Name: Worm/Brontok.N.1
Discovered on: 25/03/2006
Type: Worm
ITW: No
Reported infections: Low
Spreading potential: Medium
Damage potential: Medium
Static file: Yes
Size: 43.520 Bytes
MD5: 077fc28e71343d70bf08958b641be113
VDF version: 6.34.00.97 - Saturday 25 March 2006
IVDF version: 6.34.00.97 - Saturday 25 March 2006
General
Spreading method:
• Email
Aliases:
• Symantec: W32.Rontokbro.U@mm
• Kaspersky: Email-Worm.Win32.Brontok.n
• TrendMicro: WORM_RONTOKBR.AT
• Sophos: W32/Brontok-AE
• Bitdefender: Win32.Brontok.AF@mm
Operating systems:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Blocks access to certain websites
• Blocks access to security vendors' websites
• Terminates security applications
• Downloads files
• Uses its own email engine
• Lowers security settings
• Registry modifications
Immediately after execution, the following is displayed on screen:

Files
It copies itself to the following locations:
• %HOME%\Local Settings\Application Data\dv%random digits%x\yesbron.com
• %SYSDIR%\c_%random digits%k.com
• %SYSDIR%\n%random digits%\csrss.exe
• %SYSDIR%\n%random digits%\smss.exe
• %SYSDIR%\n%random digits%\winlogon.exe
• %SYSDIR%\n%random digits%\services.exe
• %SYSDIR%\n%random digits%\sv%random digits%.exe
• %SYSDIR%\n%random digits%\b%random digits%.exe
• %SYSDIR%\n%random digits%\ib%random digits%.exe
• %WINDIR%\j%random digits%.exe
• %WINDIR%\o%random digits%.exe
• %WINDIR%\_default%random digits%.pif
• %HOME%\Local Settings\Application Data\jalak-%random digits%-bali.com
It creates the following directories:
• %SYSDIR%\n%random digits%
• %SYSDIR%\n%random digits%\Spread.Mail.Bro
• %SYSDIR%\n%random digits%\Spread.Sent.Bro
• %HOME%\Local Settings\Application Data\dv%random digits%x
The following files are created:
– Files containing email addresses:
• %SYSDIR%\n%random digits%\Spread.Mail.Bro\%email addresses collected from the system%.ini
• %SYSDIR%\n%random digits%\Spread.Sent.Bro\%email addresses collected from the system%.ini
– Temporary files that can be deleted afterwards:
• %SYSDIR%\n%random digits%\domlist.txt
• %SYSDIR%\n%random digits%\getdomlist.txt
– %root of the Windows partition%\Baca Bro !!!.txt
This is a harmless text file with the following content:
• BRONTOK.C[22] Sedikit Jawaban u/ Membungkam Mulut Sesumbar 'MEREKA'. Nobron = Satria Dungu = Nothing !!! Romdil = Tukang Jiplak = Nothing !!! Nobron & Romdil -->> Kicked by The Amazing Brontok [ By JowoBot ]
– %SYSDIR%\n%random digits%\c.bron.tok.txt
This is a harmless text file with the following content:
• Brontok.C By:JowoBot
– %WINDIR%\tasks\at1.job
This file is a scheduled task that runs the malware at predefined times.
– %WINDIR%\tasks\at2.job
This file is a scheduled task that runs the malware at predefined times.
It tries to download some files:
– The address is the following:
• http://www.net4free.org/Arts/bddwyrk/**********
The file is stored on the hard disk at: %SYSDIR%\n%random digits%\sv%random digits%r.exeupi22xbm.ini
– The address is the following:
• http://debuging.com/WS1/cgi/**********
The file is stored on the hard disk at: %SYSDIR%\n%random digits%\svt%number%sj.tok

Registry
The following registry key is added in order to run the process after a system restart:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "A%random digits%r"="%WINDIR%\j%random digits%.exe"
The values of the following registry keys are deleted:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Adie Suka Kamu
• Adie Strio X
• SysYuni
• SysDiaz
• Sys_Romantic-Devil.R
• SysRia
• Pluto
• DllHost
• iExplorer
• lExplorer
• dkernel.exe
• dkernel
• Security
• local service
• SymRun
• OSA
• ccapp
• CCAPPS
• LoadServices
• LoadService
• MsPatch
• Bron-Spizaetus-
• Bron-Spizaetus-4713XPPM
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• Tok-Cirrhatus
• Tok-Cirrhatus-%random digits%adrc
• Tok-Cirrhatus-%random digits%
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
• NoFolderOptions
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
• Tok-Cirrhatus-%random digits%adrc
• brl
The following registry keys are added:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
• "y%random digits%adr"="%user settings%\Application Data\dv%random digits%x\yesbron.com"
– [HKCU\Software\Brontok]
• "Version"="Brontok.C[22]"
• "Developer"="JowoBot • VM Community"
• "Released"="09-03-06"
• "Message"=Look @ "C:\Baca Bro !!!.txt"
• "Dedicated 2"="Spizaetus Cirrhatus"
The following registry keys are modified:
Disabling Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Old value:
• "DisableRegistryTools"=%user settings%
New value:
• "DisableRegistryTools"=dword:00000001
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• "Hidden"=%user settings%
• "HideFileExt"=%user settings%
• "ShowSuperHidden"=%user settings%
New value:
• "Hidden"=dword:00000000
• "HideFileExt"=dword:00000001
• "ShowSuperHidden"=dword:00000000
– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
Old value:
• "AlternateShell"="cmd.exe"
New value:
• "AlternateShell"="c_%random digits%k.com"
– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Old value:
• "Shell"="Explorer.exe"
• "Userinit"="%SYSDIR%\userinit.exe"
New value:
• "Shell"=Explorer.exe "%WINDIR%\o%random digits%.exe"
• "Userinit"="%SYSDIR%\userinit.exe,%WINDIR%\j%random digits%.exe"

Email
It has an integrated SMTP engine. A direct connection to the recipient's mail server is made.
Its characteristics are:
From:
The sender of the email is one of the following:
• jennifer_sh@%recipient domain from the email address%
• angelina_ph@%recipient domain from the email address%
To:
– Email addresses found on the system.
– Generated addresses.
Subject:
One of the following:
• My Best Photo
• Fotoku yg Paling Cantik
Body:
The body of the email is one of the following texts:
• I want to share my photo with you. Wishing you all the best. Regards,
• Aku lg iseng aja pengen kirim foto ke kamu. Jangan lupain aku ya !. Thanks,
Attachment:
The file is not a copy of the worm itself but a different malware. Detection: TR/Dldr.Small.coc.1
The name of the attached file is the following:
• Picture.zip
The email looks like this:

Email
Address search:
It searches for email addresses in files with the following extensions:
• PPT; XLS; CFM; PHP; ASP; WAB; EML; CSV; HTML; HTM; DOC; TXT
Avoided addresses:
It does not send emails to addresses containing one of the following strings:
• BILLING@; INFO@; CONTOH; EXAMPLE; SMTP; XXX; TEST; NETWORK; SOURCE; PROGRAM; WWW; ASDF; SOME; YOUR; BLAH; SPAM; SOFT; PANDA; NORMAN; NORTON; ASSOCIATE; SYMANTEC; SECURITY; CILLIN; GRISOFT; AVG; LINUX; CRACK; HACK; VIRUS; MICROSOFT; MASTER; SUPPORT; SECURE; UPDATE; DEVELOP; VAKSIN; SATU; EMAILKU; BOLEH; GAUL; ASTAGA; .WEB.ID; .AC.ID; .OR.ID; .NET.ID; .SCH.ID; .MIL.ID; .GO.ID; .CO.ID; INDO; TELKOM; PLASA
MX server:
It can connect to one of the following MX servers (the recipient's domain prefixed with):
• ns1.
• mail.
• smtp.

Hosts file
The hosts file:
– In this case, the existing entries are deleted.
– Access to the following domains is blocked:
• mcafee.com; www.mcafee.com; mcafee.net; www.mcafee.net; mcafee.org; www.mcafee.org;
mcafeesecurity.com; www.mcafeesecurity.com; mcafeesecurity.net; www.mcafeesecurity.net; mcafeesecurity.org; www.mcafeesecurity.org;
mcafeeb2b.com; www.mcafeeb2b.com; mcafeeb2b.net; www.mcafeeb2b.net; mcafeeb2b.org; www.mcafeeb2b.org;
nai.com; www.nai.com; nai.net; www.nai.net; nai.org; www.nai.org;
vil.nai.com; www.vil.nai.com; vil.nai.net; www.vil.nai.net; vil.nai.org; www.vil.nai.org;
grisoft.com; www.grisoft.com; grisoft.net; www.grisoft.net; grisoft.org; www.grisoft.org;
kaspersky-labs.com; www.kaspersky-labs.com; kaspersky-labs.net; www.kaspersky-labs.net; kaspersky-labs.org; www.kaspersky-labs.org;
kaspersky.com; www.kaspersky.com; kaspersky.net; www.kaspersky.net; kaspersky.org; www.kaspersky.org;
downloads1.kaspersky-labs.com; www.downloads1.kaspersky-labs.com; downloads1.kaspersky-labs.net; www.downloads1.kaspersky-labs.net; downloads1.kaspersky-labs.org; www.downloads1.kaspersky-labs.org;
downloads2.kaspersky-labs.com; www.downloads2.kaspersky-labs.com; downloads2.kaspersky-labs.net; www.downloads2.kaspersky-labs.net; downloads2.kaspersky-labs.org; www.downloads2.kaspersky-labs.org;
downloads3.kaspersky-labs.com; www.downloads3.kaspersky-labs.com; downloads3.kaspersky-labs.net; www.downloads3.kaspersky-labs.net; downloads3.kaspersky-labs.org; www.downloads3.kaspersky-labs.org;
downloads4.kaspersky-labs.com; www.downloads4.kaspersky-labs.com; downloads4.kaspersky-labs.net; www.downloads4.kaspersky-labs.net; downloads4.kaspersky-labs.org; www.downloads4.kaspersky-labs.org;
download.mcafee.com; www.download.mcafee.com; download.mcafee.net; www.download.mcafee.net; download.mcafee.org; www.download.mcafee.org;
norton.com; www.norton.com; norton.net; www.norton.net; norton.org; www.norton.org;
symantec.com; www.symantec.com; symantec.net; www.symantec.net; symantec.org; www.symantec.org;
liveupdate.symantecliveupdate.com; www.liveupdate.symantecliveupdate.com; liveupdate.symantecliveupdate.net; www.liveupdate.symantecliveupdate.net; liveupdate.symantecliveupdate.org; www.liveupdate.symantecliveupdate.org;
liveupdate.symantec.com; www.liveupdate.symantec.com; liveupdate.symantec.net; www.liveupdate.symantec.net; liveupdate.symantec.org; www.liveupdate.symantec.org;
update.symantec.com; www.update.symantec.com; update.symantec.net; www.update.symantec.net; update.symantec.org; www.update.symantec.org;
securityresponse.symantec.com; www.securityresponse.symantec.com; securityresponse.symantec.net; www.securityresponse.symantec.net; securityresponse.symantec.org; www.securityresponse.symantec.org;
sarc.com; www.sarc.com; sarc.net; www.sarc.net; sarc.org; www.sarc.org;
vaksin.com; www.vaksin.com; vaksin.net; www.vaksin.net; vaksin.org; www.vaksin.org;
forum.vaksin.com; www.forum.vaksin.com; forum.vaksin.net; www.forum.vaksin.net; forum.vaksin.org; www.forum.vaksin.org;
norman.com; www.norman.com; norman.net; www.norman.net; norman.org; www.norman.org;
trendmicro.com; www.trendmicro.com; trendmicro.net; www.trendmicro.net; trendmicro.org; www.trendmicro.org;
trendmicro-europe.com; www.trendmicro-europe.com; trendmicro-europe.net; www.trendmicro-europe.net; trendmicro-europe.org; www.trendmicro-europe.org;
ae.trendmicro-europe.com; www.ae.trendmicro-europe.com; ae.trendmicro-europe.net; www.ae.trendmicro-europe.net; ae.trendmicro-europe.org; www.ae.trendmicro-europe.org;
it.trendmicro-europe.com; www.it.trendmicro-europe.com; it.trendmicro-europe.net; www.it.trendmicro-europe.net; it.trendmicro-europe.org; www.it.trendmicro-europe.org;
secunia.com; www.secunia.com; secunia.net; www.secunia.net; secunia.org; www.secunia.org;
winantivirus.com; www.winantivirus.com; winantivirus.net; www.winantivirus.net; winantivirus.org; www.winantivirus.org;
pandasoftware.com; www.pandasoftware.com; pandasoftware.net; www.pandasoftware.net; pandasoftware.org; www.pandasoftware.org;
esafe.com; www.esafe.com; esafe.net; www.esafe.net; esafe.org; www.esafe.org;
f-secure.com; www.f-secure.com; f-secure.net; www.f-secure.net; f-secure.org; www.f-secure.org;
europe.f-secure.com; www.europe.f-secure.com; europe.f-secure.net; www.europe.f-secure.net; europe.f-secure.org; www.europe.f-secure.org;
bhs.com; www.bhs.com; bhs.net; www.bhs.net; bhs.org; www.bhs.org;
datafellows.com; www.datafellows.com; datafellows.net; www.datafellows.net; datafellows.org; www.datafellows.org;
cheyenne.com; www.cheyenne.com; cheyenne.net; www.cheyenne.net; cheyenne.org; www.cheyenne.org;
ontrack.com; www.ontrack.com; ontrack.net; www.ontrack.net; ontrack.org; www.ontrack.org;
sands.com; www.sands.com; sands.net; www.sands.net; sands.org; www.sands.org;
sophos.com; www.sophos.com; sophos.net; www.sophos.net; sophos.org; www.sophos.org;
icubed.com; www.icubed.com; icubed.net; www.icubed.net; icubed.org; www.icubed.org;
perantivirus.com; www.perantivirus.com; perantivirus.net; www.perantivirus.net; perantivirus.org; www.perantivirus.org;
castlecops.com; www.castlecops.com; castlecops.net; www.castlecops.net; castlecops.org; www.castlecops.org;
virustotal.com; www.virustotal.com; virustotal.net; www.virustotal.net; virustotal.org; www.virustotal.org;
free-av.com; www.free-av.com; free-av.net; www.free-av.net; free-av.org; www.free-av.org;
antivirus.com; www.antivirus.com; antivirus.net; www.antivirus.net; antivirus.org; www.antivirus.org;
anti-virus.com; www.anti-virus.com; anti-virus.net; www.anti-virus.net; anti-virus.org; www.anti-virus.org;
ca.com; www.ca.com; ca.net; www.ca.net; ca.org; www.ca.org;
fajarweb.com; www.fajarweb.com; fajarweb.net; www.fajarweb.net; fajarweb.org; www.fajarweb.org;
jasakom.com; www.jasakom.com; jasakom.net; www.jasakom.net; jasakom.org; www.jasakom.org;
backup.grisoft.com; www.backup.grisoft.com; backup.grisoft.net; www.backup.grisoft.net; backup.grisoft.org; www.backup.grisoft.org;
infokomputer.com; www.infokomputer.com; infokomputer.net; www.infokomputer.net; infokomputer.org; www.infokomputer.org;
playboy.com; www.playboy.com; playboy.net; www.playboy.net; playboy.org; www.playboy.org;
sex-mission.com; www.sex-mission.com; sex-mission.net; www.sex-mission.net; sex-mission.org; www.sex-mission.org;
pornstargals.com; www.pornstargals.com; pornstargals.net; www.pornstargals.net; pornstargals.org; www.pornstargals.org;
kaskus.com; www.kaskus.com; kaskus.net; www.kaskus.net; kaskus.org; www.kaskus.org;
17tahun.com; www.17tahun.com; 17tahun.net; www.17tahun.net; 17tahun.org; www.17tahun.org;
padinet.com; www.padinet.com; padinet.net; www.padinet.net; padinet.org; www.padinet.org;
jeruk.padinet.com; www.jeruk.padinet.com; jeruk.padinet.net; www.jeruk.padinet.net; jeruk.padinet.org; www.jeruk.padinet.org;
compactbyte.com; www.compactbyte.com; compactbyte.net; www.compactbyte.net; compactbyte.org; www.compactbyte.org;
blog.compactbyte.com; www.blog.compactbyte.com; blog.compactbyte.net; www.blog.compactbyte.net; blog.compactbyte.org; www.blog.compactbyte.org;
blogs.compactbyte.com; www.blogs.compactbyte.com; blogs.compactbyte.net; www.blogs.compactbyte.net; blogs.compactbyte.org; www.blogs.compactbyte.org
The modified hosts file will look like this:

Process termination
Processes whose name contains one of the following strings are terminated:
• ahnlab; peid; nod32; hijack; sysinter; aladdin; panda; trend; cillin; mcaf; avast; bitdef; machine; movzx; kill; washer; remove; wscript; diary; untukmu; kangen; sstray; Alicia; Mariana; Dian; foto; zlh; Anti; mspatch; siti; virus; services.com; ctfmon; nopdb; opscan; vptray; update; lexplorer; iexplorer; nipsvc; njeeves; cclaw; nvcoas; aswupdsv; ashmaisv; systray; riyani; xpshare; syslove; tskmgr; ccapps; ash; avg; poproxy; mcv
Processes whose window title contains one of the following strings are closed:
• peid; task view; telanjang; bugil; cewe; naked; porn; sex; alwil; wintask; folder option; b.e; worm; trojan; avira; windows script; commander; pc-media; killer; ertanto; anti; CLEANER; REMOVER; PROCESS EXP; SYSINTERNAL; killbox; scheduled task; computer management; cmd.exe; group policy; system configuration; command prompt; registry; baca bro !!!; task manager; google.com; up22ngk

File details
Programming language:
The programming language used is C (compiled with Microsoft Visual C++).
File compression:
To hinder detection and reduce the file size, a runtime packer is used.
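The registry and hosts-file changes listed above are the durable traces an incident responder would look for on a suspect machine: the Winlogon Shell and Userinit values with an extra executable appended, the SafeBoot AlternateShell replaced, DisableRegistryTools set by policy, entries under Policies\Explorer\run, and security-vendor hostnames pinned in the hosts file. The script below is an added example and not part of the Avira description; it checks a registry snapshot and hosts-file text against those indicators. The snapshot dictionary, the hosts text and the digits 1234 (standing in for the worm's random digits) are constructed sample data; on a live system the snapshot would be filled from winreg and the text read from %SYSDIR%\drivers\etc\hosts.

```python
# Added example: offline triage of the registry values and hosts-file entries that
# the description above lists. All sample data is constructed; on a real host the
# snapshot would come from winreg and the hosts text from %SYSDIR%\drivers\etc\hosts.
from typing import Dict, List, Tuple

# Subset of the vendor hostnames the worm redirects (taken from the blocked-domain list).
WATCHED_HOSTS = {
    "www.mcafee.com", "www.kaspersky.com", "www.symantec.com",
    "liveupdate.symantecliveupdate.com", "www.sophos.com",
    "www.trendmicro.com", "www.f-secure.com", "www.virustotal.com",
}

WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAFEBOOT = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
POLICY_SYSTEM = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run"


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text; comments and blank lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()  # one IP may be followed by several hostnames
        pairs.extend((ip, n.lower()) for n in names)
    return pairs


def hosts_findings(text: str) -> List[str]:
    """Any mapping of a watched vendor hostname is a finding, whatever IP it points to."""
    return [f"hosts redirects {name} -> {ip}"
            for ip, name in parse_hosts(text) if name in WATCHED_HOSTS]


def registry_findings(snapshot: Dict[str, Dict[str, object]]) -> List[str]:
    """Compare a {key: {value_name: data}} snapshot against the clean defaults listed above."""
    out = []
    wl = snapshot.get(WINLOGON, {})
    shell = str(wl.get("Shell", "Explorer.exe"))
    if shell.strip().lower() != "explorer.exe":
        out.append(f"Winlogon Shell is not Explorer.exe alone: {shell!r}")
    # Userinit's clean value is a single path with a trailing comma, so split and drop empties.
    userinit = [p.strip() for p in str(wl.get("Userinit", "")).split(",") if p.strip()]
    if len(userinit) > 1 or (userinit and not userinit[0].lower().endswith("userinit.exe")):
        out.append(f"Winlogon Userinit has extra entries: {userinit!r}")
    alt = str(snapshot.get(SAFEBOOT, {}).get("AlternateShell", "cmd.exe"))
    if alt.lower() != "cmd.exe":
        out.append(f"SafeBoot AlternateShell replaced: {alt!r}")
    if snapshot.get(POLICY_SYSTEM, {}).get("DisableRegistryTools", 0) == 1:
        out.append("DisableRegistryTools policy set (Regedit blocked)")
    for name, data in snapshot.get(POLICY_RUN, {}).items():
        out.append(f"policy Run entry {name!r} -> {data!r}")
    return out


def triage(snapshot: Dict[str, Dict[str, object]], hosts_text: str) -> List[str]:
    """All findings for one host, registry first, then hosts file."""
    return registry_findings(snapshot) + hosts_findings(hosts_text)


# Constructed sample mirroring the description, with 1234 in place of the random digits.
SAMPLE_SNAPSHOT = {
    WINLOGON: {"Shell": r'Explorer.exe "C:\WINDOWS\o1234.exe"',
               "Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\j1234.exe"},
    SAFEBOOT: {"AlternateShell": "c_1234k.com"},
    POLICY_SYSTEM: {"DisableRegistryTools": 1},
    POLICY_RUN: {"y1234adr": r"C:\Documents and Settings\user\Application Data\dv1234x\yesbron.com"},
}
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1       localhost
127.0.0.1   www.symantec.com   www.kaspersky.com
127.0.0.1   intranet.example   # internal name, not a vendor host
"""
CLEAN_SNAPSHOT = {
    WINLOGON: {"Shell": "Explorer.exe", "Userinit": r"C:\WINDOWS\system32\userinit.exe,"},
    SAFEBOOT: {"AlternateShell": "cmd.exe"},
    POLICY_SYSTEM: {},
    POLICY_RUN: {},
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_SNAPSHOT, SAMPLE_HOSTS):
        print(finding)
```

The hosts check flags a vendor hostname regardless of the address it maps to, since a legitimate hosts file has no reason to pin those names at all; the Winlogon checks treat any second element in Shell or Userinit as suspicious because both values default to a single executable.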
Description inserted by Adriana Popa on Tuesday 25 July 2006. Description updated by Andrei Gherman on Wednesday 26 July 2006.