Home / malware Worm:Win32/Brontok.R@mm
First posted on 10 May 2010.
Source: SecurityHomeAliases :
Worm:Win32/Brontok.R@mm is also known as Win-Trojan/Xema.variant (AhnLab), W32/EmailWorm.OXI (Authentium (Command)), Email-Worm.Win32.Brontok.q (Kaspersky), W32/Rontokbro (Norman), I-Worm.Brontok.QJ (VirusBuster), Worm/Brontok.FW (AVG), Worm/Brontok.C (Avira), Win32/Robknot.Z (CA), Win32/Brontok.S (ESET), Email-Worm.Win32.Brontok (Ikarus), W32/Rontokbro.gen@MM (McAfee), W32/Brontok.GS.WORM (Panda), Trojan.Win32.Mnless.dyr (Rising AV), W32/Brontok-G (Sophos), Email-Worm.Win32.Brontok.ik (Sunbelt Software), W32.Rontokbro@mm (Symantec), WORM_RONTOKBR.CO (Trend Micro) more.
Explanation :
Worm:Win32/Brontok.R@mm is a mass-mailing worm that changes security systems on the infected computer. It usually arrives via e-mail. Worm:Win32/Brontok.R@mm modifies certain computer settings, such as how hidden files are displayed, and disables registry editing. It can also modify the computer's HOSTS file.
Top
Worm:Win32/Brontok.R@mm is a mass-mailing worm that changes security systems on the infected computer. It usually arrives via e-mail. Worm:Win32/Brontok.R@mm modifies certain computer settings, such as how hidden files are displayed, and disables registry editing. It can also modify the computer's HOSTS file. Installation Upon execution, Worm:Win32/Brontok.R@mm opens an Explorer window to the "My Documents" folder. This may mislead the user into thinking that the malware file is harmless. It creates the following folder:%AppData%\Bron.tok-12-27 %Windir%\ShellNew It creates copies of itself as the following:%AppData%\csrss.exe %AppData%\inetinfo.exe %AppData%\lsass.exe %AppData%\services.exe %AppData%\smss.exe %AppData%\winlogon.exe %UserProfile%\Templates\Brengkolang.com or %UserProfile%\Templates\WowTumpeh.com %windir%\ShellNew\sempalong.exe %windir%\eksplorasi.pif <startup folder>\Empty.pif <system folder>\<current user>'s Setting.scr (for example, "<system folder>\user1's Settings.scr") Users should take care not to confuse the file names "csrss.exe", "inetinfo.exe", "lsass.exe", "services.exe", "smss.exe", and "winlogon.exe" with legitimate system files using the same names. The legitimate system files located by default in the Windows system folder. Note 1 - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. Note 2 - <startup folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'. Worm:Win32/Brontok.R@mm creates and modifies the following registry entries so that it automatically runs every time Windows starts: Adds value: "Tok-Cirrhatus" With data: "%AppData%\smss.exe" In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Adds value: "Bron-Spizaetus" With data: "%windir%\ShellNew\sempalong.exe"" In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Modifies value: "Shell" From data: "explorer.exe" (default value) To data: "explorer.exe "%windir%\eksplorasi.exe"" In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon It also creates a job named "%windir%\Tasks\At1.job", which is designed to automatically run its copy "%UserProfile%\Templates\Brengkolang.com" at a specific schedule. Spreads via... Mass mailing Worm:Win32/Brontok.R@mm searches for e-mail addresses in matching the following extensions: .ASP .CFM .CSV .DOC .EML .PHP .TXT .WAB Gathered addresses are stored in a file in %AppData%, for example, "NetMailTmp.bin". Worm:Win32/Brontok.R@mm then sends out e-mail addresses to these addresses. The e-mail messages may have the following format: Subject: (no subject) From: (either one of these) Berita_<two numbers>@kafegaul.com GaulNew_<two numbers>@kafegaul.com HotNews_<two numbers>@playboy.com Movie_<two numbers>@playboy.com Attachment: (executable file) Body: (may be, but is not limited to) By: HVM31 -- JowoBot #VM Community -- Removable drives and shared folders Worm:Win32/Brontok.R@mm also attempts to spread by copying itself to available removable drives and the following folders:My Data Sources My Ebooks My Music My Pictures My Shapes My Videos My Documents The file names it uses for its copies vary. Payload Modifies system settings Worm:Win32/Brontok.R@mm modifies the following computer settings:Changes the way hidden files are displayed in Windows Explorer: Adds value: "Hidden" With data: "0" Adds value: "HideFileExt" With data: "1" Adds value: "ShowSuperHidden" with data: "0" In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AdvancedChanges the way file display options are made available in Windows Explorer: Adds value: "NoFolderOptions" With data: "1" In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerEnables Command Prompt: Adds value: "DisableCMD" With data: "0" In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\SystemDisables registry editing tools: Adds value: "DisableRegistryTools" With data: "1" In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System Modifies system files Worm:Win32/Brontok.R@mm may create the following file, or modify it if it exists: autoexec.bat by adding the command "pause" into it. Worm:Win32/Brontok.R@mm may also modify the HOSTS file. Connects to a remote server Worm:Win32/Brontok.R@mm checks if the computer is connected to the Internet by connecting to: google.com yahoo.com If the computer is connected, it then attempts to download arbitrary files from the following subdomains: geocities.com/sblsji1/ geocities.com/sbllro2/ geocities.com/sbltlu3/ geocities.com/sblppt4/ geocities.com/sbllma5/ Additional information Worm:Win32/Brontok.R@mm may create a file named "Ok-SendMail-Bron-tok" in the %AppData% folder.
Analysis by Patrik VicolLast update 10 May 2010