Avira Virus Lab

Worm/Brontok.E.1

Name

Worm/Brontok.E.1
Date discovered

Oct 8, 2015
Type

Malware
Impact

High
Reported Infections

Low
Operating System

Windows
VDF version

7.11.47.198 (2012-10-26 15:42)

The term 'WORM' denotes a worm that is able to spread itself, for instance, over the Internet (using email, peer-to-peer networks, or IRC networks, etc.).

VDF

7.11.47.198 (2012-10-26 15:42)
Aliases

Avast: Win32:Brontok-CE

AVG: I-Worm/Brontok.X

ClamAV: Worm.Brontok.H

Dr. Web: Win32.HLLM.Generic.440

F-PROT: W32/Brontok.C.gen!Eldorado (generic, not disinfectable)

Trend Micro: TROJ_SPNR.03I211

Microsoft: Worm:Win32/[email protected]

G Data: Win32.Brontok.ND

Kaspersky Lab: Email-Worm.Win32.Brontok.q

Bitdefender: Win32.Brontok.ND

ESET: Win32/Brontok.CH worm
Files
The following copies of itself are created:
- %WINDIR%\ShellNew\RakyatKelaparan.exe
- %SYSDIR%\cmd-brontok.exe
- %WINDIR%\KesenjanganSosial.exe
- %USERPROFILE%\Local Settings\Application Data\smss.exe
- %USERPROFILE%\Local Settings\Application Data\br5931on.exe
- %USERPROFILE%\Local Settings\Application Data\services.exe
- %USERPROFILE%\Local Settings\Application Data\lsass.exe
- %USERPROFILE%\Local Settings\Application Data\inetinfo.exe
- %USERPROFILE%\Local Settings\Application Data\csrss.exe
- %WINDIR%\ShellNew\RakyatKelaparan.exe
- %SYSDIR%\cmd-brontok.exe
- %WINDIR%\KesenjanganSosial.exe
- %USERPROFILE%\Local Settings\Application Data\br5931on.exe
- %USERPROFILE%\Local Settings\Application Data\services.exe
- %USERPROFILE%\Local Settings\Application Data\lsass.exe
- %USERPROFILE%\Local Settings\Application Data\inetinfo.exe
- %USERPROFILE%\Local Settings\Application Data\csrss.exe
- %USERPROFILE%\Local Settings\Application Data\winlogon.exe
- %WINDIR%\ShellNew\RakyatKelaparan.exe
- %SYSDIR%\cmd-brontok.exe
- %WINDIR%\KesenjanganSosial.exe
- %USERPROFILE%\Local Settings\Application Data\br5931on.exe
- %USERPROFILE%\Local Settings\Application Data\services.exe
- %USERPROFILE%\Local Settings\Application Data\lsass.exe
- %USERPROFILE%\Local Settings\Application Data\inetinfo.exe
- %USERPROFILE%\Local Settings\Application Data\csrss.exe
- %USERPROFILE%\Start Menu\Programs\Startup\Empty.pif
- %USERPROFILE%\Templates\10044-NendangBro.com
- %SYSDIR%\%USERNAME%'s Setting.scr
- %WINDIR%\ShellNew\RakyatKelaparan.exe
- %SYSDIR%\cmd-brontok.exe
- %WINDIR%\KesenjanganSosial.exe
- %USERPROFILE%\Local Settings\Application Data\br5931on.exe
- %USERPROFILE%\Local Settings\Application Data\lsass.exe
- %USERPROFILE%\Local Settings\Application Data\inetinfo.exe
- %USERPROFILE%\Local Settings\Application Data\csrss.exe
- %WINDIR%\ShellNew\RakyatKelaparan.exe
- %SYSDIR%\cmd-brontok.exe
- %WINDIR%\KesenjanganSosial.exe
- %USERPROFILE%\Local Settings\Application Data\br5931on.exe
- %USERPROFILE%\Local Settings\Application Data\inetinfo.exe
- %USERPROFILE%\Local Settings\Application Data\csrss.exe
- %WINDIR%\ShellNew\RakyatKelaparan.exe
- %SYSDIR%\cmd-brontok.exe
- %WINDIR%\KesenjanganSosial.exe
- %USERPROFILE%\Local Settings\Application Data\br5931on.exe
- %USERPROFILE%\Local Settings\Application Data\csrss.exe
- %SYSDIR%\drivers\etc\hosts-Denied By-%USERNAME%.com
The following files are changed:
- %DISKDRIVE%\AUTOEXEC.BAT
- %temporary internet files%\Content.IE5\index.dat
- %USERPROFILE%\Cookies\index.dat
- %USERPROFILE%\Local Settings\History\History.IE5\index.dat
The following files are deleted:
- %TEMPDIR%\~DFE85D.tmp
- %TEMPDIR%\~DFD2DE.tmp
- %SYSDIR%\drivers\etc\hosts-Denied By-%USERNAME%.com
- %TEMPDIR%\~DF275.tmp
The following files are created:
- %TEMPDIR%\~DFE85D.tmp
- %TEMPDIR%\~DFD2DE.tmp
- %TEMPDIR%\~DF275.tmp
Registry
The following registry entries are added:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
- HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings ("ProxyEnable": dword:00000000)
HTTP Requests
- www.*****eb.com/News/cmbrotlu3/IN16QGROQGRO.css
- www.*****eb.com/News/cmbrotlu3/Host16.css

Avira Virus Lab

Worm/Brontok.E.1

Help make the web safer by sending us suspicious files/URLs to analyze

Why submit a suspicious file?

My Account

Avira Virus Lab

Worm/Brontok.E.1

Stay safe from all these threats with Avira Free Antivirus.

Help make the web safer by sending us suspicious files/URLs to analyze

Why submit a suspicious file?