Virus:Worm/Brontok.C
Date discovered:27/10/2005
Type:Worm
In the wild:Yes
Reported Infections:Medium
Distribution Potential:Medium to high
Damage Potential:Medium
Static file:No
VDF version:6.32.00.109

 General Methods of propagation:
   • Email
   • Local network


Aliases:
   •  Symantec: W32.Rontokbro.K@mm
   •  TrendMicro: WORM_RONTOKBRO.J
   •  Bitdefender: Win32.Brontok.C@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to security websites
   • Downloads files
   • Uses its own Email engine
   • Registry modification


Right after execution it runs a windows application which will display the following window:


 Files It copies itself to the following locations:
   • %WINDIR%\ShellNew\sempalong.exe
   • %WINDIR%\eksplorasi.exe
   • %HOME%\Local Settings\Application Data\smss.exe
   • %HOME%\Local Settings\Application Data\services.exe
   • %HOME%\Local Settings\Application Data\lsass.exe
   • %HOME%\Local Settings\Application Data\inetinfo.exe
   • %HOME%\Local Settings\Application Data\csrss.exe
   • %HOME%\Start Menu\Programs\Startup\Empty.pif
   • %HOME%\Templates\brengkolang.exe
   • %SYSDIR%\%current username%'s setting.scr



It overwrites a file.
%system drive root%\autoexec.bat

With the following contents:
   • pause




The following file is created:

– %HOME%\Local Settings\Application Data\Kosong.Bron.Tok.txt This is a non malicious text file with the following content:
   • Brontok.A
     By: HVM31
     -- JowoBot
     VM Community --

 Registry The following registry keys are added in order to run the processes after reboot:

– [HKLM\software\microsoft\windows\currentversion\run]
   • "Bron-Spizaetus" = ""c:\winows\ShellNew\sempalong.exe""

– [HKCU\software\microsoft\windows\currentversion\run]
   • "Tok-Cirrhatus" = "c:\Documents and Settings\UserLocal Settings\Application Data\smss.exe"



The following registry keys are added:

– [HKCU\software\microsoft\windows\currentversion\Policies\System]
   • "DisableCMD" = dword:00000000
   • "DisableRegistryTools" = dword:00000001

– [HKCU\software\microsoft\windows\currentversion\Policies\Explorer]
   • "NoFolderOptions" = dword:00000001



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell" = "Explorer.exe"
   New value:
   • "Shell" = "Explorer.exe "c:\winows\eksplorasi.exe""

– [HKCU\software\microsoft\windows\currentversion\explorer\advanced]
   Old value:
   • "ShowSuperHidden" = %user defined settings%
   • "HideFileExt" = %user defined settings%
   • "Hidden" = %user defined settings%
   New value:
   • "ShowSuperHidden" = dword:00000000
   • "HideFileExt" = dword:00000001
   • "Hidden" = dword:00000000

 Mailing Search addresses:
It searches the following files for email addresses:
   • .HTML; .TXT; .EML; .WAB; .ASP; .PHP; .CFM; .CSV; .DOC; .XLS; .PDF;
      .PPT; .HTT


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • .VBS; DOMAIN; HIDDEN; DEMO; DEVELOP; FOO@; KOMPUTER; SENIOR; DARK;
      BLACK; BLEEP; FEEDBACK; IBM.; INTEL.; MACRO; ADOBE; FUCK; RECIPIENT;
      SERVER; PROXY; ZEND; ZDNET; CNET; DOWNLOAD; HP.; XEROX; CANON;
      SERVICE; ARCHIEVE; NETSCAPE; MOZILLA; OPERA; NOVELL; NEWS; UPDATE;
      RESPONSE; OVERTURE; GROUP; GATEWAY; RELAY; ALERT; SEKUR; CISCO; LOTUS;
      MICRO; TREND; SIEMENS; FUJITSU; NOKIA; W3.; NVIDIA; APACHE; MYSQL;
      POSTGRE; SUN.; GOOGLE; SPERSKY; ZOMBIE; ADMIN; AVIRA; AVAST; TRUST;
      ESAVE; ESAFE; PROTECT; ALADDIN; ALERT; BUILDER; DATABASE; AHNLAB;
      PROLAND; ESCAN; HAURI; NOD32; SYBARI; ANTIGEN; ROBOT; ALWIL; YAHOO;
      COMPUSE; COMPUTE; SECUN; SPYW; REGIST; FREE; BUG; MATH; LAB; IEEE;
      KDE; TRACK; INFORMA; FUJI; @MAC; SLACK; REDHA; SUSE; BUNTU; XANDROS;
      @ABC; @123; LOOKSMART; SYNDICAT; ELEKTRO; ELECTRO; NASA; LUCENT;
      TELECOM; STUDIO; SIERRA; USERNAME; IPTEK; CLICK; SALES; PROMO

 Hosts The host file is modified as explained:

– In this case existing entries are deleted.

– Access to the following domains is effectively blocked:
   • mcafee.com; www.mcafee.com; mcafeesecurity.com;
      www.mcafeesecurity.com; mcafeeb2b.com; www.mcafeeb2b.com; nai.com;
      www.nai.com; vil.nai.com; grisoft.com; www.grisoft.com;
      kaspersky-labs.com; www.kaspersky-labs.com; kaspersky.com;
      www.kaspersky.com; downloads1.kaspersky-labs.com;
      downloads2.kaspersky-labs.com; downloads3.kaspersky-labs.com;
      downloads4.kaspersky-labs.com; download.mcafee.com; grisoft.cz;
      www.grisoft.cz; norton.com; www.norton.com; symantec.com;
      www.symantec.com; liveupdate.symantecliveupdate.com;
      liveupdate.symantec.com; update.symantec.com;
      securityresponse.symantec.com; sarc.com; www.sarc.com; vaksin.com;
      www.vaksin.com; norman.com; www.norman.com; trendmicro.com;
      www.trendmicro.com; trendmicro.co.jp; www.trendmicro.co.jp;
      trendmicro-europe.com; www.trendmicro-europe.com;
      ae.trendmicro-europe.com; it.trendmicro-europe.com; secunia.com;
      www.secunia.com; winantivirus.com; www.winantivirus.com;
      pandasoftware.com; www.pandasoftware.com; esafe.com; www.esafe.com;
      f-secure.com; www.f-secure.com; europe.f-secure.com; bhs.com;
      www.bhs.com; datafellows.com; www.datafellows.com; cheyenne.com;
      www.cheyenne.com; ontrack.com; www.ontrack.com; sands.com;
      www.sands.com; sophos.com; www.sophos.com; icubed.com; www.icubed.com;
      perantivirus.com; www.perantivirus.com; virusalert.nl;
      www.virusalert.nl; pagina.nl; www.pagina.nl; antivirus.pagina.nl;
      castlecops.com; www.castlecops.com; virustotal.com; www.virustotal.com




The modified host file will look like this:


 DoS Right after it becomes active, it starts DoS attacks against the following destinations:
   • http://kaskus.com
   • http://17tahun.com

 Miscellaneous Anti debugging
It checks for running programs that contain one of the following strings:
   • REGISTRY
   • SYSTEM CONFIGURATION
   • COMMAND PROMPT
   • .EXE
   • SHUT DOWN
   • SCRIPT HOST
   • LOG OFF WINDOWS
   • KILLBOX
   • TASKKILL
   • TASK KILL
   • HIJACK
   • BLEEPING


 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Andrei Gherman on Friday, October 28, 2005
Description updated by Andrei Gherman on Friday, June 20, 2008

Back . . . .