Full description

Virus:	Worm/VB.ay.2
Date discovered:	05/10/2005
Type:	Worm
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Medium
Damage Potential:	Medium
Static file:	Yes
File size:	81.920 Bytes
MD5 checksum:	902792c0116adf49f55f111e82c81db0
VDF version:	6.32.00.60

General Method of propagation:
   • Email
   • Local network

Aliases:
   • Symantec: W32.Rontokbro.B@mm
   • Mcafee: W32/Rontokbro.b@MM
   • Kaspersky: Email-Worm.Win32.Brontok.a
   • TrendMicro: WORM_RONTOKBRO.B
   • Sophos: W32/Brontok-B
   • Grisoft: I-Worm/VB.DV
   • VirusBuster: I-Worm.Brontok.AO
   • Eset: Win32/Brontok.B
   • Bitdefender: Win32.Brontok.A@mm

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a malicious file
   • Uses its own Email engine
   • Registry modification

Files It copies itself to the following locations:
   • %HOME%\Local Settings\Application Data\csrss.exe
   • %HOME%\Local Settings\Application Data\inetinfo.exe
   • %HOME%\Local Settings\Application Data\lsass.exe
   • %HOME%\Local Settings\Application Data\services.exe
   • %HOME%\Local Settings\Application Data\smss.exe
   • %WINDIR%\INF\norBtok.exe
   • %ALLUSERSPROFILE%\Templates\A.kotnorB.com

It overwrites a file.
– %system drive root%\autoexec.bat

With the following contents:
   • pause

The following file is created:

– %WINDIR%\Tasks\At1 Furthermore it gets executed after it was fully created. File is a scheduled task that runs the malware at predefined times.

It tries to download a file:

– The location is the following:
   • http://www.geocities.com/jowobot456/**********
At the time of writing this file was not online for further investigation. Used to hide a process.

Registry The following registry keys are added in order to run the processes after reboot:

– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "Tok-Cirrhatus"="%HOME%\Local Settings\Application Data\smss.exe"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Bron-Spizaetus"="%WINDIR%\INF\norBtok.exe"

The following registry keys are changed:

Disable Regedit and Task Manager:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
   Old value:
   • "DisableCMD"=%user defined settings%
   • "DisableRegistryTools"=%user defined settings%
   New value:
   • "DisableCMD"=dword:00000000
   • "DisableRegistryTools"=dword:00000001

Various Explorer settings:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
   Old value:
   • "NoFolderOptions"=%user defined settings%
   New value:
   • "NoFolderOptions"=dword:00000001

Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

From:
The sender address is spoofed.

To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)

Subject:
The subject line is empty.

Body:
The body of the email is the following:

   • BRONTOK.A [ By: HVM64 -- JowoBot &VM Community ]
     -- Hentikan kebobrokan di negeri ini --
     1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
     ( Send to "NUSAKAMBANGAN")
     2. Stop Free Sex, Absorsi, & Prostitusi
     3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
     4. SAY NO TO DRUGS !!!
     -- KIAMAT SUDAH DEKAT --
     Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah[ By: HVM64]
     -- JowoBot &VM Community --

Attachment:
The filename of the attachment is:
   • Kangen.exe

The attachment is a copy of the malware itself.

Mailing Search addresses:
It searches the following files for email addresses:
   • .HTM
   • .HTML
   • .TXT
   • .EML
   • .WAB
   • .ASP
   • .PHP
   • .CFM
   • .CSV
   • .DOC

Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • PLASA; TELKOM; INDO; .CO; .ID; .GO; .ID; .MIL; .ID; .SCH.ID; .NET.ID;
      .OR.ID; .AC.ID; .WEB.ID; .WAR.NET.ID; ASTAGA; GAUL; BOLEH; EMAILKU;
      SATU

Prepend MX strings:
In order to get the IP address of the mail server it has the ability to prepend the following strings to the domain name:
   • smtp.
   • mail.
   • ns1.

P2P In order to infect other systems in the Peer to Peer network community the following action is performed:

– It searches for all shared directories.

   If successful, the following file is created:
   • %all shared folders%.exe

   These files are copies of the malware itself.

DoS Right after it becomes active, it starts DoS attacks against the following destinations:
• israel.gov.il
• playboy.com

File details Programming language:
The malware program was written in Visual Basic.

Description inserted by Irina Boldea on Thursday, May 25, 2006
Description updated by Irina Boldea on Thursday, May 25, 2006

Back . . . .

Featured PC protection

Free products

Most popular

All products

Bundled Solutions

Workstation

Server

Bundled Solutions

Mail Gateways

Web Gateways

Collaboration Platforms

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools