Full description

Nume:	Worm/Brontok.C
Descoperit pe data de:	27/10/2005
Tip:	Vierme
ITW:	Da
Numar infectii raportate:	Mediu
Potential de raspandire:	Mediu spre ridicat
Potential de distrugere:	Mediu
Fisier static:	Nu
Versiune VDF:	6.32.00.109

General Metode de raspandire:
   • Email
   • Reteaua locala

Alias:
   • Symantec: W32.Rontokbro.K@mm
   • TrendMicro: WORM_RONTOKBRO.J
   • Bitdefender: Win32.Brontok.C@mm

Sistem de operare:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Efecte secundare:
   • Blocheaza accesul la website-uri ale firmelor de securitate
   • Descarca fisiere
   • Utilizeaza propriul motor de email
   • Modificari in registri

Dupa activare, ruleaza un program Windows care afiseaza urmatoarea fereastra:

Fisiere Se copiaza in urmatoarele locatii:
   • %WINDIR%\ShellNew\sempalong.exe
   • %WINDIR%\eksplorasi.exe
   • %HOME%\Local Settings\Application Data\smss.exe
   • %HOME%\Local Settings\Application Data\services.exe
   • %HOME%\Local Settings\Application Data\lsass.exe
   • %HOME%\Local Settings\Application Data\inetinfo.exe
   • %HOME%\Local Settings\Application Data\csrss.exe
   • %HOME%\Start Menu\Programs\Startup\Empty.pif
   • %HOME%\Templates\brengkolang.exe
   • %SYSDIR%\%numele utilizatorului curent%'s setting.scr

Suprascrie un fisier.
– %radacina partitiei Windows%\autoexec.bat

Cu urmatorul continut:
   • pause

Este creat fisierul:

– %HOME%\Local Settings\Application Data\Kosong.Bron.Tok.txt Acesta este un fisier text care nu prezinta pericol si are urmatorul continut:
   • Brontok.A
     By: HVM31
     -- JowoBot
     VM Community --

Registrii sistemului Urmatoarele chei sunt adaugate in registri pentru a rula procesul la repornirea sistemului:

– [HKLM\software\microsoft\windows\currentversion\run]
   • "Bron-Spizaetus" = ""c:\winows\ShellNew\sempalong.exe""

– [HKCU\software\microsoft\windows\currentversion\run]
   • "Tok-Cirrhatus" = "c:\Documents and Settings\UserLocal Settings\Application Data\smss.exe"

Urmatoarele chei sunt adaugate in registrii sistemului:

– [HKCU\software\microsoft\windows\currentversion\Policies\System]
   • "DisableCMD" = dword:00000000
   • "DisableRegistryTools" = dword:00000001

– [HKCU\software\microsoft\windows\currentversion\Policies\Explorer]
   • "NoFolderOptions" = dword:00000001

Urmatoarele chei din registri sunt modificate:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Vechea valoare:
   • "Shell" = "Explorer.exe"
   Noua valoare:
   • "Shell" = "Explorer.exe "c:\winows\eksplorasi.exe""

– [HKCU\software\microsoft\windows\currentversion\explorer\advanced]
   Vechea valoare:
   • "ShowSuperHidden" = %setarile utilizatorului%
   • "HideFileExt" = %setarile utilizatorului%
   • "Hidden" = %setarile utilizatorului%
   Noua valoare:
   • "ShowSuperHidden" = dword:00000000
   • "HideFileExt" = dword:00000001
   • "Hidden" = dword:00000000

Email Cautare adrese:
Cauta adrese de email in urmatoarele fisiere:
   • .HTML; .TXT; .EML; .WAB; .ASP; .PHP; .CFM; .CSV; .DOC; .XLS; .PDF;
      .PPT; .HTT

Adrese evitate:
Nu trimite email-uri la adrese care contin unul din urmatoarele siruri de caractere:
   • .VBS; DOMAIN; HIDDEN; DEMO; DEVELOP; FOO@; KOMPUTER; SENIOR; DARK;
      BLACK; BLEEP; FEEDBACK; IBM.; INTEL.; MACRO; ADOBE; FUCK; RECIPIENT;
      SERVER; PROXY; ZEND; ZDNET; CNET; DOWNLOAD; HP.; XEROX; CANON;
      SERVICE; ARCHIEVE; NETSCAPE; MOZILLA; OPERA; NOVELL; NEWS; UPDATE;
      RESPONSE; OVERTURE; GROUP; GATEWAY; RELAY; ALERT; SEKUR; CISCO; LOTUS;
      MICRO; TREND; SIEMENS; FUJITSU; NOKIA; W3.; NVIDIA; APACHE; MYSQL;
      POSTGRE; SUN.; GOOGLE; SPERSKY; ZOMBIE; ADMIN; AVIRA; AVAST; TRUST;
      ESAVE; ESAFE; PROTECT; ALADDIN; ALERT; BUILDER; DATABASE; AHNLAB;
      PROLAND; ESCAN; HAURI; NOD32; SYBARI; ANTIGEN; ROBOT; ALWIL; YAHOO;
      COMPUSE; COMPUTE; SECUN; SPYW; REGIST; FREE; BUG; MATH; LAB; IEEE;
      KDE; TRACK; INFORMA; FUJI; @MAC; SLACK; REDHA; SUSE; BUNTU; XANDROS;
      @ABC; @123; LOOKSMART; SYNDICAT; ELEKTRO; ELECTRO; NASA; LUCENT;
      TELECOM; STUDIO; SIERRA; USERNAME; IPTEK; CLICK; SALES; PROMO

Fisiere host Fisierul

– In acest caz, inregistrarile existente sunt sterse.

– Accesul la urmatoarele domenii este blocat:
   • mcafee.com; www.mcafee.com; mcafeesecurity.com;
      www.mcafeesecurity.com; mcafeeb2b.com; www.mcafeeb2b.com; nai.com;
      www.nai.com; vil.nai.com; grisoft.com; www.grisoft.com;
      kaspersky-labs.com; www.kaspersky-labs.com; kaspersky.com;
      www.kaspersky.com; downloads1.kaspersky-labs.com;
      downloads2.kaspersky-labs.com; downloads3.kaspersky-labs.com;
      downloads4.kaspersky-labs.com; download.mcafee.com; grisoft.cz;
      www.grisoft.cz; norton.com; www.norton.com; symantec.com;
      www.symantec.com; liveupdate.symantecliveupdate.com;
      liveupdate.symantec.com; update.symantec.com;
      securityresponse.symantec.com; sarc.com; www.sarc.com; vaksin.com;
      www.vaksin.com; norman.com; www.norman.com; trendmicro.com;
      www.trendmicro.com; trendmicro.co.jp; www.trendmicro.co.jp;
      trendmicro-europe.com; www.trendmicro-europe.com;
      ae.trendmicro-europe.com; it.trendmicro-europe.com; secunia.com;
      www.secunia.com; winantivirus.com; www.winantivirus.com;
      pandasoftware.com; www.pandasoftware.com; esafe.com; www.esafe.com;
      f-secure.com; www.f-secure.com; europe.f-secure.com; bhs.com;
      www.bhs.com; datafellows.com; www.datafellows.com; cheyenne.com;
      www.cheyenne.com; ontrack.com; www.ontrack.com; sands.com;
      www.sands.com; sophos.com; www.sophos.com; icubed.com; www.icubed.com;
      perantivirus.com; www.perantivirus.com; virusalert.nl;
      www.virusalert.nl; pagina.nl; www.pagina.nl; antivirus.pagina.nl;
      castlecops.com; www.castlecops.com; virustotal.com; www.virustotal.com

Fisierul hosts modificat va arata astfel:

DoS (Denial of Service) Imediat ce devine activ, porneste un atac DoS asupra urmatoarelor destinatii:
• http://kaskus.com
• http://17tahun.com

Alte informatii Metode anti-debugging
Verifica daca programele care ruleaza contin unul din urmatoarele siruri de caractere:
   • REGISTRY
   • SYSTEM CONFIGURATION
   • COMMAND PROMPT
   • .EXE
   • SHUT DOWN
   • SCRIPT HOST
   • LOG OFF WINDOWS
   • KILLBOX
   • TASKKILL
   • TASK KILL
   • HIJACK
   • BLEEPING

Detaliile fisierului Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit un program de compresie runtime.

Descrição enviada por Andrei Gherman em sexta-feira, 28 de outubro de 2005
Descrição atualizada por Andrei Gherman em sexta-feira, 20 de junho de 2008

Voltar . . . .

Proteçao especial para PCs

Produtos gratuitos

Produtos mais populares

Todos os produtos

Soluçoes em pacote

Estaçoes de trabalho

Server

Soluçoes em pacote

Mail Gateways

Web Gateways

Plataformas de colaboraçao

Usuários domésticos

Empresas

Laboratório de vírus

Mais suporte

Seja um parceiro Avira

Usuários domésticos

Empresas

Deseja apenas experimentar um produto?

Manuais e ferramentas