Worm:Win32/Brontok.GA@mm
First posted on 29 March 2013.
Source: Microsoft
Aliases:
Worm:Win32/Brontok.GA@mm is also known as Worm/Win32.Brontok (AhnLab), W32/Brontok.C.gen!Eldorado (Command), W32/Ircbot.CMCM (Norman), I-Worm/Brontok.A (AVG), Win32.Brontok.AP@mm (BitDefender), Win32.Virut.56 (Dr.Web), Win32/Brontok.B worm (ESET), Email-Worm.Win32.Brontok (Ikarus), Virus.Win32.Virut.ce (Kaspersky), W32/Rontokbro@MM (McAfee), Worm.Brontok!2A60 (Rising AV), W32.Virut.CF (Symantec), PE_VIRUX.R-3 (Trend Micro).
Explanation:
Installation
When run, it drops several copies of itself to the following locations:
- %LOCALAPPDATA%\csrss.exe
- %LOCALAPPDATA%\inetinfo.exe
- %LOCALAPPDATA%\lsass.exe
- %LOCALAPPDATA%\services.exe
- %LOCALAPPDATA%\smss.exe
- %LOCALAPPDATA%\winlogon.exe
- <startup folder>\Empty.pif
- %HOMEPATH%\Templates\A.kotnorB.com
- %windir%\inf\norBtok.exe
- %windir%\system32\3D Animation.scr
It creates a folder with the name format "Bron.tok-<M>-<D>", where <M> is the month and <D> is the day of the month. For example:
%LOCALAPPDATA%\Bron.tok-3-20
To make sure it automatically runs every time Windows starts, it creates a scheduled task that runs the copy "%TEMPLATES%\A.kotnorB.com" (the %HOMEPATH%\Templates\A.kotnorB.com copy listed above) every day at 17:08. The task is stored in the file "%windir%\Tasks\At1.job".
It also adds entries to the system registry so that its copies automatically run every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Tok-Cirrhatus"
With data: "%LOCALAPPDATA%\smss.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Bron-Spizaetus"
With data: "%windir%\INF\norBtok.exe"
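The installation artifacts above (dropped copies, the dated Bron.tok folder, the At1.job task and the two Run values) are what a responder checks first. The following read-only triage script is an added example, not part of the Microsoft write-up: it resolves the paths for the current host, hashes any dropped copy it finds, and also lists processes running from the drop locations, since a genuine csrss.exe or lsass.exe never runs from %LOCALAPPDATA%. It assumes it is run in the affected user's session (for HKCU and %LOCALAPPDATA%) and elevated (for HKLM and %windir%).

```powershell
# Added example (not from the Microsoft write-up): read-only triage for the
# Brontok.GA installation artifacts listed above. Reports only; changes nothing.
# Assumptions: run as the possibly affected user, from an elevated prompt.

$localApp  = $env:LOCALAPPDATA
$winDir    = $env:windir
$startup   = [Environment]::GetFolderPath('Startup')
$templates = [Environment]::GetFolderPath('Templates')

# Dropped copies and the scheduled-task job file from the write-up.
$droppedFiles = @(
    "$localApp\csrss.exe", "$localApp\inetinfo.exe", "$localApp\lsass.exe",
    "$localApp\services.exe", "$localApp\smss.exe", "$localApp\winlogon.exe",
    "$startup\Empty.pif", "$templates\A.kotnorB.com",
    "$winDir\inf\norBtok.exe", "$winDir\system32\3D Animation.scr",
    "$winDir\Tasks\At1.job"
)

# Autostart values the worm writes.
$runValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Tok-Cirrhatus' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Bron-Spizaetus' }
)

$findings = New-Object System.Collections.Generic.List[string]

foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings.Add("FILE   $f  sha256=$hash")
    }
}

# The dated working folder: Bron.tok-<M>-<D>, for example Bron.tok-3-20.
Get-ChildItem -LiteralPath $localApp -Directory -Filter 'Bron.tok-*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^Bron\.tok-\d{1,2}-\d{1,2}$' } |
    ForEach-Object { $findings.Add("DIR    $($_.FullName)") }

foreach ($rv in $runValues) {
    $item = Get-ItemProperty -Path $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
    if ($item) {
        $findings.Add("REG    $($rv.Key)\$($rv.Name) = $($item.($rv.Name))")
    }
}

# The At1 task as the scheduler sees it; At1.job on disk is checked above.
schtasks.exe /Query /FO CSV 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -match 'At1' } |
    ForEach-Object { $findings.Add("TASK   $($_.TaskName) next=$($_.'Next Run Time')") }

# Processes running from a drop location. Real csrss/lsass/smss/winlogon live
# in %windir%\System32, never in %LOCALAPPDATA%.
Get-Process -ErrorAction SilentlyContinue | Where-Object {
    $_.Path -and ($_.Path -like "$localApp\*" -or $_.Path -ieq "$winDir\inf\norBtok.exe")
} | ForEach-Object { $findings.Add("PROC   pid=$($_.Id) $($_.Path)") }

if ($findings.Count -eq 0) {
    Write-Output 'No Brontok.GA installation artifacts found.'
} else {
    Write-Output "Brontok.GA artifacts found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The hash output is there so that a hit can be compared against the vendor detections listed under Aliases before anything is deleted; the script deliberately does not remove files or registry values, because the running copy will recreate them until the process and the At1 task are stopped first.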
Spreads via...
Email
It gathers email addresses from files with the following extensions on all local drives from C to Y:
- .asp
- .cfm
- .csv
- .doc
- .eml
- .htm
- .html
- .php
- .txt
- .wab
- .xls
To guess the SMTP server for a harvested address's domain, it may prepend the following prefixes to the domain name:
- smtp.
- mail.
- ns1.
It then spreads using its own SMTP engine, sending a copy of itself as an attachment to every email address harvested from the infected computer.
The sender address is spoofed so that the emails appear to come from one of the following accounts:
- Berita_<number>@kafegaul.com
- GaulNews_<number>@kafegaul.com
- Movie_<number>@pornstargals.com
- HotNews_<number>@pornstargals.com
where <number> is a random number.
The email details may vary. Some emails have a blank subject line and an empty message. Others have messages that have English and Indonesian texts that might contain political messages or pictures. Some possible attachment file names are:
- kangen.exe
- Sample Picture.zip
- photo.zip
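The spoofed sender accounts and attachment names above are the observables a mail gateway can match. The script below is an added example, not part of the Microsoft write-up: it scores log lines against the sender pattern (the four account prefixes, a number, and one of the two domains) and against the attachment names, and deliberately treats the two signals differently. The log format and the sample lines are constructed for illustration.

```powershell
# Added example (not from the Microsoft write-up): flag mail-gateway log lines
# matching the Brontok.GA sender and attachment patterns. The log layout
# ("from=... to=... subject=... attach=...") and the sample lines are constructed.

$senderPattern   = '^(Berita|GaulNews|Movie|HotNews)_\d+@(kafegaul|pornstargals)\.com$'
$attachmentNames = @('kangen.exe', 'Sample Picture.zip', 'photo.zip')

$sampleLog = @'
2013-03-20T17:08:01 from=Berita_48213@kafegaul.com to=alice@example.test subject="" attach=kangen.exe
2013-03-20T17:08:02 from=newsletter@example.test to=bob@example.test subject="Weekly update" attach=report.pdf
2013-03-20T17:08:05 from=Movie_9@pornstargals.com to=carol@example.test subject="" attach="Sample Picture.zip"
2013-03-20T17:08:09 from=HotNews_777@pornstargals.com to=dave@example.test subject="Berita" attach=photo.zip
2013-03-20T17:08:11 from=dan@example.test to=erin@example.test subject="holiday photos" attach=photo.zip
'@

function Get-BrontokMailVerdict {
    param([Parameter(Mandatory)][string]$Line)

    $from   = if ($Line -match 'from=(\S+)') { $Matches[1] } else { '' }
    $attach = ''
    # Attachment name may be quoted when it contains a space.
    if ($Line -match 'attach=(?:"([^"]+)"|(\S+))') {
        $attach = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
    }

    $senderHit = $from -match $senderPattern
    $attachHit = $attachmentNames -contains $attach   # -contains is case-insensitive

    # The sender pattern is specific to this family; names such as photo.zip
    # are not, so an attachment-only hit is reported as low confidence.
    $verdict = if ($senderHit) { 'HIGH' } elseif ($attachHit) { 'LOW' } else { 'CLEAN' }

    [pscustomobject]@{
        Verdict = $verdict
        From    = $from
        Attach  = $attach
        Line    = $Line
    }
}

$sampleLog -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object {
    $v = Get-BrontokMailVerdict -Line $_
    if ($v.Verdict -ne 'CLEAN') {
        Write-Output ("{0,-5} from={1} attach={2}" -f $v.Verdict, $v.From, $v.Attach)
    }
}
```

On the constructed sample this yields three HIGH verdicts (the three spoofed senders) and one LOW verdict for the last line, whose only match is the generic name photo.zip. Blocking on the sender pattern alone is safe; the attachment names should only add weight, and the subject line is not usable at all since the write-up notes it may be blank.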
Network shares
It may copy itself to writeable network shares. It scans your network for writeable shares, and copies itself to subfolders in these shares, if found. It uses either a random file name or the subfolder's name for the copy. For example, if it finds the writeable folder "foo" in the share Z:, it might copy itself as "Z:\foo\foo.exe".
Payload
Lowers your computer's security settings
Worm:Win32/Brontok.GA@mm tries to lower your computer's security settings by changing one or more of the following registry entries:
- Stops you from using the Registry Editor:
In subkey: HKU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "1"
- Disables the command prompt:
In subkey: HKU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableCMD"
With data: "0"
Note that DisableCMD data of 0 actually leaves the command prompt enabled; 1 blocks interactive use of cmd.exe and 2 also blocks batch files. When triaging a host, treat any non-zero DisableCMD value as a lockout.
- Disables folder options in Windows Explorer:
In subkey: HKU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "NoFolderOptions"
With data: "1"
- Prevents the display of executable file extensions:
In subkey: HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "1"
HideFileExt set to 1 is also the Windows default, so on its own it is not an indicator of infection; it is listed because hidden extensions let the dropped copies (for example "3D Animation.scr") pass as harmless files.
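The following script is an added example, not part of the Microsoft write-up, showing how to check the four values above and put them back. It reports by default and only changes the registry when run with -Restore. It assumes the affected user's session (the write-up's HKU paths are read here under HKCU), and it encodes the DisableCMD semantics noted above: any non-zero value is a lockout, while HideFileExt is treated as a hardening fix rather than an indicator.

```powershell
# Added example (not from the Microsoft write-up): report the policy values
# Brontok.GA tampers with and, with -Restore, undo them. Run as the affected
# user. Cleanup of the dropped files, Run values and At1 task is separate.
param([switch]$Restore)

$policyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$advancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Each entry: where the value lives, what counts as tampered, how to undo it.
# DisableCMD: 0 = cmd.exe allowed, 1 = interactive cmd blocked, 2 = batch files
# blocked too; the write-up lists "0" for this worm, so check for any non-zero.
# The Policies\System values do not exist on a clean workstation, so removing
# them restores the default. HideFileExt = 1 is the Windows default; setting it
# to 0 is a hardening step that makes dropped .scr/.exe copies visible.
$checks = @(
    [pscustomobject]@{ Key = $policyKey;   Name = 'DisableRegistryTools'; Undo = 'Remove'  },
    [pscustomobject]@{ Key = $policyKey;   Name = 'DisableCMD';           Undo = 'Remove'  },
    [pscustomobject]@{ Key = $policyKey;   Name = 'NoFolderOptions';      Undo = 'Remove'  },
    [pscustomobject]@{ Key = $advancedKey; Name = 'HideFileExt';          Undo = 'SetZero' }
)

foreach ($c in $checks) {
    $current = $null
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($item) { $current = $item.($c.Name) }

    if ($null -eq $current) {
        Write-Output ("OK      {0}\{1} not set" -f $c.Key, $c.Name)
        continue
    }
    if ([int]$current -eq 0) {
        Write-Output ("OK      {0}\{1} = {2}" -f $c.Key, $c.Name, $current)
        continue
    }

    Write-Output ("TAMPER  {0}\{1} = {2}" -f $c.Key, $c.Name, $current)
    if ($Restore) {
        switch ($c.Undo) {
            'Remove'  { Remove-ItemProperty -Path $c.Key -Name $c.Name }
            'SetZero' { Set-ItemProperty -Path $c.Key -Name $c.Name -Value 0 -Type DWord }
        }
        Write-Output ("FIXED   {0}\{1}" -f $c.Key, $c.Name)
    }
}
```

Two caveats a responder should keep in mind: Explorer reads HideFileExt at start, so the change is visible only after signing out or restarting Explorer; and if the Policies\System values are set by Group Policy in a managed domain, removing them locally is temporary and the right place to fix them is the GPO.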
Overwrites files
It overwrites the file "C:\Autoexec.bat", if it exists on your computer, with the single line "pause".
Additional resources
See the Win32/Brontok malware family description for more information.
Analysis by Rex Plantado
Last update 29 March 2013