Virus: Worm/Brontok.W.A
Date discovered: 21/08/2006
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Low to medium
Static file: Yes
File size: 98.304 Bytes
MD5 checksum: 892f49387317b9cf8a70dad3595db4e3
VDF version: 6.36.00.51
IVDF version: 6.36.00.62 - Tuesday, September 26, 2006

General Method of propagation:
   • Local network


Aliases:
   •  Symantec: Hacktool.Spammer
   •  Kaspersky: Email-Worm.Win32.Brontok.w
   •  F-Secure: Email-Worm.Win32.Brontok.w
   •  Sophos: W32/Brontok-BO
   •  Grisoft: SpamTool.GW
   •  Bitdefender: Win32.Brontok.AM@mm

It was previously detected as:
   •  SPR/Spam.VB.aqn


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following locations:
   • %WINDIR%\Kr0n1C.exe
   • C:\Kr0n1C.exe
   • %SYSDIR%\shell.exe
   • %SYSDIR%\MrHelloween.scr
   • %SYSDIR%\IExplorer.exe
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Empty.pif
   • %HOME%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
   • %HOME%\Local Settings\Application Data\WINDOWS\CSRSS.EXE
   • %HOME%\Local Settings\Application Data\WINDOWS\SERVICES.EXE
   • %HOME%\Local Settings\Application Data\WINDOWS\LSASS.EXE
   • %HOME%\Local Settings\Application Data\WINDOWS\SMSS.EXE
   • C:\Kr0n1C\New Folder.exe
   • C:\Data %current username%.exe
   • C:\Data LocalService.exe
   • %current directory%\%current directory name%.exe



It creates the following directory:
   • C:\Kr0n1C



The following files are created:

– C:\Puisi.txt, a non-malicious text file with the following content:
   • Kr0n1C
     
     Tertatihku Meratap Perih
     Insan Hidup Terasa Mati
     Dan Bahagiapun Sirna Seiring Waktu
     Hanya Sepi Yang Mengisi Sendi - Sendi Kehidupanku
     
     Ini Semua Karena Dirimu
     Yang Selalu Mengiris Hatiku
     
     Hari Ini Aku Tetap Menanti
     Hadirmu Walau Hanya Mimpi
     
     Dan Kini Telah Kusadari
     Dirimu Hanya Ingin Menyakitiku
     Hadirmu Hanya Akan Binasakanku
     Saat Ini Dan Sampai Alam Yang Abadi
     
     
      Cyber.nu

– %WINDIR%\msvbvm60.dll
– %SYSDIR%\msvbvm60.dll
– C:\Kr0n1C\Folder.htt
– C:\desktop.ini

Registry
The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Kr0n1C"="%WINDIR%\Kr0n1C.exe"
   • "Service%current username%"="%HOME%\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
   • "MSMSGS"="%HOME%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Logon%current username%"="%HOME%\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
   • "System Monitoring"="%HOME%\Local Settings\Application Data\WINDOWS\LSASS.EXE"
   • "LogonLocalService"="%HOME%\Local Settings\Application Data\WINDOWS\CSRSS.EXE"



The following registry keys are changed:

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
   Old value:
   • "AlternateShell"="cmd.exe"
   New value:
   • "AlternateShell"="%WINDIR%\Kr0n1C.exe"

– [HKCR\comfile\shell\open\command]
   Old value:
   • @="%1" %*
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

– [HKCR\batfile\shell\open\command]
   Old value:
   • @="%1" %*
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

– [HKCR\piffile\shell\open\command]
   Old value:
   • @="%1" %*
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

– [HKCR\lnkfile\shell\open\command]
   Old value:
   • @="%1" %*
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

– [HKCR\exefile\shell\open\command]
   Old value:
   • @="%1" %*
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

– [HKCR\exefile]
   Old value:
   • @="Application"
   New value:
   • @="File Folder"

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "Hidden"=%user defined settings%
   • "HideFileExt"=%user defined settings%
   • "ShowSuperHidden"=%user defined settings%
   New value:
   • "Hidden"=dword:00000000
   • "HideFileExt"=dword:00000001
   • "ShowSuperHidden"=dword:00000000

– [HKCU\Control Panel\Desktop]
   Old value:
   • "SCRNSAVE.EXE"=%user defined settings%
   • "ScreenSaverIsSecure"=%user defined settings%
   New value:
   • "SCRNSAVE.EXE"="%SYSDIR%\MRHELL~1.SCR"
   • "ScreenSaverIsSecure"="0"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   • "Userinit"="%SYSDIR%\userinit.exe"
   New value:
   • "Shell"="Explorer.exe "%SYSDIR%\IExplorer.exe""
   • "Userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\IExplorer.exe"

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   Old value:
   • "NoFolderOptions"=%user defined settings%
   New value:
   • "NoFolderOptions"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
   Old value:
   • "Auto"="1"
   • "Debugger"="drwtsn32 -p %ld -e %ld -g"
   New value:
   • "Auto"="1"
   • "Debugger"="%SYSDIR%\Shell.exe"

Disable CMD, Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   Old value:
   • "DisableCMD"=%user defined settings%
   • "DisableTaskMgr"=%user defined settings%
   • "DisableRegistryTools"=%user defined settings%
   New value:
   • "DisableCMD"=dword:00000001
   • "DisableTaskMgr"=dword:00000001
   • "DisableRegistryTools"=dword:00000001

– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   Old value:
   • "DisableConfig"=%user defined settings%
   • "DisableSR"=%user defined settings%
   New value:
   • "DisableConfig"=dword:00000001
   • "DisableSR"=dword:00000001

– [HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer]
   New value:
   • "LimitSystemRestoreCheckpointing"=dword:00000001
   • "DisableMSI"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
   New value:
   • "FullPath"=dword:00000001
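
The Run-key entries and the changed keys listed above can be checked offline from a registry export rather than on the live machine. The following Python script is an added example and is not part of the Avira description: it parses a constructed .reg-style export and reports every value that deviates from the "Old value" defaults given above (the shell\open\command handlers, the Winlogon Shell/Userinit chain, the AeDebug debugger, the SafeBoot AlternateShell, the Policies\System flags) or that autoruns from the %HOME%\Local Settings\Application Data\WINDOWS\ drop directory. The key paths follow the description; the concrete paths in the sample (C:\WINDOWS, the user name "alice") are constructed for the example.

```python
import re

# Known-good values, taken from the "Old value" entries in the description.
SHELL_OPEN_DEFAULT = '"%1" %*'
HIJACKED_CLASSES = ("exefile", "comfile", "batfile", "piffile", "lnkfile")
POLICY_FLAGS = ("DisableCMD", "DisableTaskMgr", "DisableRegistryTools")
# Profile sub-directory in which this variant drops its process look-alikes.
DROP_DIR_MARKER = "\\local settings\\application data\\windows\\"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AEDEBUG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed .reg export, not a real capture: clean exefile handler, hijacked
# comfile handler, one autorun from the drop directory, patched Winlogon chain,
# untouched AeDebug, replaced safe-mode shell, Task Manager disabled.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\shell.exe\" \"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\system32\\IExplorer.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\IExplorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Debugger"="drwtsn32 -p %ld -e %ld -g"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\WINDOWS\\Kr0n1C.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

def unescape_reg(s):
    # Undo .reg string escaping: \\ becomes \ and \" becomes "
    return re.sub(r'\\(["\\])', r"\1", s)

def parse_reg(text):
    """Parse .reg text into {key: {name: value}}; the default value is named '@'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else unescape_reg(m.group(2))
        data = m.group(3)
        value = data                               # hex:/other types kept raw
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = unescape_reg(data[1:-1])       # REG_SZ
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)              # REG_DWORD
        keys[current][name] = value
    return keys

def audit(keys):
    """Return (key, name, finding) tuples for values matching the listed changes."""
    lower = {k.lower(): v for k, v in keys.items()}   # key paths are case-insensitive
    def get(key, name):
        return lower.get(key.lower(), {}).get(name)
    found = []
    for cls in HIJACKED_CLASSES:
        key = rf"HKEY_CLASSES_ROOT\{cls}\shell\open\command"
        val = get(key, "@")
        if val is not None and val != SHELL_OPEN_DEFAULT:
            found.append((key, "@", f"open command hijacked: {val}"))
    shell = get(WINLOGON, "Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        found.append((WINLOGON, "Shell", f"extra shell program: {shell}"))
    userinit = get(WINLOGON, "Userinit")
    if userinit is not None:
        progs = [p.strip() for p in userinit.split(",") if p.strip()]
        if len(progs) != 1 or not progs[0].lower().endswith("userinit.exe"):
            found.append((WINLOGON, "Userinit", f"extra Userinit program: {userinit}"))
    dbg = get(AEDEBUG, "Debugger")
    if dbg is not None and not dbg.lower().startswith("drwtsn32"):
        found.append((AEDEBUG, "Debugger", f"post-mortem debugger replaced: {dbg}"))
    alt = get(SAFEBOOT, "AlternateShell")
    if alt is not None and alt.lower() != "cmd.exe":
        found.append((SAFEBOOT, "AlternateShell", f"safe-mode shell replaced: {alt}"))
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        run = rf"{hive}\Software\Microsoft\Windows\CurrentVersion\Run"
        for name, cmd in lower.get(run.lower(), {}).items():
            if isinstance(cmd, str) and DROP_DIR_MARKER in cmd.lower():
                found.append((run, name, f"autorun from drop directory: {cmd}"))
    for flag in POLICY_FLAGS:
        if get(POLICY, flag) == 1:
            found.append((POLICY, flag, "set to 1 (tool disabled)"))
    return found

if __name__ == "__main__":
    for key, name, why in audit(parse_reg(SAMPLE_REG)):
        print(f"[{key}] {name}: {why}")
```

Run as-is, the script reports six findings for the constructed sample (the comfile handler, the Winlogon Shell and Userinit values, the SafeBoot shell, the MSMSGS autorun and DisableTaskMgr) and stays silent on the untouched exefile handler and AeDebug entry. To use it on a real export, pass the text of a `reg export` of the keys above to `parse_reg`; the remaining keys in the description (Explorer Advanced, Desktop screen saver, SystemRestore, Installer) can be added to `audit` in the same pattern by comparing against their "Old value" entries.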

Process termination
Processes whose window title contains one of the following strings are terminated:
   • TASK; REG; ASM; DBG; W32; PROC; WALK; REST; AVS; OPTIONS; ANTI; VIRUS;
      RegEdit; Registry Editor; Folder Options; Local Settings


File details
Programming language:
The malware program was written in Visual Basic.

Description inserted by Adriana Popa on Tuesday, September 19, 2006
Description updated by Adriana Popa on Friday, September 22, 2006
