Virus: Worm/Brontok.a
Date discovered: 14/10/2005
Type: Worm
In the wild: Yes
Reported infections: Low
Distribution potential: Medium to high
Damage potential: Medium
Static file: Yes
File size: 42.065 Bytes
MD5 checksum: c51a426d90af0Cdcb97c10bb4ea12696
VDF version: 6.32.00.84
General
Method of propagation:
• Email
• Peer to Peer
Aliases:
• Symantec: W32.Rontokbro@mm
• Kaspersky: Email-Worm.Win32.Brontok.q
• TrendMicro: WORM_RONTKBR.B
• Grisoft: I-Worm/VB.GG
• VirusBuster: I-Worm.Brontok.CU
• Eset: Win32/Brontok.T
• Bitdefender: Win32.Brontok.AO@mm
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Uses its own email engine
• Lowers security settings
• Registry modification

Files
It copies itself to the following locations:
• %WINDIR%\ShellNew\RakyatKelaparan.exe
• %SYSDIR%\cmd-brontok.exe
• %SYSDIR%\%current username%'s Setting.scr
• %WINDIR%\KesenjanganSosial.exe
• %HOME%\Local Settings\Application Data\smss.exe
• %HOME%\Local Settings\Application Data\br%four-digit random character string%on.exe
• %HOME%\Local Settings\Application Data\services.exe
• %HOME%\Local Settings\Application Data\inetinfo.exe
• %HOME%\Local Settings\Application Data\csrss.exe
• %HOME%\Local Settings\Application Data\lsass.exe
• %HOME%\Local Settings\Application Data\IDTemplate.exe
• %HOME%\Templates\%five-digit random character string%-NendangBro.com
• %SYSDIR%\drivers\etc\hosts-Denied By-%current username%.com
It deletes the following file:
• %SYSDIR%\drivers\etc\hosts-Denied By-%current username%.com
The following files are created:
– %HOME%\Local Settings\Application Data\Loc.Mail.Bron.Tok\%collected email addresses%.ini
This is a non-malicious text file with the following content:
• Brontok.A By: HVM31 -- JowoBot VM Community --
– %WINDIR%\Tasks\At1.job
This file is a scheduled task that runs the malware at predefined times.
It tries to download a file:
– The location is the following:
• www.geocities.com/stabro7ok/**********
At the time of writing this file was not online for further investigation.
Registry
The following registry keys are added in order to run the process after reboot:
– HKLM\software\microsoft\windows\currentversion\run
• "Bron-Spizaetus" = ""%WINDIR%\ShellNew\RakyatKelaparan.exe""
– HKCU\software\microsoft\windows\currentversion\run
• "Tok-Cirrhatus" = ""
• "Tok-Cirrhatus-%four-digit random character string%" = ""%HOME%\Local Settings\Application Data\bron%four-digit random character string%on.exe""
The following registry key is added:
– HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
• "AlternateShell" = "cmd-brontok.exe"
The following registry keys are changed:
Disable Regedit and Task Manager:
– HKCU\software\microsoft\windows\currentversion\Policies\System
Old value:
• "DisableCMD" = %user defined settings%
• "DisableRegistryTools" = %user defined settings%
New value:
• "DisableCMD" = dword:00000000
• "DisableRegistryTools" = dword:00000000
Various Explorer settings:
– HKCU\software\microsoft\windows\currentversion\Policies\Explorer
Old value:
• "NoFolderOptions" = %user defined settings%
New value:
• "NoFolderOptions" = dword:00000001
Various Explorer settings:
– HKCU\software\microsoft\windows\currentversion\explorer\advanced
Old value:
• "ShowSuperHidden" = %user defined settings%
• "HideFileExt" = %user defined settings%
• "Hidden" = %user defined settings%
New value:
• "ShowSuperHidden" = dword:00000000
• "HideFileExt" = dword:00000001
• "Hidden" = dword:00000000

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server is established. The characteristics are described in the following:
From: The sender address is spoofed.
To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book).
Subject: The subject line is empty.
Body: The body of the email is the following:
• BRONTOK.A[49] [ By: HVM64 -- JowoBot &VM Community ] -- Hentikanlah kebobrokan di negeri ini -- 4. Penjarakan Koruptor/ Penyelundup/ Tukang Suap/ ) Bandar NARKOBA + Send to %NUSAKAMBANGAN%, 5. Stop Free Sex/ Aborsi/ ) Prostitusi + Go To HELL , 6. Stop pencemaran lingkungan/ pembakaran hutan ) perburuan liar. 7. Stop Pornografi ) Pornoaksi 8. SAY NO TO DRUGS $$$ -- KIAMAT SUDAH DEKAT -- Terinspirasi oleh: Elang Brontok +Spi}aetus Cirrhatus, yang hampir punah [ By: HVM64 ] -- JowoBot &VM Community -- $$$ Akan Kubuat Mereka +VM lokal yg cengeng ) bodoh, Terkapar $$$
Attachment: The filename of the attachment is constructed out of the following:
– It starts with one of the following:
• PATAH
• HATI
• CINTA
• UNTUKMU
• DATA-TEMEN
• RIYANI
• JANGKARU
• KANGEN
• JROX
Continued by one of the following fake extensions:
• .doc
• .xls
The file extension is one of the following:
• .exe
The attachment is a copy of the malware itself.

Mailing
Search addresses: It searches the following files for email addresses:
• .txt; .eml; .wab; .asp; .php; .cfm; .csv; .doc; .xls; .pdf; .ppt; .htt
Avoid addresses: It does not send emails to addresses containing one of the following strings:
• DOMAIN; HIDDEN; DEMO; DEVELOP; FOOZ; KOMPUTER; SENIOR; DARK; BLACK; BLEEP; FEEDBACK; IBM.; INTEL.; MACRO; ADOBE; FUCK; RECIPIENT; SERVER; PROXY; ZEND; ZDNET; CNET; DOWNLOAD; HP.; XEROX; CANON; SERVICE; ARCHIEVE; NETSCAPE; MOZILLA; OPERA; NOVELL; NEWS; UPDATE; RESPONSE; OVERTURE; GROUP; GATEWAY; RELAY; ALERT; SEKUR; CISCO; LOTUS; MICRO; TREND; SIEMENS; FUJITSU; NOKIA; W6.; NVIDIA; APACHE; MYSQL; POSTGRE; SUN.; GOOGLE; SPERSKY; ZOMBIE; ADMIN; AVIRA; AVAST; TRUST; ESAVE; ESAFE; PROTECT; ALADDIN; ALERT; BUILDER; DATABASE; AHNLAB; PROLAND; ESCAN; HAURI; NOD65; SYBARI; ANTIGEN; ROBOT; ALWIL; BROWSE; COMPUSE; COMPUTE; SECUN; SPYW; REGIST; FREE; BUG; MATH; LAB; IEEE; KDE; TRACK; INFORMA; FUJI; ZMAC; SLACK; REDHA; SUSE; BUNTU; XANDROS; ZABC; Z456; LOOKSMART; SYNDICAT; ELEKTRO; ELECTRO; NASA; LUCENT; TELECOM; STUDIO; SIERRA; USERNAME; IPTEK; CLICK; SALES; PROMO; PLASA; TELKOM; INDO; .CO.ID; .GO.ID; .MIL.ID; .SCH.ID; .NET.ID; .OR.ID; .AC.ID; .WEB.ID; .WAR.NET.ID; ASTAGA; GAUL; BOLEH; EMAILKU; SATU
Prepend MX strings: In order to get the IP address of the mail server it has the ability to prepend the following strings to the domain name:
• smtp.
• mail.
• ns1.

P2P
In order to infect other systems in the Peer to Peer network community the following action is performed: It searches for all shared directories. If successful, the following file is created:
• %all shared folders%.exe
These files are copies of the malware itself.

Process termination
List of processes that are terminated:
• mcvsescn.exe; poproxy.exe; avgemc.exe; ccapps.exe; tskmgr.exe; syslove.exe; xpshare.exe; riyaniy_jangkaru.exe; systray.exe; ashmaisv.exe; aswupdsv.exe; nvcoas.exe; cclaw.exe; njeeves.exe; nipsvc.exe
Processes containing one of the following window titles are terminated:
• REGISTRY; SYSTEM CONFIGURATION; COMMAND PROMPT; SHUT DOWN; SCRIPT HOST; LOG OFF WINDOWS; KILLBOX; TASKKILL; TASK KILL; HIJACK; BLEEPING; SYSINTERNAL; PROCESS EXP; FAJARWEB; REMOVER; CLEANER; GROUP; POLICY; MOVZX

DoS
Right after it becomes active, it starts DoS attacks against the following destinations:
• kaskus.com
• tahun.com

File details
Programming language: The malware program was written in MS Visual C++.
Runtime packer: In order to hamper detection and reduce the size of the file it is packed with a runtime packer.
Description inserted by Irina Boldea on Wednesday, 30 August 2006. Description updated by Irina Boldea on Wednesday, 6 September 2006.