Need help? Ask the community or hire an expert.
Go to Avira Answers
病毒:Worm/Brontok.Q.4
发现日期:13/12/2012
类型:蠕虫
广泛传播:
病毒传播个案呈报:低程度至中程度
感染/传播能力:低程度至中程度
破坏 / 损害程度:低程度至中程度
静态文件:
文件大小:43.403 字节
MD5 校检和:58256b28851a289ae3be0d78208be33d
VDF 版本:7.11.53.216 - donderdag 13 december 2012
IVDF 版本:7.11.53.216 - donderdag 13 december 2012

 况概描述 传播方法:
   • 电子邮件


别名:
   •  Mcafee: W32/Rontokbro.gen@MM
   •  Kaspersky: Email-Worm.Win32.Brontok.q
   •  Bitdefender: Win32.Generic.5381
   •  Panda: W32/Brontok.L.worm
   •  GData: Win32.Generic.5381


平台/操作系统:
   • Windows 2000
   • Windows XP
   • Windows 2003


副作用:
   • 植入恶意文件
   • 降低系统安全设置
   • 注册表修改

 文件 它将本身复制到以下位置:
   • %HOME%\Local Settings\Application Data\winlogon.exe
   • %HOME%\Local Settings\Application Data\smss.exe
   • %HOME%\Local Settings\Application Data\lsass.exe
   • %WINDIR%\KesenjanganSosial.exe
   • %SYSDIR%\drivers\etc\hosts-Denied By-%当前用户名%.com
   • %SYSDIR%\cmd-brontok.exe
   • %HOME%\Local Settings\Application Data\csrss.exe
   • %HOME%\Start Menu\Programs\Startup\Empty.pif
   • %HOME%\Local Settings\Application Data\services.exe
   • %HOME%\Local Settings\Application Data\inetinfo.exe
   • %HOME%\Templates\Brengkolang.com
   • %WINDIR%\ShellNew\RakyatKelaparan.exe
   • %SYSDIR%\%当前用户名%'s Setting.scr



它会覆盖一个文件。
– C:\autoexec.bat



它会删除其本身最初执行的副本。



创建以下文件:

– %HOME%\Local Settings\Application Data\ListHost15.txt
– %HOME%\Local Settings\Application Data\Update.15.Bron.Tok.bin



它会尝试执行以下文件:

– 文件名:
   • explorer.exe


– 文件名:
   • %HOME%\Local Settings\Application Data\smss.exe


– 文件名:
   • %HOME%\Local Settings\Application Data\winlogon.exe


– 文件名:
   • at /delete /y


– 文件名:
   • at 17:08 /every:M,T,W,Th,F,S,Su "%HOME%\Templates\Brengkolang.com"


– 文件名:
   • %HOME%\Local Settings\Application Data\services.exe


– 文件名:
   • %HOME%\Local Settings\Application Data\lsass.exe


– 文件名:
   • %HOME%\Local Settings\Application Data\inetinfo.exe

 注册表 会添加以下注册表项,以便在系统重新引导后运行进程:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Tok-Cirrhatus"=""
   • "Tok-Cirrhatus-3444"=""%HOME%\Local Settings\Application Data\smss.exe""

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Bron-Spizaetus"=""%WINDIR%\ShellNew\RakyatKelaparan.exe""



会添加以下注册表项目注册值:

– [HKCU\software\microsoft\windows\currentversion\Policies\System]
   • "DisableCMD"=dword:0x00000000
   • "DisableRegistryTools"=dword:0x00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   • "NoFolderOptions"=dword:0x00000001



会更改以下注册表项:

– [HKCU\Software\Microsoft\Internet Explorer\Toolbar]
   新值:
   • "Locked"=dword:0x00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   新值:
   • "Hidden"=dword:0x00000000
   • "HideFileExt"=dword:0x00000001
   • "ShowSuperHidden"=dword:0x00000000

– [HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
   新值:
   • "{01E04581-4EEE-11D0-BFE9-00AA005B4383}"=hex:81,45,E0,01,EE,4E,D0,11,BF,E9,00,AA,00,5B,43,83,10,00,00,00,00,00,00,00,01,E0,32,F4,01,00,00,00

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   新值:
   • "Shell"="Explorer.exe "%WINDIR%\KesenjanganSosial.exe""

– [HKCU\Software\Microsoft\Internet Explorer\Toolbar\Explorer]
   新值:
   • "ITBarLayout"=hex:11,00,00,00,4C,00,00,00,00,00,00,00,34,00,00,00,1B,00,00,00,4E,00,00,00,01,00,00,00,20,07,00,00,A0,0F,00,00,05,00,00,00,62,05,00,00,26,00,00,00,02,00,00,00,21,07,00,00,A0,0F,00,00,04,00,00,00,21,01,00,00,A0,0F,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
   新值:
   • "AlternateShell"="cmd-brontok.exe"

 电子邮件 它包含集成的 SMTP 引擎,用于发送电子邮件。 将与目标服务器建立直接连接。 下面说明了它的特征:


发件人:
发件地址是仿冒的。


收件人:
– 在系统上的特定文件中找到的电子邮件地址。
– 从 WAB (Windows 通讯簿) 搜集到的电子邮件地址


正文:
– 包含 HTML 代码。


附件:

该附件是恶意软件本身的副本。

 其他 访问 Internet 资源:
   • http://www.geocities.com/sblppt4/**********
   • http://www.geocities.com/sblppt4/**********

 文件详细信息 编程语言:
该恶意软件程序是用 Visual Basic 编写的。


运行时压缩程序:
为了提高检测难度以及减小文件,它已使用运行时压缩程序进行压缩。

Beschrijving ingevoegd door Petre Galan op maandag 18 april 2011
Beschrijving bijgewerkt door Petre Galan op maandag 18 april 2011

Terug . . . .
https:// Dit venster is voor uw veiligheid gecodeerd.