Full description

Virus:	Worm/Brontok.N.1
Date discovered:	25/03/2006
Type:	Worm
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Medium
Damage Potential:	Medium
Static file:	Yes
File size:	43.520 Bytes
MD5 checksum:	077fc28e71343d70bf08958b641be113
VDF version:	6.34.00.97 - Saturday, March 25, 2006
IVDF version:	6.34.00.97 - Saturday, March 25, 2006

General Method of propagation:
   • Email

Aliases:
   • Symantec: W32.Rontokbro.U@mm
   • Kaspersky: Email-Worm.Win32.Brontok.n
   • TrendMicro: WORM_RONTOKBR.AT
   • Sophos: W32/Brontok-AE
   • Bitdefender: Win32.Brontok.AF@mm

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Disable security applications
   • Downloads files
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification

Right after execution the following information is displayed:

Files It copies itself to the following locations:
   • %HOME%\Local Settings\Application Data\dv%several random digits%x\yesbron.com
   • %SYSDIR%\c_%several random digits%k.com
   • %SYSDIR%\n%several random digits%\csrss.exe
   • %SYSDIR%\n%several random digits%\smss.exe
   • %SYSDIR%\n%several random digits%\winlogon.exe
   • %SYSDIR%\n%several random digits%\services.exe
   • %SYSDIR%\n%several random digits%\sv%several random digits%.exe
   • %SYSDIR%\n%several random digits%\b%several random digits%.exe
   • %SYSDIR%\n%several random digits%\ib%several random digits%.exe
   • %WINDIR%\j%several random digits%.exe
   • %WINDIR%\o%several random digits%.exe
   • %WINDIR%\_default%several random digits%.pif
   • %HOME%\Local Settings\Application Data\jalak-%several random digits%-bali.com

It creates the following directories:
   • %SYSDIR%\n%several random digits%
   • %SYSDIR%\n%several random digits%\Spread.Mail.Bro
   • %SYSDIR%\n%several random digits%\Spread.Sent.Bro
   • %HOME%\Local Settings\Application Data\dv%several random digits%x

The following files are created:

– Files that contain collected email addresses:
   • %SYSDIR%\n%several random digits%\Spread.Mail.Bro\%collected email addresses%.ini
   • %SYSDIR%\n%several random digits%\Spread.Sent.Bro\%collected email addresses%.ini

– Temporary files that might be deleted afterwards:
   • %SYSDIR%\n%several random digits%\domlist.txt
   • %SYSDIR%\n%several random digits%\getdomlist.txt

– %system drive root%\Baca Bro !!!.txt This is a non malicious text file with the following content:
   • BRONTOK.C[22]
     Sedikit Jawaban u/ Membungkam Mulut Sesumbar 'MEREKA'.
     Nobron = Satria Dungu = Nothing !!!
     Romdil = Tukang Jiplak = Nothing !!!
     Nobron & Romdil -->> Kicked by The Amazing Brontok
     [ By JowoBot ]

– %SYSDIR%\n%several random digits%\c.bron.tok.txt This is a non malicious text file with the following content:
   • Brontok.C
     By:JowoBot

– %WINDIR%\tasks\at1.job File is a scheduled task that runs the malware at predefined times.
– %WINDIR%\tasks\at2.job File is a scheduled task that runs the malware at predefined times.

It tries to download some files:

– The location is the following:
   • http://www.net4free.org/Arts/bddwyrk/**********
It is saved on the local hard drive under: %SYSDIR%\n%several random digits%\sv%several random digits%r.exeupi22xbm.ini

– The location is the following:
   • http://debuging.com/WS1/cgi/**********
It is saved on the local hard drive under: %SYSDIR%\n%several random digits%\svt%number%sj.tok

Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "A%several random digits%r"="%WINDIR%\j%several random digits%.exe"

The values of the following registry keys are removed:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • Adie Suka Kamu
   • Adie Strio X
   • SysYuni
   • SysDiaz
   • Sys_Romantic-Devil.R
   • SysRia
   • Pluto
   • DllHost
   • iExplorer
   • lExplorer
   • dkernel.exe
   • dkernel
   • Security
   • local service
   • SymRun
   • OSA
   • ccapp
   • CCAPPS
   • LoadServices
   • LoadService
   • MsPatch
   • Bron-Spizaetus-
   • Bron-Spizaetus-4713XPPM

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • Tok-Cirrhatus
   • Tok-Cirrhatus-%several random digits%adrc
   • Tok-Cirrhatus-%several random digits%

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   • NoFolderOptions

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
   run]
   • Tok-Cirrhatus-%several random digits%adrc
   • brl

The following registry keys are added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
   run]
   • "y%several random digits%adr"="%user settings%\Application Data\dv%several random digits%x\yesbron.com"

– [HKCU\Software\Brontok]
   • "Version"="Brontok.C[22]"
   • "Developer"="JowoBot
   • VM Community"
   • "Released"="09-03-06"
   • "Message"=Look @ "C:\Baca Bro !!!.txt"
   • "Dedicated 2"="Spizaetus Cirrhatus"

The following registry keys are changed:

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   Old value:
   • "DisableRegistryTools"=%user defined settings%
   New value:
   • "DisableRegistryTools"=dword:00000001

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "Hidden"=%user defined settings%
   • "HideFileExt"=%user defined settings%
   • "ShowSuperHidden"=%user defined settings%
   New value:
   • "Hidden"=dword:00000000
   • "HideFileExt"=dword:00000001
   • "ShowSuperHidden"=dword:00000000

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
   Old value:
   • "AlternateShell"="cmd.exe"
   New value:
   • "AlternateShell"="c_%several random digits%k.com"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
     "Userinit"="%SYSDIR%\userinit.exe"
   New value:
   • "Shell"=Explorer.exe "%WINDIR%\o%several random digits%.exe"
     "Userinit"="%SYSDIR%\userinit.exe,%WINDIR%\j%several random digits%.exe"

Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

From:
The sender of the email is one of the following:
   • jennifer_sh@%receiver's domain name from email address%
   • angelina_ph@%receiver's domain name from email address%

To:
– Email addresses found in specific files on the system.
– Generated addresses

Subject:
One of the following:
   • My Best Photo
   • Fotoku yg Paling Cantik

Body:
The body of the email is one of the following:

   • I want to share my photo with you.
     Wishing you all the best.
     Regards,

   • Aku lg iseng aja pengen kirim foto ke kamu.
     Jangan lupain aku ya !.
     Thanks,

Attachment:
The contents of the file is not a copy of itself but another malware. A description can be found here: TR/Dldr.Small.coc.1

The filename of the attachment is:
   • Picture.zip

The email looks like the following:

Mailing Search addresses:
It searches the following files for email addresses:
   • PPT; XLS; CFM; PHP; ASP; WAB; EML; CSV; HTML; HTM; DOC; TXT

Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • BILLING@; INFO@; CONTOH; EXAMPLE; SMTP; XXX; TEST; NETWORK; SOURCE;
      PROGRAM; WWW; ASDF; SOME; YOUR; BLAH; SPAM; SOFT; PANDA; NORMAN;
      NORTON; ASSOCIATE; SYMANTEC; SECURITY; CILLIN; GRISOFT; AVG; LINUX;
      CRACK; HACK; VIRUS; MICROSOFT; MASTER; SUPPORT; SECURE; UPDATE;
      DEVELOP; VAKSIN; SATU; EMAILKU; BOLEH; GAUL; ASTAGA; .WEB.ID; .AC.ID;
      .OR.ID; .NET.ID; .SCH.ID; .MIL.ID; .GO.ID; .CO.ID; INDO; TELKOM; PLASA


MX Server:
It has the ability to contact one of the following MX servers:
   • ns1.
   • mail.
   • smtp.

Hosts The host file is modified as explained:

– In this case existing entries are deleted.

– Access to the following domains is effectively blocked:
   • mcafee.com; www.mcafee.com; mcafee.net; www.mcafee.net; mcafee.org;
      www.mcafee.org; mcafeesecurity.com; www.mcafeesecurity.com;
      mcafeesecurity.net; www.mcafeesecurity.net; mcafeesecurity.org;
      www.mcafeesecurity.org; mcafeeb2b.com; www.mcafeeb2b.com;
      mcafeeb2b.net; www.mcafeeb2b.net; mcafeeb2b.org; www.mcafeeb2b.org;
      nai.com; www.nai.com; nai.net; www.nai.net; nai.org; www.nai.org;
      vil.nai.com; www.vil.nai.com; vil.nai.net; www.vil.nai.net;
      vil.nai.org; www.vil.nai.org; grisoft.com; www.grisoft.com;
      grisoft.net; www.grisoft.net; grisoft.org; www.grisoft.org;
      kaspersky-labs.com; www.kaspersky-labs.com; kaspersky-labs.net;
      www.kaspersky-labs.net; kaspersky-labs.org; www.kaspersky-labs.org;
      kaspersky.com; www.kaspersky.com; kaspersky.net; www.kaspersky.net;
      kaspersky.org; www.kaspersky.org; downloads1.kaspersky-labs.com;
      www.downloads1.kaspersky-labs.com; downloads1.kaspersky-labs.net;
      www.downloads1.kaspersky-labs.net; downloads1.kaspersky-labs.org;
      www.downloads1.kaspersky-labs.org; downloads2.kaspersky-labs.com;
      www.downloads2.kaspersky-labs.com; downloads2.kaspersky-labs.net;
      www.downloads2.kaspersky-labs.net; downloads2.kaspersky-labs.org;
      www.downloads2.kaspersky-labs.org; downloads3.kaspersky-labs.com;
      www.downloads3.kaspersky-labs.com; downloads3.kaspersky-labs.net;
      www.downloads3.kaspersky-labs.net; downloads3.kaspersky-labs.org;
      www.downloads3.kaspersky-labs.org; downloads4.kaspersky-labs.com;
      www.downloads4.kaspersky-labs.com; downloads4.kaspersky-labs.net;
      www.downloads4.kaspersky-labs.net; downloads4.kaspersky-labs.org;
      www.downloads4.kaspersky-labs.org; download.mcafee.com;
      www.download.mcafee.com; download.mcafee.net; www.download.mcafee.net;
      download.mcafee.org; www.download.mcafee.org; norton.com;
      www.norton.com; norton.net; www.norton.net; norton.org;
      www.norton.org; symantec.com; www.symantec.com; symantec.net;
      www.symantec.net; symantec.org; www.symantec.org;
      liveupdate.symantecliveupdate.com;
      www.liveupdate.symantecliveupdate.com;
      liveupdate.symantecliveupdate.net;
      www.liveupdate.symantecliveupdate.net;
      liveupdate.symantecliveupdate.org;
      www.liveupdate.symantecliveupdate.org; liveupdate.symantec.com;
      www.liveupdate.symantec.com; liveupdate.symantec.net;
      www.liveupdate.symantec.net; liveupdate.symantec.org;
      www.liveupdate.symantec.org; update.symantec.com;
      www.update.symantec.com; update.symantec.net; www.update.symantec.net;
      update.symantec.org; www.update.symantec.org;
      securityresponse.symantec.com; www.securityresponse.symantec.com;
      securityresponse.symantec.net; www.securityresponse.symantec.net;
      securityresponse.symantec.org; www.securityresponse.symantec.org;
      sarc.com; www.sarc.com; sarc.net; www.sarc.net; sarc.org;
      www.sarc.org; vaksin.com; www.vaksin.com; vaksin.net; www.vaksin.net;
      vaksin.org; www.vaksin.org; forum.vaksin.com; www.forum.vaksin.com;
      forum.vaksin.net; www.forum.vaksin.net; forum.vaksin.org;
      www.forum.vaksin.org; norman.com; www.norman.com; norman.net;
      www.norman.net; norman.org; www.norman.org; trendmicro.com;
      www.trendmicro.com; trendmicro.net; www.trendmicro.net;
      trendmicro.org; www.trendmicro.org; trendmicro-europe.com;
      www.trendmicro-europe.com; trendmicro-europe.net;
      www.trendmicro-europe.net; trendmicro-europe.org;
      www.trendmicro-europe.org; ae.trendmicro-europe.com;
      www.ae.trendmicro-europe.com; ae.trendmicro-europe.net;
      www.ae.trendmicro-europe.net; ae.trendmicro-europe.org;
      www.ae.trendmicro-europe.org; it.trendmicro-europe.com;
      www.it.trendmicro-europe.com; it.trendmicro-europe.net;
      www.it.trendmicro-europe.net; it.trendmicro-europe.org;
      www.it.trendmicro-europe.org; secunia.com; www.secunia.com;
      secunia.net; www.secunia.net; secunia.org; www.secunia.org;
      winantivirus.com; www.winantivirus.com; winantivirus.net;
      www.winantivirus.net; winantivirus.org; www.winantivirus.org;
      pandasoftware.com; www.pandasoftware.com; pandasoftware.net;
      www.pandasoftware.net; pandasoftware.org; www.pandasoftware.org;
      esafe.com; www.esafe.com; esafe.net; www.esafe.net; esafe.org;
      www.esafe.org; f-secure.com; www.f-secure.com; f-secure.net;
      www.f-secure.net; f-secure.org; www.f-secure.org; europe.f-secure.com;
      www.europe.f-secure.com; europe.f-secure.net; www.europe.f-secure.net;
      europe.f-secure.org; www.europe.f-secure.org; bhs.com; www.bhs.com;
      bhs.net; www.bhs.net; bhs.org; www.bhs.org; datafellows.com;
      www.datafellows.com; datafellows.net; www.datafellows.net;
      datafellows.org; www.datafellows.org; cheyenne.com; www.cheyenne.com;
      cheyenne.net; www.cheyenne.net; cheyenne.org; www.cheyenne.org;
      ontrack.com; www.ontrack.com; ontrack.net; www.ontrack.net;
      ontrack.org; www.ontrack.org; sands.com; www.sands.com; sands.net;
      www.sands.net; sands.org; www.sands.org; sophos.com; www.sophos.com;
      sophos.net; www.sophos.net; sophos.org; www.sophos.org; icubed.com;
      www.icubed.com; icubed.net; www.icubed.net; icubed.org;
      www.icubed.org; perantivirus.com; www.perantivirus.com;
      perantivirus.net; www.perantivirus.net; perantivirus.org;
      www.perantivirus.org; castlecops.com; www.castlecops.com;
      castlecops.net; www.castlecops.net; castlecops.org;
      www.castlecops.org; virustotal.com; www.virustotal.com;
      virustotal.net; www.virustotal.net; virustotal.org;
      www.virustotal.org; free-av.com; www.free-av.com; free-av.net;
      www.free-av.net; free-av.org; www.free-av.org; antivirus.com;
      www.antivirus.com; antivirus.net; www.antivirus.net; antivirus.org;
      www.antivirus.org; anti-virus.com; www.anti-virus.com; anti-virus.net;
      www.anti-virus.net; anti-virus.org; www.anti-virus.org; ca.com;
      www.ca.com; ca.net; www.ca.net; ca.org; www.ca.org; fajarweb.com;
      www.fajarweb.com; fajarweb.net; www.fajarweb.net; fajarweb.org;
      www.fajarweb.org; jasakom.com; www.jasakom.com; jasakom.net;
      www.jasakom.net; jasakom.org; www.jasakom.org; backup.grisoft.com;
      www.backup.grisoft.com; backup.grisoft.net; www.backup.grisoft.net;
      backup.grisoft.org; www.backup.grisoft.org; infokomputer.com;
      www.infokomputer.com; infokomputer.net; www.infokomputer.net;
      infokomputer.org; www.infokomputer.org; playboy.com; www.playboy.com;
      playboy.net; www.playboy.net; playboy.org; www.playboy.org;
      sex-mission.com; www.sex-mission.com; sex-mission.net;
      www.sex-mission.net; sex-mission.org; www.sex-mission.org;
      pornstargals.com; www.pornstargals.com; pornstargals.net;
      www.pornstargals.net; pornstargals.org; www.pornstargals.org;
      kaskus.com; www.kaskus.com; kaskus.net; www.kaskus.net; kaskus.org;
      www.kaskus.org; 17tahun.com; www.17tahun.com; 17tahun.net;
      www.17tahun.net; 17tahun.org; www.17tahun.org; padinet.com;
      www.padinet.com; padinet.net; www.padinet.net; padinet.org;
      www.padinet.org; jeruk.padinet.com; www.jeruk.padinet.com;
      jeruk.padinet.net; www.jeruk.padinet.net; jeruk.padinet.org;
      www.jeruk.padinet.org; compactbyte.com; www.compactbyte.com;
      compactbyte.net; www.compactbyte.net; compactbyte.org;
      www.compactbyte.org; blog.compactbyte.com; www.blog.compactbyte.com;
      blog.compactbyte.net; www.blog.compactbyte.net; blog.compactbyte.org;
      www.blog.compactbyte.org; blogs.compactbyte.com;
      www.blogs.compactbyte.com; blogs.compactbyte.net;
      www.blogs.compactbyte.net; blogs.compactbyte.org;
      www.blogs.compactbyte.org

The modified host file will look like this:

Process termination Processes with one of the following strings are terminated:
   • ahnlab; peid; nod32; hijack; sysinter; aladdin; panda; trend; cillin;
      mcaf; avast; bitdef; machine; movzx; kill; washer; remove; wscript;
      diary; untukmu; kangen; sstray; Alicia; Mariana; Dian; foto; zlh;
      Anti; mspatch; siti; virus; services.com; ctfmon; nopdb; opscan;
      vptray; update; lexplorer; iexplorer; nipsvc; njeeves; cclaw; nvcoas;
      aswupdsv; ashmaisv; systray; riyani; xpshare; syslove; tskmgr; ccapps;
      ash; avg; poproxy; mcv

Processes containing one of the following window titles are terminated:
   • peid; task view; telanjang; bugil; cewe; naked; porn; sex; alwil;
      wintask; folder option; b.e; worm; trojan; avira; windows script;
      commander; pc-media; killer; ertanto; anti; CLEANER; REMOVER; PROCESS
      EXP; SYSINTERNAL; killbox; scheduled task; computer management;
      cmd.exe; group policy; system configuration; command prompt; registry;
      baca bro !!!; task manager; google.com; up22ngk

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Adriana Popa on Tuesday, July 25, 2006
Description updated by Andrei Gherman on Wednesday, July 26, 2006

Back . . . .

Featured PC protection

Free products

Most popular

All products

Bundled Solutions

Workstation

Server

Bundled Solutions

Mail Gateways

Web Gateways

Collaboration Platforms

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools