Worm/Brontok.W.A - Worm
Name: Worm/Brontok.W.A
Date discovered: 21/08/2006
Type: Worm
In the wild: No
Reported infections: Low
Distribution potential: Medium
Damage potential: Low to medium
Static file: Yes
File size: 98.304 Bytes
MD5: 892f49387317b9cf8a70dad3595db4e3
VDF version: 6.36.00.51
IVDF version: 6.36.00.62
General
Method of propagation:
• Local network
Aliases:
• Symantec: Hacktool.Spammer
• Kaspersky: Email-Worm.Win32.Brontok.w
• F-Secure: Email-Worm.Win32.Brontok.w
• Sophos: W32/Brontok-BO
• Grisoft: SpamTool.GW
• Bitdefender: Win32.Brontok.AM@mm
Initially detected as:
• SPR/Spam.VB.aqn
Operating systems:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Creates files
• Lowers security settings
• Registry modifications
Files
It copies itself to the following locations:
• %WINDIR%\Kr0n1C.exe
• C:\Kr0n1C.exe
• %SYSDIR%\shell.exe
• %SYSDIR%\MrHelloween.scr
• %SYSDIR%\IExplorer.exe
• %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Empty.pif
• %home%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
• %home%\Local Settings\Application Data\WINDOWS\CSRSS.EXE
• %home%\Local Settings\Application Data\WINDOWS\SERVICES.EXE
• %home%\Local Settings\Application Data\WINDOWS\LSASS.EXE
• %home%\Local Settings\Application Data\WINDOWS\SMSS.EXE
• C:\Kr0n1C\New Folder.exe
• C:\Data %current username%.exe
• C:\Data LocalService.exe
• %current directory%\%current directory name%.exe
It creates the following directory:
• C:\Kr0n1C
The following files are created:
– C:\Puisi.txt This is a harmless text file with the following content:
• Kr0n1C
Tertatihku Meratap Perih
Insan Hidup Terasa Mati
Dan Bahagiapun Sirna Seiring Waktu
Hanya Sepi Yang Mengisi Sendi - Sendi Kehidupanku
Ini Semua Karena Dirimu
Yang Selalu Mengiris Hatiku
Hari Ini Aku Tetap Menanti
Hadirmu Walau Hanya Mimpi
Dan Kini Telah Kusadari
Dirimu Hanya Ingin Menyakitiku
Hadirmu Hanya Akan Binasakanku
Saat Ini Dan Sampai Alam Yang Abadi
Cyber.nu
– %WINDIR%\msvbvm60.dll
– %SYSDIR%\msvbvm60.dll
– C:\Kr0n1C\Folder.htt
– C:\desktop.ini
Registry
The following registry keys are added in order to run the process after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "Kr0n1C"="%WINDIR%\Kr0n1C.exe"
• "Service%current username%"="%home%\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
• "MSMSGS"="%home%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Logon%current username%"="%home%\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
• "System Monitoring"="%home%\Local Settings\Application Data\WINDOWS\LSASS.EXE"
• "LogonLocalService"="%home%\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
The following registry keys are changed:
– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
Old value:
• "AlternateShell"="cmd.exe"
New value:
• "AlternateShell"="%WINDIR%\Kr0n1C.exe"
– [HKCR\comfile\shell\open\command]
Old value:
• @="%1" %*
New value:
• @="%SYSDIR%\shell.exe" "%1" %*"
– [HKCR\batfile\shell\open\command]
Old value:
• @="%1" %*
New value:
• @="%SYSDIR%\shell.exe" "%1" %*"
– [HKCR\piffile\shell\open\command]
Old value:
• @="%1" %*
New value:
• @="%SYSDIR%\shell.exe" "%1" %*"
– [HKCR\lnkfile\shell\open\command]
Old value:
• @="%1" %*
New value:
• @="%SYSDIR%\shell.exe" "%1" %*"
– [HKCR\exefile\shell\open\command]
Old value:
• @="%1" %*
New value:
• @="%SYSDIR%\shell.exe" "%1" %*"
– [HKCR\exefile]
Old value:
• @="Application"
New value:
• @="File Folder"
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• "Hidden"=%user settings%
• "HideFileExt"=%user settings%
• "ShowSuperHidden"=%user settings%
New value:
• "Hidden"=dword:00000000
• "HideFileExt"=dword:00000001
• "ShowSuperHidden"=dword:00000000
– [HKCU\Control Panel\Desktop]
Old value:
• "SCRNSAVE.EXE"=%user settings%
• "ScreenSaverIsSecure"=%user settings%
New value:
• "SCRNSAVE.EXE"="%SYSDIR%\MRHELL~1.SCR"
• "ScreenSaverIsSecure"="0"
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Old value:
• "Shell"="Explorer.exe"
• "Userinit"="%SYSDIR%\userinit.exe"
New value:
• "Shell"="Explorer.exe "%SYSDIR%\IExplorer.exe""
• "Userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\IExplorer.exe"
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Old value:
• "NoFolderOptions"=%user settings%
New value:
• "NoFolderOptions"=dword:00000001
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
Old value:
• "Auto"="1"
• "Debugger"="drwtsn32 -p %ld -e %ld -g"
New value:
• "Auto"="1"
• "Debugger"="%SYSDIR%\Shell.exe"
Disabling Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Old value:
• "DisableCMD"=%user settings%
• "DisableTaskMgr"=%user settings%
• "DisableRegistryTools"=%user settings%
New value:
• "DisableCMD"=dword:00000001
• "DisableTaskMgr"=dword:00000001
• "DisableRegistryTools"=dword:00000001
– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
Old value:
• "DisableConfig"=%user settings%
• "DisableSR"=%user settings%
New value:
• "DisableConfig"=dword:00000001
• "DisableSR"=dword:00000001
– [HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer]
New value:
• "LimitSystemRestoreCheckpointing"=dword:00000001
• "DisableMSI"=dword:00000001
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
New value:
• "FullPath"=dword:00000001
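The registry changes listed above can be checked offline against the text of a registry export. The following is an added example, not part of the original description: it parses export text and flags values that differ from the listed old values or that switch on the listed Regedit/Task Manager/CMD policies. The sample export and its C:\WINDOWS paths are constructed, and the function names are hypothetical.

```python
import re
# Old-value baselines and policy names are copied from the description above.
HKCR, HKLM = "HKEY_CLASSES_ROOT\\", "HKEY_LOCAL_MACHINE\\"
BASELINE = {(HKCR + h + "\\shell\\open\\command", "@"): '"%1" %*'
            for h in ("comfile", "batfile", "piffile", "lnkfile", "exefile")}
BASELINE[(HKLM + "SYSTEM\\CurrentControlSet\\Control\\SafeBoot", "AlternateShell")] = "cmd.exe"
BASELINE[(HKLM + "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "Shell")] = "Explorer.exe"
BASELINE = {(k.lower(), n.lower()): v.lower() for (k, n), v in BASELINE.items()}
POLICY = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\policies\\system"
LOCKOUT = {"disablecmd", "disabletaskmgr", "disableregistrytools"}
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unquote(s):
    """Strip the outer quotes of a .reg string and undo its backslash escapes."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])

def parse_reg(text):
    """Yield (key, name, data) for string and dword values in regedit export text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            name, data = m.groups()
            name = name if name == "@" else unquote(name)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                yield key, name, unquote(data)
            elif data.lower().startswith("dword:"):
                yield key, name, int(data[6:], 16)

def find_tampering(text):
    """Return values that differ from the baseline or switch a lockout policy on."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        changed = (k, n) in BASELINE and str(data).strip().lower() != BASELINE[(k, n)]
        if changed or (k == POLICY and n in LOCKOUT and data == 1):
            hits.append((key, name, data))
    return hits

# Constructed sample export; the C:\WINDOWS paths are assumed expansions of %WINDIR% / %SYSDIR%.
SAMPLE = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\shell.exe\" \"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\WINDOWS\\Kr0n1C.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''
```

Pass it the text of a `reg export` of the keys of interest; files written by regedit are UTF-16, so decode them before handing the text to `find_tampering`.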
Process termination
Processes containing one of the following window titles are terminated:
• TASK; REG; ASM; DBG; W32; PROC; WALK; REST; AVS; OPTIONS; ANTI; VIRUS; RegEdit; Registry Editor; Folder Options; Local Settings
File details
Programming language:
Programming language used: Visual Basic.
Description inserted by Adriana Popa on Tue, 19 Sep 2006 13:53 (GMT+1)
Description updated by Adriana Popa on Fri, 22 Sep 2006 12:52 (GMT+1)