Home / malwarePDF  

Worm:W32/Brontok.B


First posted on 29 June 2010.
Source: SecurityHome

Aliases :

There are no other names known for Worm:W32/Brontok.B.

Explanation :

A type of worm that replicates by sending complete, independent copies of itself over a network.

Additional DetailsNet-Worm:W32/Brontok.B attempts to propagate over removable media such as USB thumb drives. It may also attempt to connect to remote servers.

Brontok.B disables certain features of the operating system.

Execution

On execution, the first noticeable characteristic from this malware is the termination of applications such as CMD, regedit, and other EXE files. Processes with the following strings are terminated by this malware:

€ ANT € ASM € AVAST € BUG € CONF € CONSO € DBG € DETEC € INSTALL € KASP € MCAFEE € NOD € NORTON € NTVDM € OPEN € PLAY € PROC € REG € REMOV € SCAN € SECUR € SUPPO € TASK € UPDAT € UPG € VIR € W32 € WALK

Furthermore, this malware will not perform any system changes if its filename is any of the following:

€ AutoPro.exe € mdefault.exe € mcagent.exe € mcshield.exe
During execution, the following files are dropped:

€ C:\AUTORUN.INF € C:\Documents and Settings\\Local Settings\Temp\~DF1A17.tmp € C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif € C:\WINDOWS\Autorun.inf € C:\WINDOWS\Web\shell.exe € C:\WINDOWS\winme.exe € C:\winme.exe

Activity

This worm may open a browser attempting to connect to the following URLs:

€ http://security.symantec.com € http://www.symantec.com

Propagation

Brontok.B will create AUTORUN.INF files and copy itself to available removable media (USB drives) to allow itself to propagate.

Last update 29 June 2010

 

TOP

Malware :