Avira Virus Lab

Back

Worm/Brontok.E.1

Name

Worm/Brontok.E.1
Date discovered

Oct 8, 2015
Type

Malware
Impact

High
Reported Infections

Low
Operating System

Windows
VDF version

7.11.47.198 (2012-10-26 15:42)

The term 'WORM' denotes a worm that is able to spread itself, for instance, over the Internet (using email, peer-to-peer networks, or IRC networks, etc.).

VDF

7.11.47.198 (2012-10-26 15:42)
Aliases

Avast: Win32:Brontok-CE

AVG: I-Worm/Brontok.X

ClamAV: Worm.Brontok.H

Dr. Web: Win32.HLLM.Generic.440

F-PROT: W32/Brontok.C.gen!Eldorado (generic, not disinfectable)

Trend Micro: TROJ_SPNR.03I211

Microsoft: Worm:Win32/Brontok.BO@mm

G Data: Win32.Brontok.ND

Kaspersky Lab: Email-Worm.Win32.Brontok.q

Bitdefender: Win32.Brontok.ND

ESET: Win32/Brontok.CH worm
Files
The following copies of itself are created:
- %WINDIR%\ShellNew\RakyatKelaparan.exe
- %SYSDIR%\cmd-brontok.exe
- %WINDIR%\KesenjanganSosial.exe
- %USERPROFILE%\Local Settings\Application Data\smss.exe
- %USERPROFILE%\Local Settings\Application Data\br5931on.exe
- %USERPROFILE%\Local Settings\Application Data\services.exe
- %USERPROFILE%\Local Settings\Application Data\lsass.exe
- %USERPROFILE%\Local Settings\Application Data\inetinfo.exe
- %USERPROFILE%\Local Settings\Application Data\csrss.exe
- %WINDIR%\ShellNew\RakyatKelaparan.exe
- %SYSDIR%\cmd-brontok.exe
- %WINDIR%\KesenjanganSosial.exe
- %USERPROFILE%\Local Settings\Application Data\br5931on.exe
- %USERPROFILE%\Local Settings\Application Data\services.exe
- %USERPROFILE%\Local Settings\Application Data\lsass.exe
- %USERPROFILE%\Local Settings\Application Data\inetinfo.exe
- %USERPROFILE%\Local Settings\Application Data\csrss.exe
- %USERPROFILE%\Local Settings\Application Data\winlogon.exe
- %WINDIR%\ShellNew\RakyatKelaparan.exe
- %SYSDIR%\cmd-brontok.exe
- %WINDIR%\KesenjanganSosial.exe
- %USERPROFILE%\Local Settings\Application Data\br5931on.exe
- %USERPROFILE%\Local Settings\Application Data\services.exe
- %USERPROFILE%\Local Settings\Application Data\lsass.exe
- %USERPROFILE%\Local Settings\Application Data\inetinfo.exe
- %USERPROFILE%\Local Settings\Application Data\csrss.exe
- %USERPROFILE%\Start Menu\Programs\Startup\Empty.pif
- %USERPROFILE%\Templates\10044-NendangBro.com
- %SYSDIR%\%USERNAME%'s Setting.scr
- %WINDIR%\ShellNew\RakyatKelaparan.exe
- %SYSDIR%\cmd-brontok.exe
- %WINDIR%\KesenjanganSosial.exe
- %USERPROFILE%\Local Settings\Application Data\br5931on.exe
- %USERPROFILE%\Local Settings\Application Data\lsass.exe
- %USERPROFILE%\Local Settings\Application Data\inetinfo.exe
- %USERPROFILE%\Local Settings\Application Data\csrss.exe
- %WINDIR%\ShellNew\RakyatKelaparan.exe
- %SYSDIR%\cmd-brontok.exe
- %WINDIR%\KesenjanganSosial.exe
- %USERPROFILE%\Local Settings\Application Data\br5931on.exe
- %USERPROFILE%\Local Settings\Application Data\inetinfo.exe
- %USERPROFILE%\Local Settings\Application Data\csrss.exe
- %WINDIR%\ShellNew\RakyatKelaparan.exe
- %SYSDIR%\cmd-brontok.exe
- %WINDIR%\KesenjanganSosial.exe
- %USERPROFILE%\Local Settings\Application Data\br5931on.exe
- %USERPROFILE%\Local Settings\Application Data\csrss.exe
- %SYSDIR%\drivers\etc\hosts-Denied By-%USERNAME%.com
The following files are changed:
- %DISKDRIVE%\AUTOEXEC.BAT
- %temporary internet files%\Content.IE5\index.dat
- %USERPROFILE%\Cookies\index.dat
- %USERPROFILE%\Local Settings\History\History.IE5\index.dat
The following files are deleted:
- %TEMPDIR%\~DFE85D.tmp
- %TEMPDIR%\~DFD2DE.tmp
- %SYSDIR%\drivers\etc\hosts-Denied By-%USERNAME%.com
- %TEMPDIR%\~DF275.tmp
The following files are created:
- %TEMPDIR%\~DFE85D.tmp
- %TEMPDIR%\~DFD2DE.tmp
- %TEMPDIR%\~DF275.tmp
Registry
The following registry entries are added:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
- HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings ("ProxyEnable": dword:00000000)
HTTP Requests
- www.*****eb.com/News/cmbrotlu3/IN16QGROQGRO.css
- www.*****eb.com/News/cmbrotlu3/Host16.css

Help make the web safer by sending us suspicious files/URLs to analyze

Submit your file/URL or Go to Avira Answers

Why submit a suspicious file?

If you encountered a suspicious file or website that’s not in our database, we’ll analyze it and determine whether it’s harmful. Our findings are then pushed out to our millions of users with their next virus database update. If you have Avira, you’ll get that update too. Don’t have Avira? Get it on our homepage.

What’s Avira Answers?

It’s our thriving community of technical professionals and part-time experts, working together to help solve tech problems. It’s the perfect place to pose your question to a community of fellow Avira users.

My Account

Avira Virus Lab

Worm/Brontok.E.1

Stay safe from all these threats with Avira Free Antivirus.

Help make the web safer by sending us suspicious files/URLs to analyze

Why submit a suspicious file?

What’s Avira Answers?