Avira Virus Lab
Worm/Brontok.E.1
Name: Worm/Brontok.E.1
Date discovered: Oct 8, 2015
Type: Malware
Impact: High
Reported Infections: Low
Operating System: Windows
VDF version: 7.11.47.198 (2012-10-26 15:42)
The term 'WORM' denotes a worm that is able to spread itself, for instance, over the Internet (using email, peer-to-peer networks, or IRC networks, etc.).
Aliases
- Avast: Win32:Brontok-CE
- AVG: I-Worm/Brontok.X
- ClamAV: Worm.Brontok.H
- Dr. Web: Win32.HLLM.Generic.440
- F-PROT: W32/Brontok.C.gen!Eldorado (generic, not disinfectable)
- Trend Micro: TROJ_SPNR.03I211
- Microsoft: Worm:Win32/Brontok.BO@mm
- G Data: Win32.Brontok.ND
- Kaspersky Lab: Email-Worm.Win32.Brontok.q
- Bitdefender: Win32.Brontok.ND
- ESET: Win32/Brontok.CH worm
Files
The following copies of itself are created:
- %WINDIR%\ShellNew\RakyatKelaparan.exe
- %SYSDIR%\cmd-brontok.exe
- %WINDIR%\KesenjanganSosial.exe
- %USERPROFILE%\Local Settings\Application Data\smss.exe
- %USERPROFILE%\Local Settings\Application Data\br5931on.exe
- %USERPROFILE%\Local Settings\Application Data\services.exe
- %USERPROFILE%\Local Settings\Application Data\lsass.exe
- %USERPROFILE%\Local Settings\Application Data\inetinfo.exe
- %USERPROFILE%\Local Settings\Application Data\csrss.exe
- %USERPROFILE%\Local Settings\Application Data\winlogon.exe
- %USERPROFILE%\Start Menu\Programs\Startup\Empty.pif
- %USERPROFILE%\Templates\10044-NendangBro.com
- %SYSDIR%\%USERNAME%'s Setting.scr
- %SYSDIR%\drivers\etc\hosts-Denied By-%USERNAME%.com
- %DISKDRIVE%\AUTOEXEC.BAT
- %temporary internet files%\Content.IE5\index.dat
- %USERPROFILE%\Cookies\index.dat
- %USERPROFILE%\Local Settings\History\History.IE5\index.dat
- %TEMPDIR%\~DFE85D.tmp
- %TEMPDIR%\~DFD2DE.tmp
- %TEMPDIR%\~DF275.tmp
-
Registry
The following registry entries are added:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ("DisableRegistryTools": dword:00000001; "DisableCMD": dword:00000000)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("Bron-Spizaetus": ""%WINDIR%\ShellNew\RakyatKelaparan.exe"")
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot ("AlternateShell": "cmd-brontok.exe")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ("NoFolderOptions": dword:00000001)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Tok-Cirrhatus-2454": ""%USERPROFILE%\Local Settings\Application Data\br5931on.exe""; "Tok-Cirrhatus": "")
- HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings ("ProxyEnable": dword:00000000)

HTTP Requests
- www.*****eb.com/News/cmbrotlu3/IN16QGROQGRO.css
- www.*****eb.com/News/cmbrotlu3/Host16.css