Virus: Worm/Rontok.F
Date discovered: 28/06/2010
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 41.385 Bytes
MD5 checksum: 5a1e3b99e00dd5df99cc316ecfff5fb9
IVDF version: 7.10.08.212 - Monday, June 28, 2010

General Aliases:
   •  Mcafee: W32/Rontokbro.gen
   •  Sophos: W32/Brontok-DB
   •  Bitdefender: Worm.Generic.73749
   •  Panda: W32/Brontok.CX.worm
   •  Eset: Win32/Brontok.G


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Lowers security settings
   • Downloads malicious files
   • Drops malicious files
   • Registry modification

Files:
It copies itself to the following locations:
   • %HOME%\Local Settings\Application Data\smss.exe
   • %HOME%\Start Menu\Programs\Startup\Empty.pif
   • %SYSDIR%\%current username%'s Setting.scr
   • %WINDIR%\ShellNew\bronstab.exe
   • %HOME%\Local Settings\Application Data\lsass.exe
   • %HOME%\Local Settings\Application Data\csrss.exe
   • %WINDIR%\eksplorasi.exe
   • %HOME%\Local Settings\Application Data\inetinfo.exe
   • %SYSDIR%\drivers\etc\hosts-Denied By-%current username%.com
   • %HOME%\Local Settings\Application Data\winlogon.exe
   • %HOME%\Templates\WowTumpeh.com
   • %HOME%\Local Settings\Application Data\services.exe



It overwrites the following files:
   • %SYSDIR%\drivers\etc\hosts
   • C:\autoexec.bat



It deletes the initially executed copy of itself.



It deletes the following files:
   • %HOME%\Local Settings\Application Data\BronFoldNetDomList.txt
   • %HOME%\Local Settings\Application Data\BronNetDomList.bat
   • %HOME%\Local Settings\Application Data\BronNPath0.txt



The following files are created:

– %HOME%\Local Settings\Application Data\BronNPath0.txt
– %HOME%\Local Settings\Application Data\Kosong.Bron.Tok.txt
– %HOME%\Local Settings\Application Data\ListHost9.txt
– %HOME%\My Documents\My Pictures\about.Brontok.A.html
   This is a non-malicious text file with the following content:
   • %code that runs malware%

– %HOME%\Local Settings\Application Data\BronFoldNetDomList.txt
– %HOME%\Local Settings\Application Data\Update.9.Bron.Tok.bin
– %HOME%\Local Settings\Application Data\Bron.tok.A9.em.bin
– %HOME%\Local Settings\Application Data\BronNetDomList.bat
   This batch file is executed once it has been fully written; it is used to delete a file.



It tries to download files from the following locations:
   • http://www.geocities.com/sembilstabok/**********
   • http://www.geocities.com/sembilstabok/**********
   • http://www.geocities.com/sembilstabok/**********




It tries to execute the following files and commands:
   • explorer.exe
   • %HOME%\Local Settings\Application Data\csrss.exe
   • taskkill /f /im mcvsescn.exe /t
   • taskkill /f /im poproxy.exe /t
   • taskkill /f /im avgemc.exe /t
   • taskkill /f /im ccapps.exe /t
   • taskkill /f /im tskmgr.exe /t
   • taskkill /f /im syslove.exe /t
   • taskkill /f /im xpshare.exe /t
   • taskkill /f /im riyani_jangkaru.exe /t
   • taskkill /f /im systray.exe /t
   • %HOME%\Local Settings\Application Data\smss.exe
   • %HOME%\Local Settings\Application Data\winlogon.exe
   • at /delete /y
   • at 17:08 /every:M,T,W,Th,F,S,Su "%HOME%\Templates\WowTumpeh.com"
   • %HOME%\Local Settings\Application Data\services.exe
   • %HOME%\Local Settings\Application Data\lsass.exe
   • %HOME%\Local Settings\Application Data\inetinfo.exe
   • cmd /c "%HOME%\Local Settings\Application Data\BronNetDomList.bat"
   • ping kaskus.com -n 250 -l 747

Registry:
The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Tok-Cirrhatus"=""%HOME%\Local Settings\Application Data\smss.exe""

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Bron-Spizaetus"=""%WINDIR%\ShellNew\bronstab.exe""



The following registry keys are added:

– [HKLM\SOFTWARE\Classes\Interface\
   {79FA9AD0-A97C-11D0-8534-00C04FD8D503}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {A02DED10-31CA-11CF-A98A-00AA006BC149}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {27636B00-410F-11CF-B1FF-02608C9E7553}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {124BE5C0-156E-11CF-A986-00AA006BC149}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {28B96BA0-B330-11CF-A9AD-00AA006BC149}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {451A0030-72EC-11CF-B03B-00AA006E0975}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {5D7B33F0-31CA-11CF-A98A-00AA006BC149}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {124BE5C0-156E-11CF-A986-00AA006BC149}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {5D7B33F0-31CA-11CF-A98A-00AA006BC149}]
   • "@"="IADsServiceOperations"

– [HKLM\SOFTWARE\Classes\Interface\
   {A05E03A2-EFFE-11CF-8ABC-00C04FD8D503}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {00E4C220-FD16-11CE-ABC4-02608C9E7553}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {9068270B-0939-11D1-8BE1-00C04FD8D503}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {97AF011A-478E-11D1-A3B4-00C04FB950DC}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {5BB11929-AFD1-11D2-9CB9-0000F87A369E}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {72B945E0-253B-11CF-A988-00AA006BC149}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {46F14FDA-232B-11D1-A808-00C04FD8D5A8}]
   • "@"="IADsObjectOptions"

– [HKLM\SOFTWARE\Classes\Interface\
   {6C6D65DC-AFD1-11D2-9CB9-0000F87A369E}]
   • "@"="IADsWinNTSystemInfo"

– [HKLM\SOFTWARE\Classes\Interface\
   {8452D3AB-0869-11D1-A377-00C04FB950DC}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {A02DED10-31CA-11CF-A98A-00AA006BC149}]
   • "@"="IADsFileServiceOperations"

– [HKLM\SOFTWARE\Classes\Interface\
   {72B945E0-253B-11CF-A988-00AA006BC149}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {451A0030-72EC-11CF-B03B-00AA006E0975}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {3E37E320-17E2-11CF-ABC4-02608C9E7553}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {7ADECF29-4680-11D1-A3B4-00C04FB950DC}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {398B7DA0-4AAB-11CF-AE2C-00AA006EBFB9}]
   • "@"="IADsSession"

– [HKLM\SOFTWARE\Classes\Interface\
   {28B96BA0-B330-11CF-A9AD-00AA006BC149}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {05792C8E-941F-11D0-8529-00C04FD8D503}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {05792C8E-941F-11D0-8529-00C04FD8D503}]
   • "@"="IADsPropertyEntry"

– [HKLM\SOFTWARE\Classes\Interface\
   {27636B00-410F-11CF-B1FF-02608C9E7553}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {8452D3AB-0869-11D1-A377-00C04FB950DC}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {306E831C-5BC7-11D1-A3B8-00C04FB950DC}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {3E37E320-17E2-11CF-ABC4-02608C9E7553}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {7B28B80F-4680-11D1-A3B4-00C04FB950DC}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {7E99C0A2-F935-11D2-BA96-00C04FB6D0D1}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {6C6D65DC-AFD1-11D2-9CB9-0000F87A369E}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {9068270B-0939-11D1-8BE1-00C04FD8D503}]
   • "@"="IADsLargeInteger"

– [HKLM\SOFTWARE\Classes\Interface\
   {451A0030-72EC-11CF-B03B-00AA006E0975}]
   • "@"="IADsMembers"

– [HKLM\SOFTWARE\Classes\Interface\
   {306E831C-5BC7-11D1-A3B8-00C04FB950DC}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKCU\software\microsoft\windows\currentversion\Policies\System]
   • "DisableCMD"=dword:0x00000000
   • "DisableRegistryTools"=dword:0x00000001

– [HKLM\SOFTWARE\Classes\Interface\
   {00E4C220-FD16-11CE-ABC4-02608C9E7553}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {7B66B533-4680-11D1-A3B4-00C04FB950DC}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {9A52DB30-1ECF-11CF-A988-00AA006BC149}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {28B96BA0-B330-11CF-A9AD-00AA006BC149}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {7ADECF29-4680-11D1-A3B4-00C04FB950DC}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {A02DED10-31CA-11CF-A98A-00AA006BC149}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {A05E03A2-EFFE-11CF-8ABC-00C04FD8D503}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {370DF02E-F934-11D2-BA96-00C04FB6D0D1}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {370DF02E-F934-11D2-BA96-00C04FB6D0D1}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {72B945E0-253B-11CF-A988-00AA006BC149}]
   • "@"="IADsCollection"

– [HKLM\SOFTWARE\Classes\Interface\
   {32FB6780-1ED0-11CF-A988-00AA006BC149}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {8452D3AB-0869-11D1-A377-00C04FB950DC}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {3E37E320-17E2-11CF-ABC4-02608C9E7553}]
   • "@"="IADsUser"

– [HKLM\SOFTWARE\Classes\Interface\
   {7B66B533-4680-11D1-A3B4-00C04FB950DC}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {46F14FDA-232B-11D1-A808-00C04FD8D5A8}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {A05E03A2-EFFE-11CF-8ABC-00C04FD8D503}]
   • "@"="IADsLocality"

– [HKLM\SOFTWARE\Classes\Interface\
   {34A05B20-4AAB-11CF-AE2C-00AA006EBFB9}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {A05E03A2-EFFE-11CF-8ABC-00C04FD8D503}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {7E99C0A2-F935-11D2-BA96-00C04FB6D0D1}]
   • "@"="IADsDNWithBinary"

– [HKLM\SOFTWARE\Classes\Interface\
   {79FA9AD0-A97C-11D0-8534-00C04FD8D503}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {46F14FDA-232B-11D1-A808-00C04FD8D5A8}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {7ADECF29-4680-11D1-A3B4-00C04FB950DC}]
   • "@"="IADsPostalAddress"

– [HKLM\SOFTWARE\Classes\Interface\
   {451A0030-72EC-11CF-B03B-00AA006E0975}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {9A52DB30-1ECF-11CF-A988-00AA006BC149}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {34A05B20-4AAB-11CF-AE2C-00AA006EBFB9}]
   • "@"="IADsResource"

– [HKLM\SOFTWARE\Classes\Interface\
   {306E831C-5BC7-11D1-A3B8-00C04FB950DC}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {00E4C220-FD16-11CE-ABC4-02608C9E7553}]
   • "@"="IADsDomain"

– [HKLM\SOFTWARE\Classes\Interface\
   {28B96BA0-B330-11CF-A9AD-00AA006BC149}]
   • "@"="IADsNamespaces"

– [HKLM\SOFTWARE\Classes\Interface\
   {79FA9AD0-A97C-11D0-8534-00C04FD8D503}]
   • "@"="IADsPropertyValue"

– [HKLM\SOFTWARE\Classes\Interface\
   {7ADECF29-4680-11D1-A3B4-00C04FB950DC}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {27636B00-410F-11CF-B1FF-02608C9E7553}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {34A05B20-4AAB-11CF-AE2C-00AA006EBFB9}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {3E37E320-17E2-11CF-ABC4-02608C9E7553}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {398B7DA0-4AAB-11CF-AE2C-00AA006EBFB9}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {124BE5C0-156E-11CF-A986-00AA006BC149}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {7E99C0A2-F935-11D2-BA96-00C04FB6D0D1}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {7E99C0A2-F935-11D2-BA96-00C04FB6D0D1}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {001677D0-FD16-11CE-ABC4-02608C9E7553}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {5BB11929-AFD1-11D2-9CB9-0000F87A369E}]
   • "@"="IADsADSystemInfo"

– [HKLM\SOFTWARE\Classes\Interface\
   {32FB6780-1ED0-11CF-A988-00AA006BC149}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {9A52DB30-1ECF-11CF-A988-00AA006BC149}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {001677D0-FD16-11CE-ABC4-02608C9E7553}]
   • "@"="IADsContainer"

– [HKLM\SOFTWARE\Classes\Interface\
   {9A52DB30-1ECF-11CF-A988-00AA006BC149}]
   • "@"="IADsPrintJobOperations"

– [HKLM\SOFTWARE\Classes\Interface\
   {7B66B533-4680-11D1-A3B4-00C04FB950DC}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {124BE5C0-156E-11CF-A986-00AA006BC149}]
   • "@"="IADsPrintQueueOperations"

– [HKLM\SOFTWARE\Classes\Interface\
   {46F14FDA-232B-11D1-A808-00C04FD8D5A8}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {68AF66E0-31CA-11CF-A98A-00AA006BC149}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {97AF011A-478E-11D1-A3B4-00C04FB950DC}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {32FB6780-1ED0-11CF-A988-00AA006BC149}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   • "NoFolderOptions"=dword:0x00000001

– [HKLM\SOFTWARE\Classes\Interface\
   {370DF02E-F934-11D2-BA96-00C04FB6D0D1}]
   • "@"="IADsDNWithString"

– [HKLM\SOFTWARE\Classes\Interface\
   {68AF66E0-31CA-11CF-A98A-00AA006BC149}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {72B945E0-253B-11CF-A988-00AA006BC149}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {27636B00-410F-11CF-B1FF-02608C9E7553}]
   • "@"="IADsGroup"

– [HKLM\SOFTWARE\Classes\Interface\
   {001677D0-FD16-11CE-ABC4-02608C9E7553}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {8452D3AB-0869-11D1-A377-00C04FB950DC}]
   • "@"="IADsAcl"

– [HKLM\SOFTWARE\Classes\Interface\
   {05792C8E-941F-11D0-8529-00C04FD8D503}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {5BB11929-AFD1-11D2-9CB9-0000F87A369E}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {5D7B33F0-31CA-11CF-A98A-00AA006BC149}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {79FA9AD0-A97C-11D0-8534-00C04FD8D503}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {7B28B80F-4680-11D1-A3B4-00C04FB950DC}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {7B28B80F-4680-11D1-A3B4-00C04FB950DC}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {7B28B80F-4680-11D1-A3B4-00C04FB950DC}]
   • "@"="IADsOctetList"

– [HKLM\SOFTWARE\Classes\Interface\
   {9068270B-0939-11D1-8BE1-00C04FD8D503}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {5D7B33F0-31CA-11CF-A98A-00AA006BC149}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {370DF02E-F934-11D2-BA96-00C04FB6D0D1}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {6C6D65DC-AFD1-11D2-9CB9-0000F87A369E}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {6C6D65DC-AFD1-11D2-9CB9-0000F87A369E}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {05792C8E-941F-11D0-8529-00C04FD8D503}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {32FB6780-1ED0-11CF-A988-00AA006BC149}]
   • "@"="IADsPrintJob"

– [HKLM\SOFTWARE\Classes\Interface\
   {68AF66E0-31CA-11CF-A98A-00AA006BC149}]
   • "@"="IADsService"

– [HKLM\SOFTWARE\Classes\Interface\
   {306E831C-5BC7-11D1-A3B8-00C04FB950DC}]
   • "@"="IADsPropertyValue2"

– [HKLM\SOFTWARE\Classes\Interface\
   {7B66B533-4680-11D1-A3B4-00C04FB950DC}]
   • "@"="IADsCaseIgnoreList"

– [HKLM\SOFTWARE\Classes\Interface\
   {68AF66E0-31CA-11CF-A98A-00AA006BC149}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {398B7DA0-4AAB-11CF-AE2C-00AA006EBFB9}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {001677D0-FD16-11CE-ABC4-02608C9E7553}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {97AF011A-478E-11D1-A3B4-00C04FB950DC}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {9068270B-0939-11D1-8BE1-00C04FD8D503}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {97AF011A-478E-11D1-A3B4-00C04FB950DC}]
   • "@"="IADsEmail"

– [HKLM\SOFTWARE\Classes\Interface\
   {00E4C220-FD16-11CE-ABC4-02608C9E7553}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {A02DED10-31CA-11CF-A98A-00AA006BC149}\TypeLib]
   • "@"="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Classes\Interface\
   {5BB11929-AFD1-11D2-9CB9-0000F87A369E}\ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {398B7DA0-4AAB-11CF-AE2C-00AA006EBFB9}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

– [HKLM\SOFTWARE\Classes\Interface\
   {34A05B20-4AAB-11CF-AE2C-00AA006EBFB9}\ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "Shell"="Explorer.exe "%WINDIR%\eksplorasi.exe""

– [HKCU\Software\Microsoft\Internet Explorer\Toolbar\Explorer]
   New value:
   • "ITBarLayout"=hex:11,00,00,00,4C,00,00,00,00,00,00,00,34,00,00,00,1B,00,00,00,4E,00,00,00,01,00,00,00,20,07,00,00,A0,0F,00,00,05,00,00,00,62,05,00,00,26,00,00,00,02,00,00,00,21,07,00,00,A0,0F,00,00,04,00,00,00,21,01,00,00,A0,0F,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "Hidden"=dword:0x00000000
   • "HideFileExt"=dword:0x00000001
   • "ShowSuperHidden"=dword:0x00000000

– [HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
   New value:
   • "{01E04581-4EEE-11D0-BFE9-00AA005B4383}"=hex:81,45,E0,01,EE,4E,D0,11,BF,E9,00,AA,00,5B,43,83,10,00,00,00,00,00,00,00,01,E0,32,F4,01,00,00,00

– [HKCU\Software\Microsoft\Internet Explorer\Toolbar]
   New value:
   • "Locked"=dword:0x00000001

Hosts:
The hosts file is modified as follows:

– In this case, existing entries are deleted.

File details:
Programming language:
The malware program was written in Visual Basic.


Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Petre Galan on Monday, December 6, 2010
Description updated by Petre Galan on Monday, December 6, 2010
