Avira Virus Lab

Worm/Brontok.E.1

  • Name
    Worm/Brontok.E.1
  • Date discovered
    Oct 8, 2015
  • Type
    Malware
  • Impact
    High 
  • Reported Infections
    Low 
  • Operating System
    Windows
  • VDF version
    7.11.47.198 (2012-10-26 15:42)


The term 'WORM' denotes malware that spreads itself, for instance over the Internet (via email, peer-to-peer networks, IRC networks, etc.).

  • Aliases
    Avast: Win32:Brontok-CE
    AVG: I-Worm/Brontok.X
    ClamAV: Worm.Brontok.H
    Dr. Web: Win32.HLLM.Generic.440
    F-PROT: W32/Brontok.C.gen!Eldorado (generic, not disinfectable)
    Trend Micro: TROJ_SPNR.03I211
    Microsoft: Worm:Win32/Brontok.BO@mm
    G Data: Win32.Brontok.ND
    Kaspersky Lab: Email-Worm.Win32.Brontok.q
    Bitdefender: Win32.Brontok.ND
    ESET: Win32/Brontok.CH worm
  • Files
    The following copies of itself are created:
    • %WINDIR%\ShellNew\RakyatKelaparan.exe
    • %SYSDIR%\cmd-brontok.exe
    • %WINDIR%\KesenjanganSosial.exe
    • %USERPROFILE%\Local Settings\Application Data\smss.exe
    • %USERPROFILE%\Local Settings\Application Data\br5931on.exe
    • %USERPROFILE%\Local Settings\Application Data\services.exe
    • %USERPROFILE%\Local Settings\Application Data\lsass.exe
    • %USERPROFILE%\Local Settings\Application Data\inetinfo.exe
    • %USERPROFILE%\Local Settings\Application Data\csrss.exe
    • %USERPROFILE%\Local Settings\Application Data\winlogon.exe
    • %USERPROFILE%\Start Menu\Programs\Startup\Empty.pif
    • %USERPROFILE%\Templates\10044-NendangBro.com
    • %SYSDIR%\%USERNAME%'s Setting.scr
    • %SYSDIR%\drivers\etc\hosts-Denied By-%USERNAME%.com
    The following files are changed:
    • %DISKDRIVE%\AUTOEXEC.BAT
    • %temporary internet files%\Content.IE5\index.dat
    • %USERPROFILE%\Cookies\index.dat
    • %USERPROFILE%\Local Settings\History\History.IE5\index.dat
    The following files are deleted:
    • %TEMPDIR%\~DFE85D.tmp
    • %TEMPDIR%\~DFD2DE.tmp
    • %SYSDIR%\drivers\etc\hosts-Denied By-%USERNAME%.com
    • %TEMPDIR%\~DF275.tmp
    The following files are created:
    • %TEMPDIR%\~DFE85D.tmp
    • %TEMPDIR%\~DFD2DE.tmp
    • %TEMPDIR%\~DF275.tmp
  • Registry
    The following registry entries are added:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
    • HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings ("ProxyEnable": dword:00000000)
  • HTTP Requests
    • www.*****eb.com/News/cmbrotlu3/IN16QGROQGRO.css
    • www.*****eb.com/News/cmbrotlu3/Host16.css
