Virus: Worm/Brontok.N.1
Date discovered: 25/03/2006
Type: Worm
Included in the "In The Wild" list: No
Damage level: Low
Distribution level: Medium
Risk level: Medium
Static file: Yes
Size: 43,520 bytes
MD5 checksum: 077fc28e71343d70bf08958b641be113
VDF version: 6.34.00.97 - Saturday, 25 March 2006
IVDF version: 6.34.00.97 - Saturday, 25 March 2006

General
Method of propagation:
   • E-mail


Aliases:
   •  Symantec: W32.Rontokbro.U@mm
   •  Kaspersky: Email-Worm.Win32.Brontok.n
   •  TrendMicro: WORM_RONTOKBR.AT
   •  Sophos: W32/Brontok-AE
   •  Bitdefender: Win32.Brontok.AF@mm


Operating systems:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Disables security applications
   • Downloads files
   • Uses its own e-mail engine
   • Lowers security settings
   • Modifies the Windows registry


Right after execution, the following information is displayed:



Files
It copies itself to the following locations:
   • %HOME%\Local Settings\Application Data\dv%several random digits%x\yesbron.com
   • %SYSDIR%\c_%several random digits%k.com
   • %SYSDIR%\n%several random digits%\csrss.exe
   • %SYSDIR%\n%several random digits%\smss.exe
   • %SYSDIR%\n%several random digits%\winlogon.exe
   • %SYSDIR%\n%several random digits%\services.exe
   • %SYSDIR%\n%several random digits%\sv%several random digits%.exe
   • %SYSDIR%\n%several random digits%\b%several random digits%.exe
   • %SYSDIR%\n%several random digits%\ib%several random digits%.exe
   • %WINDIR%\j%several random digits%.exe
   • %WINDIR%\o%several random digits%.exe
   • %WINDIR%\_default%several random digits%.pif
   • %HOME%\Local Settings\Application Data\jalak-%several random digits%-bali.com



It creates the following directories:
   • %SYSDIR%\n%several random digits%
   • %SYSDIR%\n%several random digits%\Spread.Mail.Bro
   • %SYSDIR%\n%several random digits%\Spread.Sent.Bro
   • %HOME%\Local Settings\Application Data\dv%several random digits%x



The following files are created:

– Files containing a collection of harvested e-mail addresses:
   • %SYSDIR%\n%several random digits%\Spread.Mail.Bro\%harvested e-mail address%.ini
   • %SYSDIR%\n%several random digits%\Spread.Sent.Bro\%harvested e-mail address%.ini

– Temporary files that may be deleted later:
   • %SYSDIR%\n%several random digits%\domlist.txt
   • %SYSDIR%\n%several random digits%\getdomlist.txt

%root of the system drive%\Baca Bro !!!.txt is a non-malicious text file with the following content:
   • BRONTOK.C[22]
     Sedikit Jawaban u/ Membungkam Mulut Sesumbar 'MEREKA'.
     Nobron = Satria Dungu = Nothing !!!
     Romdil = Tukang Jiplak = Nothing !!!
     Nobron & Romdil -->> Kicked by The Amazing Brontok
     [ By JowoBot ]

%SYSDIR%\n%several random digits%\c.bron.tok.txt is a non-malicious text file with the following content:
   • Brontok.C
     By:JowoBot

%WINDIR%\tasks\at1.job is a scheduled task that runs the malware at predefined times.
%WINDIR%\tasks\at2.job is a scheduled task that runs the malware at predefined times.
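The drop list above is easiest to act on as a set of path patterns. The following is an added example, not code from Avira or from the worm description: it compiles those patterns and runs them over a constructed directory listing, distinguishing a genuine %SYSDIR%\csrss.exe from a copy planted in an n%digits% subdirectory. It assumes C:\WINDOWS for %WINDIR% and C:\WINDOWS\system32 for %SYSDIR%; the digits 7741 are a placeholder for the random digits.

```python
import re
from typing import List, Optional, Tuple


def build_rules(windir: str = r'C:\WINDOWS'):
    """Compile the path patterns from the drop list; windir stands in for %WINDIR%
    and windir plus system32 for %SYSDIR% (assumption for this example)."""
    w = re.escape(windir)
    s = re.escape(windir + r'\system32')
    return [
        ('system-process name inside an n<digits> subdirectory',
         re.compile('^' + s + r'\\n\d+\\(csrss|smss|winlogon|services)\.exe$', re.I)),
        ('random-named executable inside an n<digits> subdirectory',
         re.compile('^' + s + r'\\n\d+\\(sv|b|ib)\d+\.exe$', re.I)),
        ('harvested e-mail address store',
         re.compile('^' + s + r'\\n\d+\\Spread\.(Mail|Sent)\.Bro\\[^\\]+\.ini$', re.I)),
        ('SafeBoot AlternateShell replacement',
         re.compile('^' + s + r'\\c_\d+k\.com$', re.I)),
        ('dropper in the Windows directory',
         re.compile('^' + w + r'\\(j\d+\.exe|o\d+\.exe|_default\d+\.pif)$', re.I)),
        ('copy in the user profile',
         re.compile(r'\\Local Settings\\Application Data\\'
                    r'(dv\d+x\\yesbron\.com|jalak-\d+-bali\.com)$', re.I)),
    ]


def classify_path(path: str, rules) -> Optional[str]:
    """Return the label of the first matching rule, or None for a path that matches nothing."""
    for label, rx in rules:
        if rx.search(path):
            return label
    return None


def scan_listing(paths: List[str], windir: str = r'C:\WINDOWS') -> List[Tuple[str, str]]:
    """Return (path, label) for every path in the listing that matches a drop pattern."""
    rules = build_rules(windir)
    hits = []
    for p in paths:
        label = classify_path(p, rules)
        if label:
            hits.append((p, label))
    return hits


# Constructed directory listing (not taken from a real infected machine).
SAMPLE_LISTING = [
    r'C:\WINDOWS\system32\csrss.exe',                 # the real one: must not be flagged
    r'C:\WINDOWS\system32\n7741\csrss.exe',
    r'C:\WINDOWS\system32\n7741\sv7741.exe',
    r'C:\WINDOWS\system32\n7741\Spread.Mail.Bro\alice@example.test.ini',
    r'C:\WINDOWS\system32\c_7741k.com',
    r'C:\WINDOWS\j7741.exe',
    r'C:\WINDOWS\_default7741.pif',
    r'C:\Documents and Settings\User\Local Settings\Application Data\dv7741x\yesbron.com',
    r'C:\Program Files\GoodApp\app.exe',               # unrelated software: must not be flagged
]

if __name__ == '__main__':
    for path, label in scan_listing(SAMPLE_LISTING):
        print(f'{label:55s} {path}')
```

The patterns are anchored on the full path on purpose: the names csrss.exe, smss.exe, winlogon.exe and services.exe are legitimate in %SYSDIR% itself, and only their presence one level down in an n%digits% directory is an indicator.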



It tries to download some files:

From the following location:
   • http://www.net4free.org/Arts/bddwyrk/**********
It is stored on the hard disk as: %SYSDIR%\n%several random digits%\sv%several random digits%r.exeupi22xbm.ini

From the following location:
   • http://debuging.com/WS1/cgi/**********
It is stored on the hard disk as: %SYSDIR%\n%several random digits%\svt%number% sj.tok

Registry
The following value is added to the Windows registry so that the process is run again after the computer is restarted:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "A%several random digits%r"="%WINDIR%\j%several random digits%.exe"



The values of the following Windows registry keys are deleted:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • Adie Suka Kamu
   • Adie Strio X
   • SysYuni
   • SysDiaz
   • Sys_Romantic-Devil.R
   • SysRia
   • Pluto
   • DllHost
   • iExplorer
   • lExplorer
   • dkernel.exe
   • dkernel
   • Security
   • local service
   • SymRun
   • OSA
   • ccapp
   • CCAPPS
   • LoadServices
   • LoadService
   • MsPatch
   • Bron-Spizaetus-
   • Bron-Spizaetus-4713XPPM

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • Tok-Cirrhatus
   • Tok-Cirrhatus-%several random digits%adrc
   • Tok-Cirrhatus-%several random digits%

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   • NoFolderOptions

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
   • Tok-Cirrhatus-%several random digits%adrc
   • brl



The following registry keys are added:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
   • "y%several random digits%adr"="%user settings%\Application Data\dv%several random digits%x\yesbron.com"

[HKCU\Software\Brontok]
   • "Version"="Brontok.C[22]"
   • "Developer"="JowoBot VM Community"
   • "Released"="09-03-06"
   • "Message"=Look @ "C:\Baca Bro !!!.txt"
   • "Dedicated 2"="Spizaetus Cirrhatus"



The following Windows registry keys are modified:

Internet Explorer home page:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   Old value:
   • "DisableRegistryTools"=%user settings%
   New value:
   • "DisableRegistryTools"=dword:00000001

Disables Regedit and Task Manager:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "Hidden"=%user settings%
   • "HideFileExt"=%user settings%
   • "ShowSuperHidden"=%user settings%
   New value:
   • "Hidden"=dword:00000000
   • "HideFileExt"=dword:00000001
   • "ShowSuperHidden"=dword:00000000

[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
   Old value:
   • "AlternateShell"="cmd.exe"
   New value:
   • "AlternateShell"="c_%several random digits%k.com"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   • "Userinit"="%SYSDIR%\userinit.exe"
   New value:
   • "Shell"=Explorer.exe "%WINDIR%\o%several random digits%.exe"
   • "Userinit"="%SYSDIR%\userinit.exe,%WINDIR%\j%several random digits%.exe"
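The Winlogon, SafeBoot and Run changes above are the ones worth checking first on a suspect machine, because they survive a reboot and one of them (AlternateShell) even survives Safe Mode. The following is an added example, not code from Avira: it parses a .reg-style export (a constructed sample, not from a real host, with 1234 as placeholder digits and C:\WINDOWS for %WINDIR%) and reports a Shell value that is no longer plain Explorer.exe, extra programs chained into Userinit, a replaced AlternateShell, and Run values matching the A%digits%r / j%digits%.exe pattern.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export fragment showing the modified values described above.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\o1234.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\j1234.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="c_1234k.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"A1234r"="C:\\WINDOWS\\j1234.exe"
"GoodApp"="C:\\Program Files\\GoodApp\\app.exe"
'''

# The same keys as they look on a clean machine (also constructed).
CLEAN_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoodApp"="C:\\Program Files\\GoodApp\\app.exe"
'''

_QUOTED = r'"((?:[^"\\]|\\.)*)"'          # a .reg string: backslash escapes the next char
_VALUE_LINE = re.compile('^' + _QUOTED + '=' + _QUOTED + '$')

WINLOGON_SUFFIX = r'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
SAFEBOOT_SUFFIX = r'SYSTEM\CurrentControlSet\Control\SafeBoot'
RUN_SUFFIX = r'Software\Microsoft\Windows\CurrentVersion\Run'


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the character after it."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax used here: [key] headers and "name"="string" lines."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def _keys_ending_with(keys, suffix):
    return [(k, v) for k, v in keys.items() if k.lower().endswith(suffix.lower())]


def check_persistence(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (finding, key, evidence) triples for the persistence changes described above."""
    findings = []
    for key, vals in _keys_ending_with(keys, WINLOGON_SUFFIX):
        shell = vals.get('Shell', 'Explorer.exe')
        if shell.strip().lower() != 'explorer.exe':
            findings.append(('Winlogon Shell is no longer plain Explorer.exe', key, shell))
        parts = [p.strip() for p in vals.get('Userinit', '').split(',') if p.strip()]
        extra = [p for p in parts if not p.lower().endswith('\\userinit.exe')]
        if extra:
            findings.append(('extra program chained into Winlogon Userinit', key, ';'.join(extra)))
    for key, vals in _keys_ending_with(keys, SAFEBOOT_SUFFIX):
        alt = vals.get('AlternateShell', 'cmd.exe')
        if alt.strip().lower() != 'cmd.exe':
            findings.append(('SafeBoot AlternateShell replaced', key, alt))
    for key, vals in _keys_ending_with(keys, RUN_SUFFIX):
        for name, value in vals.items():
            if re.fullmatch(r'A\d+r', name) and re.search(r'\\j\d+\.exe$', value, re.I):
                findings.append(('Run value matches the A<digits>r / j<digits>.exe pattern',
                                 key, f'{name}={value}'))
    return findings


if __name__ == '__main__':
    for finding in check_persistence(parse_reg_export(SAMPLE_REG)):
        print(*finding, sep=' | ')
```

The Userinit check deliberately compares only the file name: a clean XP value is "%SYSDIR%\userinit.exe," with a trailing comma, so splitting on commas and discarding empty items keeps the clean case quiet while still catching anything appended after it.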

E-mail
It has an integrated SMTP engine for sending e-mails. A direct connection to the destination server is established. The e-mails have the following characteristics:


From:
The sender of the e-mail is one of the following:
   • jennifer_sh@%domain name of the recipient's e-mail address%
   • angelina_ph@%domain name of the recipient's e-mail address%


To:
– E-mail addresses found in certain files on the system.
– Generated addresses


Subject:
One of the following:
   • My Best Photo
   • Fotoku yg Paling Cantik



Body:
The body of the e-mail is one of the following:

   • I want to share my photo with you.
     Wishing you all the best.
     Regards,

   • Aku lg iseng aja pengen kirim foto ke kamu.
     Jangan lupain aku ya !.
     Thanks,


Attachment:
The content of the file is not a copy of the worm itself but another piece of malware. A description can be found here: TR/Dldr.Small.coc.1

The attached file has the following name:
   • Picture.zip



The e-mail may look like the following:


Mailing
Address search:
It searches for e-mail addresses in files with the following extensions:
   • PPT; XLS; CFM; PHP; ASP; WAB; EML; CSV; HTML; HTM; DOC; TXT


Avoided addresses:
It does not send e-mails to addresses containing one of the following strings:
   • BILLING@; INFO@; CONTOH; EXAMPLE; SMTP; XXX; TEST; NETWORK; SOURCE;
      PROGRAM; WWW; ASDF; SOME; YOUR; BLAH; SPAM; SOFT; PANDA; NORMAN;
      NORTON; ASSOCIATE; SYMANTEC; SECURITY; CILLIN; GRISOFT; AVG; LINUX;
      CRACK; HACK; VIRUS; MICROSOFT; MASTER; SUPPORT; SECURE; UPDATE;
      DEVELOP; VAKSIN; SATU; EMAILKU; BOLEH; GAUL; ASTAGA; .WEB.ID; .AC.ID;
      .OR.ID; .NET.ID; .SCH.ID; .MIL.ID; .GO.ID; .CO.ID; INDO; TELKOM; PLASA
      


MX server:
It is able to contact MX servers whose names start with one of the following prefixes:
   • ns1.
   • mail.
   • smtp.

Hosts
The hosts file is modified as follows:

In this case, existing values are overwritten.

Access to the following domains is blocked:
   • mcafee.com; www.mcafee.com; mcafee.net; www.mcafee.net; mcafee.org;
      www.mcafee.org; mcafeesecurity.com; www.mcafeesecurity.com;
      mcafeesecurity.net; www.mcafeesecurity.net; mcafeesecurity.org;
      www.mcafeesecurity.org; mcafeeb2b.com; www.mcafeeb2b.com;
      mcafeeb2b.net; www.mcafeeb2b.net; mcafeeb2b.org; www.mcafeeb2b.org;
      nai.com; www.nai.com; nai.net; www.nai.net; nai.org; www.nai.org;
      vil.nai.com; www.vil.nai.com; vil.nai.net; www.vil.nai.net;
      vil.nai.org; www.vil.nai.org; grisoft.com; www.grisoft.com;
      grisoft.net; www.grisoft.net; grisoft.org; www.grisoft.org;
      kaspersky-labs.com; www.kaspersky-labs.com; kaspersky-labs.net;
      www.kaspersky-labs.net; kaspersky-labs.org; www.kaspersky-labs.org;
      kaspersky.com; www.kaspersky.com; kaspersky.net; www.kaspersky.net;
      kaspersky.org; www.kaspersky.org; downloads1.kaspersky-labs.com;
      www.downloads1.kaspersky-labs.com; downloads1.kaspersky-labs.net;
      www.downloads1.kaspersky-labs.net; downloads1.kaspersky-labs.org;
      www.downloads1.kaspersky-labs.org; downloads2.kaspersky-labs.com;
      www.downloads2.kaspersky-labs.com; downloads2.kaspersky-labs.net;
      www.downloads2.kaspersky-labs.net; downloads2.kaspersky-labs.org;
      www.downloads2.kaspersky-labs.org; downloads3.kaspersky-labs.com;
      www.downloads3.kaspersky-labs.com; downloads3.kaspersky-labs.net;
      www.downloads3.kaspersky-labs.net; downloads3.kaspersky-labs.org;
      www.downloads3.kaspersky-labs.org; downloads4.kaspersky-labs.com;
      www.downloads4.kaspersky-labs.com; downloads4.kaspersky-labs.net;
      www.downloads4.kaspersky-labs.net; downloads4.kaspersky-labs.org;
      www.downloads4.kaspersky-labs.org; download.mcafee.com;
      www.download.mcafee.com; download.mcafee.net; www.download.mcafee.net;
      download.mcafee.org; www.download.mcafee.org; norton.com;
      www.norton.com; norton.net; www.norton.net; norton.org;
      www.norton.org; symantec.com; www.symantec.com; symantec.net;
      www.symantec.net; symantec.org; www.symantec.org;
      liveupdate.symantecliveupdate.com;
      www.liveupdate.symantecliveupdate.com;
      liveupdate.symantecliveupdate.net;
      www.liveupdate.symantecliveupdate.net;
      liveupdate.symantecliveupdate.org;
      www.liveupdate.symantecliveupdate.org; liveupdate.symantec.com;
      www.liveupdate.symantec.com; liveupdate.symantec.net;
      www.liveupdate.symantec.net; liveupdate.symantec.org;
      www.liveupdate.symantec.org; update.symantec.com;
      www.update.symantec.com; update.symantec.net; www.update.symantec.net;
      update.symantec.org; www.update.symantec.org;
      securityresponse.symantec.com; www.securityresponse.symantec.com;
      securityresponse.symantec.net; www.securityresponse.symantec.net;
      securityresponse.symantec.org; www.securityresponse.symantec.org;
      sarc.com; www.sarc.com; sarc.net; www.sarc.net; sarc.org;
      www.sarc.org; vaksin.com; www.vaksin.com; vaksin.net; www.vaksin.net;
      vaksin.org; www.vaksin.org; forum.vaksin.com; www.forum.vaksin.com;
      forum.vaksin.net; www.forum.vaksin.net; forum.vaksin.org;
      www.forum.vaksin.org; norman.com; www.norman.com; norman.net;
      www.norman.net; norman.org; www.norman.org; trendmicro.com;
      www.trendmicro.com; trendmicro.net; www.trendmicro.net;
      trendmicro.org; www.trendmicro.org; trendmicro-europe.com;
      www.trendmicro-europe.com; trendmicro-europe.net;
      www.trendmicro-europe.net; trendmicro-europe.org;
      www.trendmicro-europe.org; ae.trendmicro-europe.com;
      www.ae.trendmicro-europe.com; ae.trendmicro-europe.net;
      www.ae.trendmicro-europe.net; ae.trendmicro-europe.org;
      www.ae.trendmicro-europe.org; it.trendmicro-europe.com;
      www.it.trendmicro-europe.com; it.trendmicro-europe.net;
      www.it.trendmicro-europe.net; it.trendmicro-europe.org;
      www.it.trendmicro-europe.org; secunia.com; www.secunia.com;
      secunia.net; www.secunia.net; secunia.org; www.secunia.org;
      winantivirus.com; www.winantivirus.com; winantivirus.net;
      www.winantivirus.net; winantivirus.org; www.winantivirus.org;
      pandasoftware.com; www.pandasoftware.com; pandasoftware.net;
      www.pandasoftware.net; pandasoftware.org; www.pandasoftware.org;
      esafe.com; www.esafe.com; esafe.net; www.esafe.net; esafe.org;
      www.esafe.org; f-secure.com; www.f-secure.com; f-secure.net;
      www.f-secure.net; f-secure.org; www.f-secure.org; europe.f-secure.com;
      www.europe.f-secure.com; europe.f-secure.net; www.europe.f-secure.net;
      europe.f-secure.org; www.europe.f-secure.org; bhs.com; www.bhs.com;
      bhs.net; www.bhs.net; bhs.org; www.bhs.org; datafellows.com;
      www.datafellows.com; datafellows.net; www.datafellows.net;
      datafellows.org; www.datafellows.org; cheyenne.com; www.cheyenne.com;
      cheyenne.net; www.cheyenne.net; cheyenne.org; www.cheyenne.org;
      ontrack.com; www.ontrack.com; ontrack.net; www.ontrack.net;
      ontrack.org; www.ontrack.org; sands.com; www.sands.com; sands.net;
      www.sands.net; sands.org; www.sands.org; sophos.com; www.sophos.com;
      sophos.net; www.sophos.net; sophos.org; www.sophos.org; icubed.com;
      www.icubed.com; icubed.net; www.icubed.net; icubed.org;
      www.icubed.org; perantivirus.com; www.perantivirus.com;
      perantivirus.net; www.perantivirus.net; perantivirus.org;
      www.perantivirus.org; castlecops.com; www.castlecops.com;
      castlecops.net; www.castlecops.net; castlecops.org;
      www.castlecops.org; virustotal.com; www.virustotal.com;
      virustotal.net; www.virustotal.net; virustotal.org;
      www.virustotal.org; free-av.com; www.free-av.com; free-av.net;
      www.free-av.net; free-av.org; www.free-av.org; antivirus.com;
      www.antivirus.com; antivirus.net; www.antivirus.net; antivirus.org;
      www.antivirus.org; anti-virus.com; www.anti-virus.com; anti-virus.net;
      www.anti-virus.net; anti-virus.org; www.anti-virus.org; ca.com;
      www.ca.com; ca.net; www.ca.net; ca.org; www.ca.org; fajarweb.com;
      www.fajarweb.com; fajarweb.net; www.fajarweb.net; fajarweb.org;
      www.fajarweb.org; jasakom.com; www.jasakom.com; jasakom.net;
      www.jasakom.net; jasakom.org; www.jasakom.org; backup.grisoft.com;
      www.backup.grisoft.com; backup.grisoft.net; www.backup.grisoft.net;
      backup.grisoft.org; www.backup.grisoft.org; infokomputer.com;
      www.infokomputer.com; infokomputer.net; www.infokomputer.net;
      infokomputer.org; www.infokomputer.org; playboy.com; www.playboy.com;
      playboy.net; www.playboy.net; playboy.org; www.playboy.org;
      sex-mission.com; www.sex-mission.com; sex-mission.net;
      www.sex-mission.net; sex-mission.org; www.sex-mission.org;
      pornstargals.com; www.pornstargals.com; pornstargals.net;
      www.pornstargals.net; pornstargals.org; www.pornstargals.org;
      kaskus.com; www.kaskus.com; kaskus.net; www.kaskus.net; kaskus.org;
      www.kaskus.org; 17tahun.com; www.17tahun.com; 17tahun.net;
      www.17tahun.net; 17tahun.org; www.17tahun.org; padinet.com;
      www.padinet.com; padinet.net; www.padinet.net; padinet.org;
      www.padinet.org; jeruk.padinet.com; www.jeruk.padinet.com;
      jeruk.padinet.net; www.jeruk.padinet.net; jeruk.padinet.org;
      www.jeruk.padinet.org; compactbyte.com; www.compactbyte.com;
      compactbyte.net; www.compactbyte.net; compactbyte.org;
      www.compactbyte.org; blog.compactbyte.com; www.blog.compactbyte.com;
      blog.compactbyte.net; www.blog.compactbyte.net; blog.compactbyte.org;
      www.blog.compactbyte.org; blogs.compactbyte.com;
      www.blogs.compactbyte.com; blogs.compactbyte.net;
      www.blogs.compactbyte.net; blogs.compactbyte.org;
      www.blogs.compactbyte.org




The (modified) hosts file will look like the following:
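Because the block list above works by rewriting the hosts file, the cheapest check for this family, and for the many others that do the same thing, is to parse the hosts file and look for vendor names in it at all: a legitimate hosts file has no reason to carry an entry for kaspersky.com or liveupdate.symantec.com. The following is an added example, not code from Avira; it runs over a constructed hosts file, uses a short subset of the domains listed above (extend VENDOR_DOMAINS from the full list as needed), and reports whether each override points at a sinkhole address (loopback or 0.0.0.0) or somewhere else.

```python
import ipaddress
from typing import List, Tuple

# Constructed hosts file (not captured from a real machine).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com
127.0.0.1       liveupdate.symantec.com
0.0.0.0         download.mcafee.com
192.168.1.20    intranet.example.test
::1             localhost
"""

# Subset of the blocked domains listed above; the full list is several hundred names.
VENDOR_DOMAINS = (
    'kaspersky.com', 'kaspersky-labs.com', 'symantec.com', 'symantecliveupdate.com',
    'mcafee.com', 'nai.com', 'sophos.com', 'trendmicro.com', 'f-secure.com',
    'grisoft.com', 'pandasoftware.com', 'norman.com', 'vaksin.com', 'virustotal.com',
)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per name; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            entries.append((fields[0], name.lower().rstrip('.')))
    return entries


def is_sinkhole(ip: str) -> bool:
    """True for addresses that can never reach the real host: loopback or 0.0.0.0 / ::."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_vendor_overrides(entries: List[Tuple[str, str]],
                          vendor_domains=VENDOR_DOMAINS) -> List[Tuple[str, str, bool]]:
    """Flag every entry whose name is a listed vendor domain or one of its subdomains.

    Returns (ip, hostname, points_to_sinkhole). Any hit is suspicious; a non-sinkhole
    address is worse, since the name may then resolve to a host the attacker controls."""
    findings = []
    for ip, host in entries:
        for dom in vendor_domains:
            if host == dom or host.endswith('.' + dom):
                findings.append((ip, host, is_sinkhole(ip)))
                break
    return findings


if __name__ == '__main__':
    for ip, host, sink in find_vendor_overrides(parse_hosts(SAMPLE_HOSTS)):
        print(f'{host:32s} -> {ip:16s} {"sinkhole" if sink else "REDIRECT"}')
```

Match on the domain suffix rather than on exact names: the list above enumerates www., download., liveupdate. and similar prefixes for each vendor, and a suffix match covers all of them plus any variant a later sample adds.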


Process termination
Processes whose name contains one of the following strings are terminated:
   • ahnlab; peid; nod32; hijack; sysinter; aladdin; panda; trend; cillin;
      mcaf; avast; bitdef; machine; movzx; kill; washer; remove; wscript;
      diary; untukmu; kangen; sstray; Alicia; Mariana; Dian; foto; zlh;
      Anti; mspatch; siti; virus; services.com; ctfmon; nopdb; opscan;
      vptray; update; lexplorer; iexplorer; nipsvc; njeeves; cclaw; nvcoas;
      aswupdsv; ashmaisv; systray; riyani; xpshare; syslove; tskmgr; ccapps;
      ash; avg; poproxy; mcv

Processes whose window title contains one of the following strings are terminated:
   • peid; task view; telanjang; bugil; cewe; naked; porn; sex; alwil;
      wintask; folder option; b.e; worm; trojan; avira; windows script;
      commander; pc-media; killer; ertanto; anti; CLEANER; REMOVER; PROCESS
      EXP; SYSINTERNAL; killbox; scheduled task; computer management;
      cmd.exe; group policy; system configuration; command prompt; registry;
      baca bro !!!; task manager; google.com; up22ngk
      


File details
Programming language:
The malware program is written in MS Visual C++.


Runtime packer:
To hamper detection and reduce the file size, it is packed with a runtime packer.

Description submitted by Adriana Popa on Tuesday, 25 July 2006
Description updated by Andrei Gherman on Wednesday, 26 July 2006
