Worm:Win32/Brontok.DF@mm
First posted on 21 February 2012.
Source: Microsoft
Aliases:
There are no other names known for Worm:Win32/Brontok.DF@mm.
Explanation:
Worm:Win32/Brontok.DF@mm is a mass-mailing email worm that spreads by sending a copy of itself as an attachment to messages that are sent out to addresses gathered from files on the infected computer. Worm:Win32/Brontok.DF@mm can also copy itself to USB and removable drives. Worm:Win32/Brontok.DF@mm modifies certain computer settings, such as how hidden files are displayed, and disables registry editing.
Installation
Upon execution, Worm:Win32/Brontok.DF@mm opens a Windows Explorer window to the "My Documents" folder. This may mislead the user into thinking that the file is not malicious.
Worm:Win32/Brontok.DF@mm creates copies of itself as the following:
- %AppData%\csrss.exe
- %AppData%\inetinfo.exe
- %AppData%\lsass.exe
- %AppData%\services.exe
- %AppData%\smss.exe
- %UserProfile%\Start Menu\Programs\Startup\Empty.pif
- %UserProfile%\Templates\Brengkolang.com
- %UserProfile%\Templates\WowTumpeh.com
- %windir%\eksplorasi.exe
- %windir%\ShellNew\bronstab.exe
- %WinDir%\system32\<user name> Setting.scr
- %WinDir%\system32\drivers\etc\hosts-denied by-<user name>.com
Note that legitimate files named "csrss.exe", "inetinfo.exe", "lsass.exe", "services.exe", "smss.exe", and "winlogon.exe" exist by default in the Windows system folder (%WinDir%\system32). The worm's copies are told apart by location, not by name: a file or running process with one of these names whose path is under %AppData% is the worm, while the genuine copies in the system folder must be left running.
Worm:Win32/Brontok.DF@mm also creates the following folders:
- %AppData%\Bron.tok-9-10
- %AppData%\loc.mail.bron.tok
- %AppData%\Ok-SendMail-Bron-tok
It may also create the following files:
- %AppData%\bronfoldnetdomlist.txt
- %AppData%\bronnetdomlist.bat
- %AppData%\bronnpath0.txt
- %AppData%\Kosong.Bron.Tok.txt
- %UserProfile%\My Documents\My Pictures\about.Brontok.A.html - contains the body of the email it sends out
It also modifies the system registry so that its copies run at every Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Tok-Cirrhatus"
With data: "%AppData%\smss.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Bron-Spizaetus"
With data: "%windir%\shellnew\bronstab.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Modifies value: "Shell"
From data: "explorer.exe" (default value)
To data: explorer.exe "%windir%\eksplorasi.exe"
In most cases, Worm:Win32/Brontok uses the Windows "New folder" icon for the worm files. This may cause the file to appear as if it were a new folder rather than an executable file. Unsuspecting users clicking on what they perceive to be a folder to view its contents thereby inadvertently run the worm file.
Worm:Win32/Brontok.DF@mm also creates the following scheduled task, which ensures that the worm copy (either %UserProfile%\Templates\Brengkolang.com or %UserProfile%\Templates\WowTumpeh.com) runs every day:
%WinDir%\Tasks\At1.job
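The persistence points listed above can be audited on a live host with the following PowerShell script. It is an added example, not Microsoft's removal tool or code from the original entry: the file paths, registry value names and task name are copied from the lists above; resolving the Startup and Templates folders through the shell (so the check also works on Windows versions where those folders moved under AppData\Roaming) is an assumption; and nothing is deleted unless the script is run with -Remediate.

```powershell
# Added example: audit, and optionally remove, the Worm:Win32/Brontok.DF@mm
# persistence points described in this entry. Run from an elevated prompt as
# the affected user (HKCU entries). Not Microsoft's code; IOCs from the entry.
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[string]
$user     = $env:USERNAME
# Assumption: look the Startup/Templates folders up via the shell instead of
# hard-coding the XP-era "%UserProfile%\Start Menu\..." paths.
$startup   = [Environment]::GetFolderPath('Startup')
$templates = [Environment]::GetFolderPath('Templates')

# 1. Running copies. They carry the names of core system processes, so the
#    decision is made on the image path: genuine csrss/lsass/services/smss
#    live in %WinDir%\System32 and killing them would crash or reboot the
#    machine. Path is $null for processes we cannot open; those are skipped.
$sys32 = "$env:WINDIR\System32"
Get-Process -Name csrss,inetinfo,lsass,services,smss,eksplorasi,bronstab -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and -not ($_.Path.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)) } |
    ForEach-Object {
        $findings.Add("process: $($_.Path) (PID $($_.Id))")
        if ($Remediate) { Stop-Process -Id $_.Id -Force }
    }

# 2. Dropped copies, from the list in the entry.
$dropped = @(
    "$env:APPDATA\csrss.exe", "$env:APPDATA\inetinfo.exe", "$env:APPDATA\lsass.exe",
    "$env:APPDATA\services.exe", "$env:APPDATA\smss.exe",
    "$startup\Empty.pif",
    "$templates\Brengkolang.com", "$templates\WowTumpeh.com",
    "$env:WINDIR\eksplorasi.exe", "$env:WINDIR\ShellNew\bronstab.exe",
    "$env:WINDIR\system32\$user Setting.scr",
    "$env:WINDIR\system32\drivers\etc\hosts-denied by-$user.com"
)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) {
        $findings.Add("file: $p")
        if ($Remediate) { Remove-Item -LiteralPath $p -Force }
    }
}

# 3. Run values (named after Spizaetus cirrhatus, the Brontok eagle).
$runValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Tok-Cirrhatus' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Bron-Spizaetus' }
)
foreach ($r in $runValues) {
    $item = Get-ItemProperty -Path $r.Key -Name $r.Name -ErrorAction SilentlyContinue
    if ($item) {
        $findings.Add("run value: $($r.Key)\$($r.Name) = $($item.($r.Name))")
        if ($Remediate) { Remove-ItemProperty -Path $r.Key -Name $r.Name }
    }
}

# 4. Winlogon Shell must be exactly "explorer.exe". The worm appends its own
#    path after it, so a "contains explorer.exe" check would miss the change.
$wl    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings.Add("Winlogon Shell tampered: $shell")
    if ($Remediate) { Set-ItemProperty -Path $wl -Name Shell -Value 'explorer.exe' }
}

# 5. The daily At1 job. Remove it through the scheduler so its registration
#    goes too, then delete the .job file if anything is left behind.
$job = "$env:WINDIR\Tasks\At1.job"
if (Test-Path -LiteralPath $job) {
    $findings.Add("scheduled task: $job")
    if ($Remediate) {
        schtasks.exe /Delete /TN At1 /F 2>$null | Out-Null
        if (Test-Path -LiteralPath $job) { Remove-Item -LiteralPath $job -Force }
    }
}

if ($findings.Count -eq 0) { 'No Brontok.DF persistence artifacts found.' } else { $findings }
```

Run it once without -Remediate and read the output first: the process check is the only part that acts on anything not fully enumerated in the entry, and it deliberately leaves alone any process whose image path it cannot read rather than guess from the name.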
Spreads via...
Email messages
Worm:Win32/Brontok.DF@mm searches for email addresses in files with the following extensions:
.ASP
.CFM
.CSV
.DOC
.EML
.EXE
.HTM
.HTML
.HTT
.PHP
.PPT
.TXT
.WAB
.XLS
Gathered addresses are stored in a file in the folder "%AppData%\loc.mail.bron.tok". Worm:Win32/Brontok.DF@mm then sends out messages to these addresses.
The email messages may have the following format:
Subject: (no subject)
From: (any of the following)
Berita_<two numbers>@kafegaul.com
GaulNew_<two numbers>@kafegaul.com
HotNews_<two numbers>@playboy.com
Movie_<two numbers>@playboy.com
Attachment: (any of the following executable files)
rundll32.exe
Systray.exe
tskmgr.exe
winword.exe
xpshare.exe
Body: (stored in "%UserProfile%\My Documents\My Pictures\about.Brontok.A.html"; the text is Indonesian and may include, but is not limited to, the following lines, listed here alphabetically rather than in message order, with English glosses in square brackets:)
!!! Akan Kubuat Mereka (VM lokal yg cengeng & bodoh) Terkapar !! [I will knock them (whiny & stupid local VMs) flat]
( Go To HELL )
( Send to "NUSAKAMBANGAN") [Nusakambangan is an Indonesian prison island]
-- Hentikan kebobrokan di negeri ini -- [Stop the rot in this country]
-- JowoBot #VM Community --
-- KIAMAT SUDAH DEKAT -- [Judgement day is near]
1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA [Jail the corrupt, smugglers, bribers & drug dealers]
2. Stop Free Sex, Aborsi, & Prostitusi [Stop free sex, abortion & prostitution]
3. Stop pencemaran lingkungan, pembakaran hutan & perburuan liar. [Stop environmental pollution, forest burning & poaching.]
4. SAY NO TO DRUGS !!!
[ By: HVM31 ]
BRONTOK.A[9]
Elang Brontok (Spizaetus Cirrhatus) yang hampir punah [The nearly extinct Brontok eagle (Spizaetus cirrhatus)]
Terinspirasi oleh: [Inspired by:]
Removable drives and shared folders
Worm:Win32/Brontok.DF@mm also attempts to spread by copying itself to available removable drives and the following shared folders:
- My Data Sources
- My Documents
- My Ebooks
- My Music
- My Pictures
- My Shapes
- My Videos
The file names it uses for its copies vary.
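Because the file names of the copies vary, a scan of removable media has to go by placement rather than by name. The following PowerShell listing is an added example, not part of the original entry: it lists every executable on removable drives and flags the traits this entry attributes to the worm's copies (an executable at the drive root or inside one of the "My ..." folders above, and hidden files, given the Explorer "Hidden" change described under Payload). The additional "named like a sibling folder" flag is an assumption that goes beyond the entry; it targets the folder-icon lure described under Installation, where a file such as "My Pictures.exe" sits beside a real "My Pictures" folder. It assumes PowerShell 3.0 or later for Get-CimInstance and the -File switch.

```powershell
# Added example: enumerate executables on removable drives and flag the
# placement traits associated with Brontok.DF copies. Not Microsoft's code.
$lureNames = 'My Data Sources','My Documents','My Ebooks','My Music','My Pictures','My Shapes','My Videos'
$exeExt    = '.exe','.com','.scr','.pif'     # extensions used by the copies in this entry

# DriveType 2 = removable disk (USB sticks, card readers)
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
             Select-Object -ExpandProperty DeviceID          # e.g. "E:"

foreach ($drive in $removable) {
    # -Force includes hidden files, which the worm's Explorer change would otherwise conceal
    Get-ChildItem -LiteralPath "$drive\" -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $exeExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $dir     = $_.Directory
            $reasons = @()
            if ($dir.FullName -eq "$drive\")       { $reasons += 'at drive root' }
            if ($lureNames -contains $dir.Name)    { $reasons += "inside '$($dir.Name)'" }
            # Assumption (not from the entry): executable named after a sibling folder
            if (Test-Path -LiteralPath (Join-Path $dir.FullName $_.BaseName) -PathType Container) {
                $reasons += 'named like a sibling folder'
            }
            if (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $reasons += 'hidden' }
            [pscustomobject]@{
                Path    = $_.FullName
                Size    = $_.Length
                Reasons = ($reasons -join '; ')
            }
        }
}
```

Every executable on the drive is listed, with the Reasons column empty for ordinary files, so the output is a triage list rather than a verdict; a hidden .exe at the root with a folder's name is the pattern worth pulling for a hash lookup.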
Payload
Modifies system settings
Worm:Win32/Brontok.DF@mm modifies the following computer settings:
Changes the way hidden files are displayed in Windows Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "0"
Changes the way file display options are made available in Windows Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoFolderOptions"
With data: "1"
Disables registry editing tools:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "1"
Modifies system files
Worm:Win32/Brontok.DF@mm may create the following file, or modify it if it exists, by adding the command "pause" to it:
autoexec.bat
On DOS-based Windows versions this halts startup until a key is pressed. On Windows NT-based versions autoexec.bat is not executed at boot (it is only parsed for environment variable settings at logon), so there the added line serves mainly as an indicator of infection.
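The three registry changes under "Modifies system settings" and the autoexec.bat modification can be reverted together. The following PowerShell script is an added example, not code from the original entry: the keys, value names and the data the worm writes are taken from the entry; the restore values (Hidden = 1 to show hidden files, and removing the two policy values outright) are the usual clean state and are an assumption. It assumes it runs as the affected user, since all three values are under HKCU, and it changes nothing unless run with -Fix.

```powershell
# Added example: revert the Explorer/policy changes made by
# Worm:Win32/Brontok.DF@mm and strip its "pause" from autoexec.bat.
# Run as the affected user; the values are per-user (HKCU). Not Microsoft's code.
param([switch]$Fix)

$report = New-Object System.Collections.Generic.List[string]

# Key, value, the data the worm writes (Bad), and what to put back. A null
# Restore means the clean state is "value absent" (assumption).
$settings = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'Hidden';               Bad = 0; Restore = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoFolderOptions';      Bad = 1; Restore = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'; Bad = 1; Restore = $null }
)

# DisableRegistryTools blocks regedit.exe only; the PowerShell registry
# provider is unaffected, so this works while the policy is still active.
foreach ($s in $settings) {
    $item = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $current = $item.($s.Name)
    if ($current -ne $s.Bad) { continue }
    $report.Add("$($s.Key)\$($s.Name) = $current (worm setting)")
    if ($Fix) {
        if ($null -eq $s.Restore) {
            Remove-ItemProperty -Path $s.Key -Name $s.Name
        } else {
            Set-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Restore -Type DWord
        }
    }
}

# autoexec.bat: remove bare "pause" lines, keep everything else as-is.
$autoexec = Join-Path $env:SystemDrive 'autoexec.bat'
if (Test-Path -LiteralPath $autoexec) {
    $lines      = @(Get-Content -LiteralPath $autoexec)
    $pauseLines = @($lines | Where-Object { $_.Trim() -ieq 'pause' })
    if ($pauseLines.Count -gt 0) {
        $report.Add("$autoexec contains 'pause' ($($pauseLines.Count) line(s))")
        if ($Fix) {
            $kept = @($lines | Where-Object { $_.Trim() -ine 'pause' })
            Set-Content -LiteralPath $autoexec -Value $kept
        }
    }
}

if ($report.Count -eq 0) { 'No Brontok.DF setting changes found.' } else { $report }
```

In a managed environment NoFolderOptions and DisableRegistryTools may be set deliberately by Group Policy in these same keys, so check the applied policy (for example with gpresult /h) before removing them; policy-set values will simply return at the next refresh in any case. The Explorer "Hidden" change takes effect once Explorer re-reads its settings.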
Connects to a remote server
Worm:Win32/Brontok.DF@mm checks if the computer is connected to the Internet by connecting to:
- google.com
- yahoo.com
Additional information
Worm:Win32/Brontok.DF@mm may create a file named "Ok-SendMail-Bron-tok" in the %AppData% folder (the same name also appears above among the folders it creates).
Analysis by Hyun Choi
Last update 21 February 2012