Laboratório de vírus Avira

Worm/Brontok.E.1

  • Nome
    Worm/Brontok.E.1
  • Data em que surgiu
    08/10/2015
  • Versão do VDF
    7.11.47.198 (2012-10-26 15:42)

O termo 'WORM' refere-se a um worm que pode se difundido, por exemplo, pela Internet (usando e-mails, redes ponto a ponto, redes IRC etc.).

  • VDF
    7.11.47.198 (2012-10-26 15:42)
  • Alias
    Avast: Win32:Brontok-CE
    AVG: I-Worm/Brontok.X
    ClamAV: Worm.Brontok.H
    Dr. Web: Win32.HLLM.Generic.440
    F-PROT: W32/Brontok.C.gen!Eldorado (generic, not disinfectable)
    Trend Micro: TROJ_SPNR.03I211
    Microsoft: Worm:Win32/Brontok.BO@mm
    G Data: Win32.Brontok.ND
    Kaspersky Lab: Email-Worm.Win32.Brontok.q
    Bitdefender: Win32.Brontok.ND
    ESET: Win32/Brontok.CH worm
  • Arquivos
    As seguintes cópias foram criadas:
    • %WINDIR%\ShellNew\RakyatKelaparan.exe
    • %SYSDIR%\cmd-brontok.exe
    • %WINDIR%\KesenjanganSosial.exe
    • %USERPROFILE%\Local Settings\Application Data\smss.exe
    • %USERPROFILE%\Local Settings\Application Data\br5931on.exe
    • %USERPROFILE%\Local Settings\Application Data\services.exe
    • %USERPROFILE%\Local Settings\Application Data\lsass.exe
    • %USERPROFILE%\Local Settings\Application Data\inetinfo.exe
    • %USERPROFILE%\Local Settings\Application Data\csrss.exe
    • %WINDIR%\ShellNew\RakyatKelaparan.exe
    • %SYSDIR%\cmd-brontok.exe
    • %WINDIR%\KesenjanganSosial.exe
    • %USERPROFILE%\Local Settings\Application Data\br5931on.exe
    • %USERPROFILE%\Local Settings\Application Data\services.exe
    • %USERPROFILE%\Local Settings\Application Data\lsass.exe
    • %USERPROFILE%\Local Settings\Application Data\inetinfo.exe
    • %USERPROFILE%\Local Settings\Application Data\csrss.exe
    • %USERPROFILE%\Local Settings\Application Data\winlogon.exe
    • %WINDIR%\ShellNew\RakyatKelaparan.exe
    • %SYSDIR%\cmd-brontok.exe
    • %WINDIR%\KesenjanganSosial.exe
    • %USERPROFILE%\Local Settings\Application Data\br5931on.exe
    • %USERPROFILE%\Local Settings\Application Data\services.exe
    • %USERPROFILE%\Local Settings\Application Data\lsass.exe
    • %USERPROFILE%\Local Settings\Application Data\inetinfo.exe
    • %USERPROFILE%\Local Settings\Application Data\csrss.exe
    • %USERPROFILE%\Start Menu\Programs\Startup\Empty.pif
    • %USERPROFILE%\Templates\10044-NendangBro.com
    • %SYSDIR%\%USERNAME%'s Setting.scr
    • %WINDIR%\ShellNew\RakyatKelaparan.exe
    • %SYSDIR%\cmd-brontok.exe
    • %WINDIR%\KesenjanganSosial.exe
    • %USERPROFILE%\Local Settings\Application Data\br5931on.exe
    • %USERPROFILE%\Local Settings\Application Data\lsass.exe
    • %USERPROFILE%\Local Settings\Application Data\inetinfo.exe
    • %USERPROFILE%\Local Settings\Application Data\csrss.exe
    • %WINDIR%\ShellNew\RakyatKelaparan.exe
    • %SYSDIR%\cmd-brontok.exe
    • %WINDIR%\KesenjanganSosial.exe
    • %USERPROFILE%\Local Settings\Application Data\br5931on.exe
    • %USERPROFILE%\Local Settings\Application Data\inetinfo.exe
    • %USERPROFILE%\Local Settings\Application Data\csrss.exe
    • %WINDIR%\ShellNew\RakyatKelaparan.exe
    • %SYSDIR%\cmd-brontok.exe
    • %WINDIR%\KesenjanganSosial.exe
    • %USERPROFILE%\Local Settings\Application Data\br5931on.exe
    • %USERPROFILE%\Local Settings\Application Data\csrss.exe
    • %SYSDIR%\drivers\etc\hosts-Denied By-%USERNAME%.com
    Os seguintes arquivos foram alterados:
    • %DISKDRIVE%\AUTOEXEC.BAT
    • %temporary internet files%\Content.IE5\index.dat
    • %USERPROFILE%\Cookies\index.dat
    • %USERPROFILE%\Local Settings\History\History.IE5\index.dat
    Os seguintes arquivos foram excluídos:
    • %TEMPDIR%\~DFE85D.tmp
    • %TEMPDIR%\~DFD2DE.tmp
    • %SYSDIR%\drivers\etc\hosts-Denied By-%USERNAME%.com
    • %TEMPDIR%\~DF275.tmp
    Os seguintes arquivos foram criados:
    • %TEMPDIR%\~DFE85D.tmp
    • %TEMPDIR%\~DFD2DE.tmp
    • %TEMPDIR%\~DF275.tmp
  • Registro
    São adicionadas as seguintes entidades de registro:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
    • HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings ("ProxyEnable": dword:00000000)
  • Pedidos HTTP
    • www.*****eb.com/News/cmbrotlu3/IN16QGROQGRO.css
    • www.*****eb.com/News/cmbrotlu3/Host16.css

Ajude a tornar a rede mais segura enviando-nos arquivos/URLs suspeitos para análise.

Envie o seu arquivo/URL Ou Acesse o Avira Answers

Porque enviar um arquivo suspeito?

Se você encontrou um arquivo ou um website suspeito que não está na nossa base de dados, nós analisaremos e determinaremos se ele é nocivo. As nossas descobertas são, então, enviadas aos nossos milhões de usuários através da próxima atualização da base de dados de vírus. Se você possui o Avira, você obterá essa atualização também. Não possui o Avira? Obtenha-o através do nossa página inicial.

O que é o Avira Answers?

Esta é a nossa próspera comunidade de profissionais técnicos e especialistas a meio período, trabalhando em conjunto para ajudar a resolver os problemas da tecnologia. É o lugar perfeito onde fazer as suas perguntas, em uma comunidade de colegas usuários do Avira.