
Worm:Win32/Brontok.FFV


First posted on 17 May 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Brontok.FFV is also known as Win32/Detnat.E (AhnLab), W32/Backdoor.BVDW (Authentium (Command)), Worm.Win32.Detnat.e (Kaspersky), Detnat.gen1 (Norman), Worm.VB.FMU (VirusBuster), Trojan horse Downloader.Generic2.OEH.dropper (AVG), TR/VB.BG (Avira), Trojan.FakeFolder.A (BitDefender), Win32/Bacalid (CA), Win32.HLLW.Blank (Dr.Web), Win32/Bacalid.A (ESET), Worm.Win32.Brontok (Ikarus), W32/Bacalid.gen (McAfee), W32/Bacalid.A (Panda), Worm.Win32.Detnat.g (Rising AV).

Explanation :

Worm:Win32/Brontok.FFV is detection for a variant of the Win32/Brontok worm family. This variant of the Brontok family spreads by copying itself to removable drives. It can disable antivirus and security software and modify Windows settings.

Installation

When run, Worm:Win32/Brontok.FFV may create copies of itself as the following:

  • <system folder>\dllchache\empty.jpg
  • <system folder>\dllchache\blank.doc
  • <system folder>\dllchache\zero.txt
  • <system folder>\dllchache\hole.zip
  • <system folder>\dllchache\unoccupied.reg
  • <system folder>\dllcache\regedit32.com
  • <system folder>\dllcache\shell32.com
  • <system folder>\rund1132.exe
  • <system folder>\m5vbvm60.exe
  • <system folder>\dllchache.exe
  • c:\aut0exec.bat
  • %windir%\system32.exe

Worm:Win32/Brontok.FFV launches the dropped copies of the worm with "ReStart" as a parameter, for example "C:\WINDOWS\system32\dllChache\Empty.jpg ReStart".

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista and 7.

The worm also drops a non-malicious Visual Basic runtime library file as <system folder>\dllchache\msvbvm60.dll. Note the lookalike naming in the list above: the malicious copy is m5vbvm60.exe, and the folder "dllchache" imitates the legitimate "dllcache".

The registry is modified to run dropped copies of the worm during the following Windows events.

  • At each Windows start:

    Sets value: "Secure64"
    With data: "<system folder>\dllcache\regedit32.com startup"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Sets value: "Blank AntiViri"
    With data: "c:\aut0exec.bat startup"
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Modifies value: "Userinit"
    From data: "<system folder>\userinit.exe,"
    To data: "<system folder>\userinit.exe, "<system folder>\m5vbvm60.exe startup""
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • When starting Windows in Safe mode

    Modifies value: "AlternateShell"
    From data: "cmd.exe"
    To data: "c:\aut0exec.bat startup"
    In subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
  • When opening files of type "text" (any file with extension ".dic", ".exc", ".log", ".scp", ".txt", ".wtx")

    Modifies value: "(default)"
    From data: "%SystemRoot%\system32\NOTEPAD.EXE %1"
    To data: "<system folder>\rund1132.exe %1"
    In subkey: HKLM\Software\Classes\txtfile\shell\open\command
  • When opening files of type "com" (any file with extension ".com")

    Modifies value: "(default)"
    From data: ""%1" %*"
    To data: "<system folder>\rund1132.exe %1"
    In subkey: HKLM\Software\Classes\comfile\shell\open\command
Spreads via… Removable drives

Worm:Win32/Brontok.FFV attempts to copy itself to removable drives using varying file names such as:

  • subst.exe
  • new folder.exe

The worm increases the chance that a curious user runs the copy by changing the file's icon to the default icon for file folders. Because Explorer hides extensions for known file types by default, a file named "new folder.exe" with a folder icon is hard to tell apart from a real folder.

Payload

Terminates security applications

Worm:Win32/Brontok.FFV attempts to terminate processes associated with security software, such as the following process names:

  • antivirus.exe
  • avgw.exe
  • ccenter.exe
  • navw32.exe

Modifies Windows settings

The worm prevents the display of hidden Windows system files by modifying registry data:

    Sets value: "ShowSuperHidden"
    With data: "0"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

The worm makes another trivial settings change by modifying the registry to display the full path of files or folders in the Explorer title bar:

    Sets value: "FullPath"
    With data: "1"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState

Additional Information

The worm drops a text file as "c:\(read me)pendekar blank.txt". The file contains text written in Indonesian.
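The following is an added triage script, not part of the original write-up and not code from the worm, that turns the indicators above into a read-only check a responder can run on a suspect host. It assumes only the lookalike file names and registry locations listed on this page; the severity labels and the decision to match on the worm's names rather than on exact "clean" values are the script's own.

```powershell
# Added triage script (not from the original write-up or the malware): checks the
# persistence points, handler hijacks, Explorer settings and dropped-file paths
# listed on this page and reports what it finds. Read-only: it does not clean.
# Run from an elevated PowerShell prompt on the suspect host.
# Assumption: the lookalike names below are the ones the write-up lists;
# another variant may use different ones.

# Matching on the worm's lookalike names rather than on an exact stock value
# avoids false positives on hosts whose Userinit or file handlers were
# legitimately customised, and still catches "userinit.exe, m5vbvm60.exe startup".
$wormPatterns = @('rund1132', 'm5vbvm60', 'dllchache', 'aut0exec',
                  'regedit32.com', 'shell32.com', '\system32.exe')

# Registry values the write-up says the worm creates or rewrites.
# AnyValue = $true: the value should not exist at all, so presence is the finding.
# '(default)' is how PowerShell exposes a key's default value.
$watched = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'Secure64';       AnyValue = $true  },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'Blank AntiViri'; AnyValue = $true  },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit';       AnyValue = $false },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot';             Name = 'AlternateShell'; AnyValue = $false },
    @{ Path = 'HKLM:\SOFTWARE\Classes\txtfile\shell\open\command';           Name = '(default)';      AnyValue = $false },
    @{ Path = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command';           Name = '(default)';      AnyValue = $false }
)

$sys = [Environment]::GetFolderPath('System')   # <system folder>, e.g. C:\Windows\System32
$dropped = @(
    "$sys\dllchache\empty.jpg", "$sys\dllchache\blank.doc", "$sys\dllchache\zero.txt",
    "$sys\dllchache\hole.zip", "$sys\dllchache\unoccupied.reg", "$sys\dllchache\msvbvm60.dll",
    "$sys\dllcache\regedit32.com", "$sys\dllcache\shell32.com",
    "$sys\rund1132.exe", "$sys\m5vbvm60.exe", "$sys\dllchache.exe",
    'C:\aut0exec.bat', "$env:windir\system32.exe", 'C:\(read me)pendekar blank.txt'
)

$findings = [System.Collections.Generic.List[string]]::new()

function Test-WormString {
    param([string]$Text)
    foreach ($p in $wormPatterns) {
        if ($Text.IndexOf($p, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

# 1. Run keys, Userinit, the Safe Mode shell, and the .txt / .com handler hijacks.
foreach ($w in $watched) {
    $props = Get-ItemProperty -Path $w.Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $name = $w.Name
    $data = $props.$name
    if ($null -eq $data) { continue }
    if ($w.AnyValue -or (Test-WormString ([string]$data))) {
        $findings.Add("[HIGH] $($w.Path) :: $name = '$data'")
    }
}

# 2. Explorer settings. ShowSuperHidden = 0 is also the Windows default, so on
#    its own it is a weak indicator; both are reported for completeness only.
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv -and $adv.ShowSuperHidden -eq 0) { $findings.Add('[LOW] Explorer\Advanced :: ShowSuperHidden = 0') }
$cab = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState' -ErrorAction SilentlyContinue
if ($cab -and $cab.FullPath -eq 1) { $findings.Add('[LOW] Explorer\CabinetState :: FullPath = 1') }

# 3. Dropped files. -LiteralPath because one of the names contains parentheses.
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) { $findings.Add("[HIGH] file present: $f") }
}

# 4. Executables in the root of removable drives (DriveType 2). The worm uses
#    varying names such as subst.exe or "new folder.exe", so every root-level
#    .exe is listed for review rather than matched by name.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' -ErrorAction SilentlyContinue | ForEach-Object {
    Get-ChildItem -LiteralPath "$($_.DeviceID)\" -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("[REVIEW] removable drive root exe: $($_.FullName)") }
}

if ($findings.Count -eq 0) { 'No Brontok.FFV indicators found.' } else { $findings }
```

When cleaning up, restore the tampered registry values before deleting the binaries, using the stock data quoted in the "From data" lines above: Userinit back to "<system folder>\userinit.exe,", AlternateShell back to "cmd.exe", the txtfile handler back to "%SystemRoot%\system32\NOTEPAD.EXE %1" and the comfile handler back to ""%1" %*". Deleting rund1132.exe first leaves both handlers pointing at a missing file, so double-clicking any .txt or .com file fails until the handlers are repaired, and removing the Run values and the two files named in them (regedit32.com, aut0exec.bat) is what actually stops the worm restarting at logon and in Safe Mode.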

    Analysis by Lena Lin

    Last update 17 May 2010

     
