Name: Worm/Brontok.J
Discovered on: 30/03/2006
Type: Worm
ITW: Yes
Number of reported infections: Low
Spreading potential: Medium
Damage potential: Medium
Static file: No
Size: 45,120 Bytes
VDF version: 6.34.00.117

General
Method of propagation:
   • Email


Aliases:
   •  Symantec: W32.Rontokbro.X@mm
   •  Mcafee: W32/Rontokbro
   •  Kaspersky: Email-Worm.Win32.Brontok.n
   •  TrendMicro: WORM_RONTOKBR.AO
   •  Bitdefender: Win32.Brontok.W@mm


Operating systems:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Terminates security applications
   • Creates files
   • Uses its own email engine
   • Registry modifications


Immediately after execution, the following is displayed on screen:



Files
It copies itself to the following locations:
   • %WINDIR%\j%system dependent%.exe
   • %SYSDIR%\c%system dependent%k.com
   • %SYSDIR%\s%system dependent%\zh%system dependent%y.exe
   • %WINDIR%\o%system dependent%.exe
   • %WINDIR%\_default%system dependent%.pif
   • %HOME%\Local Settings\Application Data\dv%system dependent%0x\yesbron.com
   • %WINDIR%\Us%system dependent%\qm%system dependent%.exe
   • %SYSDIR%\s%system dependent%\m%system dependent%.exe
   • %SYSDIR%\s%system dependent%\zh%system dependent%y.exemsatr.bin
   • %SYSDIR%\s%system dependent%\csrss.exe
   • %SYSDIR%\s%system dependent%\services.exe
   • %SYSDIR%\s%system dependent%\lsass.exe
   • %SYSDIR%\s%system dependent%\smss.exe
   • %SYSDIR%\s%system dependent%\winlogon.exe
   • %SYSDIR%\s%system dependent%\o%system dependent%.exe
   • %HOME%\Local Settings\Application Data\jalak-%system dependent%-bali.com



It renames the following file:

    •  %SYSDIR%\msvbm60.dll to %SYSDIR%\msvbm60.dll.%some random digits%



The following files are created:

– Temporary files that can be deleted afterwards:
   • %SYSDIR%\s%system dependent%\domlist.txt
   • %SYSDIR%\s%system dependent%\getdomlist.txt
   • %SYSDIR%\s%system dependent%\brdom.bat

– %SYSDIR%\s%system dependent%\Spread.Mail.Bro\%recipient address%.ini This is a harmless text file with the following content:
   • Brontok.C
     By:JowoBot

– c:\Baca Bro !!!.txt This is a harmless text file with the following content:
   • BRONTOK.C[22]
     
     
     
     Sedikit Jawaban u/ Membungkam Mulut Sesumbar 'MEREKA'.
     
     Nobron = Satria Dungu = Nothing !!!
     Romdil = Tukang Jiplak = Nothing !!!
     
     Nobron & Romdil -->> Kicked by The Amazing Brontok
     
     
     
     
      [ By JowoBot ]

– %SYSDIR%\s%system dependent%\c.bron.tok.txt This is a harmless text file with the following content:
   • Brontok.C
     By:JowoBot

– %WINDIR%\Tasks\At1.job The file is a scheduled task that runs the malware at predefined times.
– %WINDIR%\Tasks\At2.job The file is a scheduled task that runs the malware at predefined times.



It tries to download some files:

– The address is the following:
   • http://www.net4free.org/Arts/bddwyrk/**********
The file is stored on the hard disk at: %SYSDIR%\s%system dependent%\zh%system dependent%y.exeupi22xbm.ini

– The address is the following:
   • http://debuging.com/WS1/cgi/x.cgi?NAVG=Tracker&username=dudxwd
The file is stored on the hard disk at: %SYSDIR%\s%system dependent%\svt22sj.tok

System registry
The following keys are added to the registry in order to run the process at system restart:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "f%system dependent%Use"=""%SYSDIR%\s%system dependent%\zh%system dependent%y.exe""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
   • "f%system dependent%Use"=""%HOME%\Local Settings\Application Data\dv%system dependent%0x\yesbron.com""

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "A%system dependent%r"=""%WINDIR%\j%system dependent%.exe""

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
   • "A%system dependent%r"=""%WINDIR%\_default%system dependent%.pif""



The values of the following keys are deleted from the system registry:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • Adie Suka Kamu
   • Adie Strio X
   • SysYuni
   • SysDiaz
   • Sys_Romantic-Devil.R
   • SysRia
   • Pluto
   • DllHost
   • iExplorer
   • lExplorer
   • dkernel.exe
   • dkernel
   • Security
   • local service
   • SymRun
   • ccapp
   • CCAPPS
   • LoadServices
   • LoadService
   • MsPatch
   • Tok-Cirrhatus-%system dependent%Usec
   • Tok-Cirrhatus
   • Tok-Cirrhatus-%system dependent%

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • Adie Suka Kamu
   • Adie Strio X
   • SysYuni
   • SysDiaz
   • Sys_Romantic-Devil.R
   • SysRia
   • Pluto
   • DllHost
   • iExplorer
   • lExplorer
   • dkernel.exe
   • dkernel
   • Security
   • local service
   • SymRun
   • ccapp
   • CCAPPS
   • LoadServices
   • LoadService
   • MsPatch
   • Bron-Spizaetus-%system dependent%XPPM
   • Bron-Spizaetus

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   • NoFolderOptions

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
   • Tok-Cirrhatus-%system dependent%Usec
   • brl

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
   • Bron-Spizaetus-%system dependent%XPPM



The following is added to the system registry:

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
   • "AlternateShell"="c_%system dependent%k.com"



The following registry keys are modified:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "Hidden"=%user settings%
   • "HideFileExt"=%user settings%
   • "ShowSuperHidden"=%user settings%
   New value:
   • "Hidden"=dword:00000000
   • "HideFileExt"=dword:00000001
   • "ShowSuperHidden"=dword:00000000

Disabling Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   Old value:
   • "DisableRegistryTools"=%user settings%
   New value:
   • "DisableRegistryTools"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"=%user settings%
   • "Userinit"=%user settings%
   New value:
   • "Shell"="Explorer.exe "%WINDIR%\o%system dependent%.exe""
   • "Userinit"="%SYSDIR%\userinit.exe,%WINDIR%\j%system dependent%.exe"

Email
It has an integrated SMTP engine. A direct connection to the recipient's mail server is made. Its characteristics are:
The language in which the email is sent depends on the Top-Level-Domain.


To:
– Email addresses found on the system.


Email format:
 


Subiect: My Best Photo
Corp mesaj:
   • Hi,
     I want to share my photo with you.
     Wishing you all the best.
     
     Regards,
Subiect: Fotoku yg Paling Cantik
Corp mesaj:
   • Hi,
     Aku lg iseng aja pengen kirim foto ke kamu.
     Jangan lupain aku ya !.
     
     Thanks,


Attachment:
The file does not contain a copy of the worm itself but a different piece of malware.

The name of the attached file is:
   • Photo.zip

Email
Address search:
It searches for email addresses in files with the following extensions:
   • csv
   • asp
   • html
   • eml
   • htm
   • doc
   • cfm
   • wab
   • txt


Avoided addresses:
It does not send emails to addresses containing one of the following strings:
   • pcmag; pcplus; pcmedia; chip; yahoo; abuse; borland; -_; _-; __; --;
      acer; compaq; torvald; trovald; detik; .ppt; .cfm; .eml; .txt; .jpg;
      .gif; .xls; .doc; .pdf; anony; coding; guru; code; script; @mm; w32;
      _@; @_; -@; @-; ._; _.; .-; -.; NONE; CASTLE; WINRAR; WINZIP; HELP;
      IRFANVIEW; MSDN; .CA.COM; PROMO; SALES; CLICK; IPTEK; USERNAME;
      SIERRA; STUDIO; TELECOM; LUCENT; NASA; ELECTRO; ELEKTRO; SYNDICAT;
      LOOKSMART; @123; @ABC; XANDROS; BUNTU; SUSE; REDHA; SLACK; @MAC; FUJI;
      INFORMA; TRACK; KDE; IEEE; LAB; MATH; BUG; FREE; REGIST; SPYW; SECUN;
      COMPUTE; COMPUSE; BROWSE; ALWIL; ROBOT; ANTIGEN; SYBARI; NOD32; HAURI;
      ESCAN; PROLAND; AHNLAB; DATABASE; BUILDER; ALADDIN; PROTECT; ESAFE;
      ESAVE; TRUST; AVAST; AVIRA; ADMIN; ZOMBIE; SPERSKY; GOOGLE; SUN.;
      POSTGRE; MYSQL; APACHE; NVIDIA; W3.; NOKIA; FUJITSU; SIEMENS; TREND;
      MICRO; LOTUS; CISCO; SEKUR; RELAY; GATEWAY; GROUP; OVERTURE; RESPONSE;
      NEWS; NOVELL; ALERT; OPERA; MOZILLA; NETSCAPE; ARCHIEVE; SERVICE;
      CANON; XEROX; HP.; DOWNLOAD; CNET; ZDNET; ZEND; PROXY; SERVER;
      RECIPIENT; FUCK; ADOBE; MACRO; INTEL.; IBM.; FEEDBACK; BLEEP; BLACK;
      DARK; SENIOR; KOMPUTER; FOO@; DEMO; HIDDEN; DOMAIN; BILLING@; INFO@;
      CONTOH; EXAMPLE; SMTP; XXX; ..; TEST; NETWORK; SOURCE; PROGRAM; WWW;
      .@; @.; ASDF; SOME; YOUR; BLAH; SPAM; SOFT; PANDA; NORMAN; NORTON;
      ASSOCIATE; SYMANTEC; SECURITY; CILLIN; GRISOFT; AVG; LINUX; CRACK;
      HACK; VIRUS; MICROSOFT; MASTER; SUPPORT; SECURE; UPDATE; DEVELOP;
      VAKSIN


Prefixes for email address domains:
To find the IP of the mail server, it may prepend the following strings to the domain:
   • ns1.
   • mail.
   • smtp.

Hosts file
The hosts file is modified:

– In this case, the existing entries are deleted.

– Access to the following domains is blocked:




The modified hosts file will look like this:
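As an added defender-side example (not part of Avira's description or tooling), the following Python audits a .reg export and a hosts file, both constructed inline with placeholder file names, for the persistence and hosts-file changes listed on this page: a Winlogon Shell/Userinit chaining an extra executable, a SafeBoot AlternateShell that is no longer cmd.exe, the DisableRegistryTools policy, and hosts entries naming security vendors.

```python
# Constructed .reg export mirroring the keys described above; file names are placeholders.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\oXXXX.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\jXXXX.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="c_XXXXk.com"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""
# Constructed hosts file: original entries wiped, vendor domains redirected to loopback.
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 www.kaspersky.com\n127.0.0.1 liveupdate.symantec.com\n"

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
# Substrings of the security-vendor domains the description says are blocked.
VENDOR_HINTS = ("kaspersky", "symantec", "mcafee", "norton", "grisoft", "trendmicro", "sophos", "vaksin")

def parse_reg(text):
    """Minimal .reg parser: {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"')
    return keys

def audit_registry(text):
    """Return one finding per modification matching those described above."""
    keys, findings = parse_reg(text), []
    wl = keys.get(WINLOGON, {})
    if wl.get("Shell", "explorer.exe").lower() != "explorer.exe":
        findings.append("Winlogon Shell carries an extra command: " + wl["Shell"])
    # A clean Userinit is "...\userinit.exe," so ignore the trailing empty part.
    if len([p for p in wl.get("Userinit", "").split(",") if p.strip()]) > 1:
        findings.append("Winlogon Userinit chains an extra executable: " + wl["Userinit"])
    alt = keys.get(SAFEBOOT, {}).get("AlternateShell", "cmd.exe").lower()
    if alt != "cmd.exe":
        findings.append("SafeBoot AlternateShell replaced with: " + alt)
    if keys.get(POLICIES, {}).get("DisableRegistryTools") == "dword:00000001":
        findings.append("Registry editor disabled via DisableRegistryTools policy")
    return findings

def audit_hosts(text):
    """Return (ip, hostname) pairs for hosts entries naming a security vendor."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenise
        for name in fields[1:]:
            if any(h in name.lower() for h in VENDOR_HINTS):
                hits.append((fields[0], name))
    return hits
```

On a live system the same checks apply to a `reg export` of those three keys and to %SYSDIR%\drivers\etc\hosts.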


Process termination
List of terminated processes:
   • XPSHARE; ANTIVIRUS; MSPATCH; PARIS; PACAR; CEWE; AZHARI; FOTO; ALICIA;
      RENATA; MARIANA; SASTRO; DIAN; BROWNIES; KWASHER; VIRUS.; NURHALIZA;
      SITI.

Processes whose window title is one of the following are terminated:
   • peid; task view; telanjang; bugil; naked; alwil; wintask; folder
      option; trojan; avira; windows script; commander; pc-media; killer;
      ertanto; CLEANER; REMOVER; PROCESS EXP; SYSINTERNAL; killbox;
      scheduled task; computer management; cmd.exe; group policy; system
      configuration; command prompt; registry; baca bro !!!; task manager


File details
File compression:
To hinder detection and reduce the file size, a runtime packer is used.

Description inserted by Andrei Ivanes on Wednesday, April 5, 2006
Description updated by Andrei Ivanes on Monday, May 8, 2006
