Name: Worm/Brontok.W.A
Discovered on: 21/08/2006
Type: Worm
In the wild (ITW): No
Number of reported infections: Low
Spreading potential: Medium
Damage potential: Low to medium
Static file: Yes
Size: 98,304 bytes
MD5: 892f49387317b9cf8a70dad3595db4e3
VDF version: 6.36.00.51
IVDF version: 6.36.00.62 - Tuesday, 26 September 2006

General
Method of propagation:
   • Local network


Alias:
   •  Symantec: Hacktool.Spammer
   •  Kaspersky: Email-Worm.Win32.Brontok.w
   •  F-Secure: Email-Worm.Win32.Brontok.w
   •  Sophos: W32/Brontok-BO
   •  Grisoft: SpamTool.GW
   •  Bitdefender: Win32.Brontok.AM@mm

Initially identified as:
   •  SPR/Spam.VB.aqn


Operating systems:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Creates files
   • Lowers security settings
   • Registry modifications

Files
It copies itself to the following locations:
   • %WINDIR%\Kr0n1C.exe
   • C:\Kr0n1C.exe
   • %SYSDIR%\shell.exe
   • %SYSDIR%\MrHelloween.scr
   • %SYSDIR%\IExplorer.exe
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Empty.pif
   • %HOME%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
   • %HOME%\Local Settings\Application Data\WINDOWS\CSRSS.EXE
   • %HOME%\Local Settings\Application Data\WINDOWS\SERVICES.EXE
   • %HOME%\Local Settings\Application Data\WINDOWS\LSASS.EXE
   • %HOME%\Local Settings\Application Data\WINDOWS\SMSS.EXE
   • C:\Kr0n1C\New Folder.exe
   • C:\Data %current user name%.exe
   • C:\Data LocalService.exe
   • %current directory%\%current directory name%.exe



Creates the following directory:
   • C:\Kr0n1C



The following files are created:

– C:\Puisi.txt This is a harmless text file with the following content:
   • Kr0n1C
     
     Tertatihku Meratap Perih
     Insan Hidup Terasa Mati
     Dan Bahagiapun Sirna Seiring Waktu
     Hanya Sepi Yang Mengisi Sendi - Sendi Kehidupanku
     
     Ini Semua Karena Dirimu
     Yang Selalu Mengiris Hatiku
     
     Hari Ini Aku Tetap Menanti
     Hadirmu Walau Hanya Mimpi
     
     Dan Kini Telah Kusadari
     Dirimu Hanya Ingin Menyakitiku
     Hadirmu Hanya Akan Binasakanku
     Saat Ini Dan Sampai Alam Yang Abadi
     
     
      Cyber.nu

– %WINDIR%\msvbvm60.dll
– %SYSDIR%\msvbvm60.dll
– C:\Kr0n1C\Folder.htt
– C:\desktop.ini

System registry
The following keys are added to the registry so that the process is run at system restart:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Kr0n1C"="%WINDIR%\Kr0n1C.exe"
   • "Service%current user name%"="%HOME%\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
   • "MSMSGS"="%HOME%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Logon%current user name%"="%HOME%\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
   • "System Monitoring"="%HOME%\Local Settings\Application Data\WINDOWS\LSASS.EXE"
   • "LogonLocalService"="%HOME%\Local Settings\Application Data\WINDOWS\CSRSS.EXE"



The following registry keys are modified:

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
   Old value:
   • "AlternateShell"="cmd.exe"
   New value:
   • "AlternateShell"="%WINDIR%\Kr0n1C.exe"

– [HKCR\comfile\shell\open\command]
   Old value:
   • @="%1" %*
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

– [HKCR\batfile\shell\open\command]
   Old value:
   • @="%1" %*
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

– [HKCR\piffile\shell\open\command]
   Old value:
   • @="%1" %*
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

– [HKCR\lnkfile\shell\open\command]
   Old value:
   • @="%1" %*
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

– [HKCR\exefile\shell\open\command]
   Old value:
   • @="%1" %*
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

– [HKCR\exefile]
   Old value:
   • @="Application"
   New value:
   • @="File Folder"

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "Hidden"=%user settings%
   • "HideFileExt"=%user settings%
   • "ShowSuperHidden"=%user settings%
   New value:
   • "Hidden"=dword:00000000
   • "HideFileExt"=dword:00000001
   • "ShowSuperHidden"=dword:00000000

– [HKCU\Control Panel\Desktop]
   Old value:
   • "SCRNSAVE.EXE"=%user settings%
   • "ScreenSaverIsSecure"=%user settings%
   New value:
   • "SCRNSAVE.EXE"="%SYSDIR%\MRHELL~1.SCR"
   • "ScreenSaverIsSecure"="0"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   • "Userinit"="%SYSDIR%\userinit.exe"
   New value:
   • "Shell"="Explorer.exe "%SYSDIR%\IExplorer.exe""
   • "Userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\IExplorer.exe"

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   Old value:
   • "NoFolderOptions"=%user settings%
   New value:
   • "NoFolderOptions"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
   Old value:
   • "Auto"="1"
   • "Debugger"="drwtsn32 -p %ld -e %ld -g"
   New value:
   • "Auto"="1"
   • "Debugger"="%SYSDIR%\Shell.exe"

Disabling Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   Old value:
   • "DisableCMD"=%user settings%
   • "DisableTaskMgr"=%user settings%
   • "DisableRegistryTools"=%user settings%
   New value:
   • "DisableCMD"=dword:00000001
   • "DisableTaskMgr"=dword:00000001
   • "DisableRegistryTools"=dword:00000001

– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   Old value:
   • "DisableConfig"=%user settings%
   • "DisableSR"=%user settings%
   New value:
   • "DisableConfig"=dword:00000001
   • "DisableSR"=dword:00000001

– [HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer]
   New value:
   • "LimitSystemRestoreCheckpointing"=dword:00000001
   • "DisableMSI"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
   New value:
   • "FullPath"=dword:00000001
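For a defender, the registry changes listed in this section are a checklist. The Python script below is an added example, not part of the Avira description, that parses text exported with "reg export" and reports every change from the list that it finds: hijacked shell\open\command handlers, the changed exefile type name, the SafeBoot AlternateShell, Winlogon Shell and Userinit additions, the replaced AeDebug debugger, the policy DWORDs set to 1, and Run entries pointing at Kr0n1C.exe or the Local Settings\Application Data\WINDOWS directory. It assumes the long hive names that reg export writes (HKEY_CLASSES_ROOT and so on), concrete paths in place of %SYSDIR% and %HOME%, and uses a constructed sample export rather than a real capture.

```python
"""Scan a Windows registry export (.reg text) for the Brontok.W.A changes listed
above. Added example, not the vendor's code; sample input is constructed."""
import re

# Hive names as "reg export" writes them; %SYSDIR% appears as a real path in an export.
HKCR = r"HKEY_CLASSES_ROOT"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AEDEBUG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")

# Values the worm overwrites, each with the stock default it should hold.
EXPECTED_DEFAULTS = {HKCR + "\\" + ext + r"\shell\open\command": ("@", '"%1" %*')
                     for ext in ("exefile", "comfile", "batfile", "piffile", "lnkfile")}
EXPECTED_DEFAULTS[HKCR + r"\exefile"] = ("@", "Application")
EXPECTED_DEFAULTS[SAFEBOOT] = ("AlternateShell", "cmd.exe")
EXPECTED_DEFAULTS[WINLOGON] = ("Shell", "Explorer.exe")
# Policy DWORDs the worm sets to 1 to lock the user out of recovery tools.
LOCKDOWN_FLAGS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        ("DisableCMD", "DisableTaskMgr", "DisableRegistryTools"),
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore":
        ("DisableConfig", "DisableSR"),
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        ("NoFolderOptions",),
}
VALUE_RE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')

def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}: REG_SZ values are
    unescaped to str, dword: values become int, other types stay as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif data.startswith("dword:"):
            data = int(data[len("dword:"):], 16)
        keys[current][name] = data
    return keys

def find_brontok_indicators(keys):
    """Return one finding string per indicator from the description that is present."""
    findings = []
    for key, (name, expected) in EXPECTED_DEFAULTS.items():
        data = keys.get(key, {}).get(name)
        if data is not None and str(data).lower() != expected.lower():
            findings.append(f"{key}\\{name} = {data!r} (expected {expected!r})")
    # Userinit normally names one program; a trailing comma alone is normal.
    parts = str(keys.get(WINLOGON, {}).get("Userinit", "")).split(",")
    extra = [p.strip() for p in parts[1:] if p.strip()]
    if extra:
        findings.append(f"{WINLOGON}\\Userinit also launches {extra}")
    debugger = keys.get(AEDEBUG, {}).get("Debugger")
    if debugger is not None and not str(debugger).lower().startswith("drwtsn32"):
        findings.append(f"{AEDEBUG}\\Debugger replaced with {debugger!r}")
    for key, names in LOCKDOWN_FLAGS.items():
        for name in names:
            if keys.get(key, {}).get(name) == 1:
                findings.append(f"{key}\\{name} = 1")
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            low = str(data).lower()
            if "kr0n1c.exe" in low or "\\local settings\\application data\\windows\\" in low:
                findings.append(f"{key}\\{name} -> {data!r}")
    return findings

# Constructed sample (not a real capture) mixing clean and modified entries.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile]
@="File Folder"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\shell.exe\" \"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\system32\\IExplorer.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\IExplorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Debugger"="C:\\WINDOWS\\system32\\Shell.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Kr0n1C"="C:\\WINDOWS\\Kr0n1C.exe"
'''

if __name__ == "__main__":
    for finding in find_brontok_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

On the constructed sample this reports eight findings and correctly passes the untouched comfile handler. A real export produced by reg export is UTF-16 encoded, so decode the file before handing its text to parse_reg_export; the default values checked are the ones the description gives as "Old value", so a system with a legitimately customised Userinit or AeDebug entry will also be reported and needs a manual look.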

Process termination
Processes whose window title is one of the following are terminated:
   • TASK; REG; ASM; DBG; W32; PROC; WALK; REST; AVS; OPTIONS; ANTI; VIRUS;
      RegEdit; Registry Editor; Folder Options; Local Settings


File details
Programming language used: Visual Basic.

Description inserted by Adriana Popa on Tuesday, 19 September 2006
Description updated by Adriana Popa on Friday, 22 September 2006
