Virus: Worm/VB.ay.2
Date discovered: 05/10/2005
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 81.920 Bytes
MD5 checksum: 902792c0116adf49f55f111e82c81db0
VDF version: 6.32.00.60

General
Method of propagation:
   • Email
   • Local network


Aliases:
   •  Symantec: W32.Rontokbro.B@mm
   •  Mcafee: W32/Rontokbro.b@MM
   •  Kaspersky: Email-Worm.Win32.Brontok.a
   •  TrendMicro: WORM_RONTOKBRO.B
   •  Sophos: W32/Brontok-B
   •  Grisoft: I-Worm/VB.DV
   •  VirusBuster: I-Worm.Brontok.AO
   •  Eset: Win32/Brontok.B
   •  Bitdefender: Win32.Brontok.A@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Uses its own Email engine
   • Registry modification

Files
It copies itself to the following locations:
   • %HOME%\Local Settings\Application Data\csrss.exe
   • %HOME%\Local Settings\Application Data\inetinfo.exe
   • %HOME%\Local Settings\Application Data\lsass.exe
   • %HOME%\Local Settings\Application Data\services.exe
   • %HOME%\Local Settings\Application Data\smss.exe
   • %WINDIR%\INF\norBtok.exe
   • %ALLUSERSPROFILE%\Templates\A.kotnorB.com



It overwrites the following file:
   • %system drive root%\autoexec.bat

with the following contents:
   • pause




The following file is created:
   • %WINDIR%\Tasks\At1

It is executed as soon as it has been fully written. The file is a scheduled task that runs the malware at predefined times.



It tries to download a file:

– The location is the following:
   • http://www.geocities.com/jowobot456/**********
At the time of writing this file was not online, so it could not be investigated further. It is used to hide a process.

Registry
The following registry values are added so that the dropped files run again after each reboot:

– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "Tok-Cirrhatus"="%HOME%\Local Settings\Application Data\smss.exe"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Bron-Spizaetus"="%WINDIR%\INF\norBtok.exe"



The following registry keys are changed:

Disable Regedit and Task Manager:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
   Old value:
   • "DisableCMD"=%user defined settings%
   • "DisableRegistryTools"=%user defined settings%
   New value:
   • "DisableCMD"=dword:00000000
   • "DisableRegistryTools"=dword:00000001

Various Explorer settings:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
   Old value:
   • "NoFolderOptions"=%user defined settings%
   New value:
   • "NoFolderOptions"=dword:00000001
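As an added example (not part of the Avira description), the following Python checks a host snapshot for the dropped files, the At1 scheduled task, the autoexec.bat overwrite and the registry changes listed above. The snapshot format (lists of paths and registry tuples) and the sample data are constructed assumptions; the indicator values themselves come from the description.

```python
import re

# Run-key value names the worm writes for persistence (from the description)
RUN_VALUES = {"Tok-Cirrhatus", "Bron-Spizaetus"}
# System-process names dropped into the user's Application Data folder
MASQUERADE_NAMES = {"csrss.exe", "inetinfo.exe", "lsass.exe", "services.exe", "smss.exe"}
DROPPED_NAMES = {"norbtok.exe", "a.kotnorb.com"}
APPDATA_RE = re.compile(r"\\local settings\\application data\\[^\\]+$")
# Policy values the worm sets to lock the user out of regedit / folder options
POLICY_HITS = (("policies\\system", "disableregistrytools", 1),
               ("policies\\explorer", "nofolderoptions", 1))

def autoexec_overwritten(text):
    """True if autoexec.bat holds only the 'pause' line the worm writes."""
    return text.strip().lower() == "pause"

def scan_snapshot(files, registry):
    """files: full paths; registry: (key, value name, data) tuples.
    Returns a list of matched indicator descriptions (assumed snapshot format)."""
    hits = []
    for path in files:
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in MASQUERADE_NAMES and APPDATA_RE.search(low):
            hits.append("system process name outside System32: " + path)
        elif name in DROPPED_NAMES:
            hits.append("known dropped file: " + path)
        elif low.endswith("\\tasks\\at1"):
            hits.append("scheduled task At1: " + path)
    for key, name, data in registry:
        k, n = key.lower(), name.lower()
        if k.endswith("\\run") and name in RUN_VALUES:
            hits.append("Run value %s -> %s" % (name, data))
        for suffix, pname, pdata in POLICY_HITS:
            if k.endswith(suffix) and n == pname and data == pdata:
                hits.append("policy %s=%s under %s" % (name, data, key))
    return hits

# Constructed sample snapshot (not real data); the System32 smss.exe is legitimate
SAMPLE_FILES = [
    r"C:\Documents and Settings\user\Local Settings\Application Data\smss.exe",
    r"C:\WINDOWS\system32\smss.exe",
    r"C:\WINDOWS\INF\norBtok.exe",
    r"C:\WINDOWS\Tasks\At1",
]
SAMPLE_REGISTRY = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Tok-Cirrhatus",
     r"C:\Documents and Settings\user\Local Settings\Application Data\smss.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCMD", 0),
]
```

Running scan_snapshot(SAMPLE_FILES, SAMPLE_REGISTRY) reports five hits and correctly ignores the legitimate smss.exe and the unchanged DisableCMD value.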

Email
It contains an integrated SMTP engine that sends emails over a direct connection to the destination mail server. The messages have the following characteristics:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)


Subject:
The subject line is empty.


Body:
The body of the email is the following:

   • BRONTOK.A [ By: HVM64 -- JowoBot &VM Community ]
     -- Hentikan kebobrokan di negeri ini --
     1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
     ( Send to "NUSAKAMBANGAN")
     2. Stop Free Sex, Absorsi, & Prostitusi
     3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
     4. SAY NO TO DRUGS !!!
     -- KIAMAT SUDAH DEKAT --
     Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah[ By: HVM64]
     -- JowoBot &VM Community --


Attachment:
The filename of the attachment is:
   • Kangen.exe

The attachment is a copy of the malware itself.
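As an added example (not part of the Avira description), the following Python scores an inbound message against the email traits listed above: an empty subject, the BRONTOK.A body banner and an attachment named Kangen.exe. The sample message is constructed with placeholder addresses and placeholder attachment bytes, not a real capture.

```python
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

ATTACHMENT_NAME = "kangen.exe"             # attachment name from the description
BODY_MARKERS = ("BRONTOK.A", "JowoBot")     # strings from the described body text

def brontok_traits(raw):
    """Return the list of worm email traits found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    traits = []
    if not (msg.get("Subject") or "").strip():
        traits.append("empty subject")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower() == ATTACHMENT_NAME:
            traits.append("attachment Kangen.exe")
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            if all(marker in text for marker in BODY_MARKERS):
                traits.append("BRONTOK.A body banner")
    return traits

def build_sample():
    """Constructed sample mimicking the described traits; not a real capture."""
    msg = MIMEMultipart()
    msg["From"] = "spoofed@example.invalid"   # assumed placeholder sender
    msg["To"] = "victim@example.invalid"      # assumed placeholder recipient
    msg["Subject"] = ""
    msg.attach(MIMEText("BRONTOK.A [ By: HVM64 -- JowoBot &VM Community ]\n"
                        "-- KIAMAT SUDAH DEKAT --\n"))
    att = MIMEApplication(b"MZ placeholder bytes, not a real binary")
    att.add_header("Content-Disposition", "attachment", filename="Kangen.exe")
    msg.attach(att)
    return msg.as_string()
```

A message matching all three traits is a strong gateway-level signal; a single trait (an empty subject, say) is common in legitimate mail and should not block on its own.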

Mailing
Search addresses:
It searches files with the following extensions for email addresses:
   • .HTM
   • .HTML
   • .TXT
   • .EML
   • .WAB
   • .ASP
   • .PHP
   • .CFM
   • .CSV
   • .DOC


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • PLASA; TELKOM; INDO; .CO; .ID; .GO; .ID; .MIL; .ID; .SCH.ID; .NET.ID;
      .OR.ID; .AC.ID; .WEB.ID; .WAR.NET.ID; ASTAGA; GAUL; BOLEH; EMAILKU;
      SATU


Prepend MX strings:
To resolve the mail server of a recipient's domain, it can prepend the following strings to the domain name:
   • smtp.
   • mail.
   • ns1.

P2P
To infect other systems in the peer-to-peer network, the following action is performed:

It searches for all shared directories.

If any are found, the following file is created:
   • %all shared folders%.exe

These files are copies of the malware itself.

DoS
Right after it becomes active, it starts DoS attacks against the following destinations:
   • israel.gov.il
   • playboy.com

File details
Programming language:
The malware program was written in Visual Basic.

Description inserted by Irina Boldea on Thursday, May 25, 2006
Description updated by Irina Boldea on Thursday, May 25, 2006
