Virus: Worm/Brontok.C
Date discovered: 13/12/2012
Type: Worm
In the wild:
Reported infections: Medium
Distribution potential: Medium to high
Damage potential: Medium
Static file:
VDF version: 7.11.53.216 - Thursday, 13 December 2012
IVDF version: 7.11.53.216 - Thursday, 13 December 2012

General
Method of propagation:
   • Email
   • Local network


Aliases:
   • Symantec: W32.Rontokbro.K@mm
   • TrendMicro: WORM_RONTOKBRO.J
   • Bitdefender: Win32.Brontok.C@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to security websites
   • Downloads files
   • Uses its own email engine
   • Registry modification


Right after execution it runs a Windows application to display the following window:


Files
It copies itself to the following locations:
   • %WINDIR%\ShellNew\sempalong.exe
   • %WINDIR%\eksplorasi.exe
   • %HOME%\Local Settings\Application Data\smss.exe
   • %HOME%\Local Settings\Application Data\services.exe
   • %HOME%\Local Settings\Application Data\lsass.exe
   • %HOME%\Local Settings\Application Data\inetinfo.exe
   • %HOME%\Local Settings\Application Data\csrss.exe
   • %HOME%\Start Menu\Programs\Startup\Empty.pif
   • %HOME%\Templates\brengkolang.exe
   • %SYSDIR%\%current username%'s setting.scr



It overwrites a file:
– %system drive root%\autoexec.bat
with the following content:
   • pause




The following files are created:

– %HOME%\Local Settings\Application Data\Kosong.Bron.Tok.txt This is a non-malicious text file with the following content:
   • Brontok.A
     By: HVM31
     -- JowoBot
     VM Community --

Registry
The following registry keys are added in order to run the processes after a system reboot:

– [HKLM\software\microsoft\windows\currentversion\run]
   • "Bron-Spizaetus" = ""c:\winows\ShellNew\sempalong.exe""

– [HKCU\software\microsoft\windows\currentversion\run]
   • "Tok-Cirrhatus" = "c:\Documents and Settings\UserLocal Settings\Application Data\smss.exe"



The following registry values are added:

– [HKCU\software\microsoft\windows\currentversion\Policies\System]
   • "DisableCMD" = dword:00000000
   • "DisableRegistryTools" = dword:00000001

– [HKCU\software\microsoft\windows\currentversion\Policies\Explorer]
   • "NoFolderOptions" = dword:00000001



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell" = "Explorer.exe"
   New value:
   • "Shell" = "Explorer.exe "c:\winows\eksplorasi.exe""

– [HKCU\software\microsoft\windows\currentversion\explorer\advanced]
   Old value:
   • "ShowSuperHidden" = %user defined settings%
   • "HideFileExt" = %user defined settings%
   • "Hidden" = %user defined settings%
   New value:
   • "ShowSuperHidden" = dword:00000000
   • "HideFileExt" = dword:00000001
   • "Hidden" = dword:00000000

Email
Address search:
It searches the following files for email addresses:
   • .HTML; .TXT; .EML; .WAB; .ASP; .PHP; .CFM; .CSV; .DOC; .XLS; .PDF;
      .PPT; .HTT


Avoided addresses:
It does not send emails to addresses containing one of the following strings:
   • .VBS; DOMAIN; HIDDEN; DEMO; DEVELOP; FOO@; KOMPUTER; SENIOR; DARK;
      BLACK; BLEEP; FEEDBACK; IBM.; INTEL.; MACRO; ADOBE; FUCK; RECIPIENT;
      SERVER; PROXY; ZEND; ZDNET; CNET; DOWNLOAD; HP.; XEROX; CANON;
      SERVICE; ARCHIEVE; NETSCAPE; MOZILLA; OPERA; NOVELL; NEWS; UPDATE;
      RESPONSE; OVERTURE; GROUP; GATEWAY; RELAY; ALERT; SEKUR; CISCO; LOTUS;
      MICRO; TREND; SIEMENS; FUJITSU; NOKIA; W3.; NVIDIA; APACHE; MYSQL;
      POSTGRE; SUN.; GOOGLE; SPERSKY; ZOMBIE; ADMIN; AVIRA; AVAST; TRUST;
      ESAVE; ESAFE; PROTECT; ALADDIN; ALERT; BUILDER; DATABASE; AHNLAB;
      PROLAND; ESCAN; HAURI; NOD32; SYBARI; ANTIGEN; ROBOT; ALWIL; YAHOO;
      COMPUSE; COMPUTE; SECUN; SPYW; REGIST; FREE; BUG; MATH; LAB; IEEE;
      KDE; TRACK; INFORMA; FUJI; @MAC; SLACK; REDHA; SUSE; BUNTU; XANDROS;
      @ABC; @123; LOOKSMART; SYNDICAT; ELEKTRO; ELECTRO; NASA; LUCENT;
      TELECOM; STUDIO; SIERRA; USERNAME; IPTEK; CLICK; SALES; PROMO

Hosts
The hosts file is modified as follows:

– In this case, existing entries are deleted.

– Access to the following domains is blocked:




The modified hosts file will look as follows:

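Two of the changes described above, the hosts-file tampering and the Winlogon "Shell" and HKCU policy values, can be checked offline from copies of the data. The Python below is an added example, not code from Avira or from this description; the domain subset, the sample hosts file and the registry values are constructed for illustration and labelled as such in the comments.

```python
import re

# Assumption: a few security-vendor domains of the kind the description says the
# worm blocks; any hosts-file mapping for them is worth flagging, whatever the address.
BLOCKED_DOMAINS = {"mcafee.com", "kaspersky.com", "symantec.com", "trendmicro.com",
                   "f-secure.com", "sophos.com", "norton.com", "virustotal.com"}

# Constructed sample hosts file: the normal localhost line plus two tampered lines.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com   # added by the worm
127.0.0.1       liveupdate.symantec.com kaspersky.com
"""

def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs whose hostname is, or sits under, a blocked domain."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            host = name.lower()
            if host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
                hits.append((ip, name))
    return hits

def winlogon_shell_extras(shell_value):
    """Winlogon's "Shell" value should hold only Explorer.exe. Tokenise it (quoted
    paths may contain spaces) and return every other entry; a clean value gives []."""
    tokens = re.findall(r'"[^"]*"|[^\s,]+', shell_value)
    return [t.strip('"') for t in tokens if t.strip('"').lower() != "explorer.exe"]

# HKCU ...\CurrentVersion policy values the description says the worm sets. (Its
# HideFileExt=1 / ShowSuperHidden=0 changes are omitted: those are also Windows defaults.)
LOCKDOWN_VALUES = {(r"Policies\System", "DisableRegistryTools"): 1,
                   (r"Policies\Explorer", "NoFolderOptions"): 1}

def lockdown_findings(observed):
    """observed: {(subkey, value name): dword} as read from the registry. Returns the
    entries whose value matches the worm's setting."""
    return [k for k, v in LOCKDOWN_VALUES.items() if observed.get(k) == v]

if __name__ == "__main__":
    print(suspicious_hosts_entries(SAMPLE_HOSTS))
    print(winlogon_shell_extras(r'Explorer.exe "c:\winows\eksplorasi.exe"'))
```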

DoS
Right after activation it starts a DoS attack against the following targets:
   • http://kaskus.com
   • http://17tahun.com

Miscellaneous
Anti-debugging
It checks for running programs containing one of the following strings:
   • REGISTRY
   • SYSTEM CONFIGURATION
   • COMMAND PROMPT
   • .EXE
   • SHUT DOWN
   • SCRIPT HOST
   • LOG OFF WINDOWS
   • KILLBOX
   • TASKKILL
   • TASK KILL
   • HIJACK
   • BLEEPING


File details
Runtime packer:
In order to make detection harder and to reduce the file size, it is packed with a runtime packer.

Description inserted by Andrei Gherman on Friday, 28 October 2005
Description updated by: Andrei Gherman on Friday, 20 June 2008
