text is displayed:
- ######################### BRONTOK.C[19] #########################
- -- Hentikanlah kebobrokan di negeri ini --
- 1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA
- ( Send To NUSAKAMBANGAN )
- 2. Stop Free Sex, Aborsi, & Prostitusi
- ( Go To HELL )
- 3. Stop Pencemaran Alam, Pembakaran Hutan & Perburuan Liar.
- 4. SAY NO TO DRUGS !!!
- -- Spizaetus Cirrhatus --
- [ By JowoBot ]
- +++++0000++++00000++++0000+++0+++++0++0000000+++0000+++0+++0+++++
- +++++0++++0++0++++0++0++++0++00++++0+++++0+++++0++++0++0++0++++++
- +++++0++++0++0++++0++0++++0++0+0+++0+++++0+++++0++++0++0+0+++++++
- +++++00000+++00000+++0++++0++0++0++0+++++0+++++0++++0++00++++++++
- +++++0++++0++0++0++++0++++0++0+++0+0+++++0+++++0++++0++0+0+++++++
- +++++0++++0++0+++0+++0++++0++0++++00+++++0+++++0++++0++0++0++++++
- +++++0000++++0++++0+++0000+++0+++++0+++++0++++++0000+++0+++0+++++
- ~~ Sedikit Jawaban u/ Membungkam Mulut Sesumbar ~~
- Nobron = Otak Kosong, Mulut Besar, Cuma Bisa Baca Puisi
- Nobron = Satria Dungu = Nothing !!!
- [ By JowoBot ]