
Worm:W32/Brontok.B


First posted on 29 June 2010.
Source: SecurityHome

Aliases :

There are no other names known for Worm:W32/Brontok.B.

Explanation :

A type of worm that replicates by sending complete, independent copies of itself over a network.

Additional Details

Net-Worm:W32/Brontok.B attempts to propagate over removable media such as USB thumb drives. It may also attempt to connect to remote servers.

Brontok.B disables certain features of the operating system.

Execution

On execution, the first noticeable characteristic of this malware is the termination of applications such as CMD, regedit, and other EXE files. The malware terminates processes with the following strings:

• ANT
• ASM
• AVAST
• BUG
• CONF
• CONSO
• DBG
• DETEC
• INSTALL
• KASP
• MCAFEE
• NOD
• NORTON
• NTVDM
• OPEN
• PLAY
• PROC
• REG
• REMOV
• SCAN
• SECUR
• SUPPO
• TASK
• UPDAT
• UPG
• VIR
• W32
• WALK

Furthermore, this malware will not perform any system changes if its filename is any of the following:

• AutoPro.exe
• mdefault.exe
• mcagent.exe
• mcshield.exe

During execution, the following files are dropped:

• C:\AUTORUN.INF
• C:\Documents and Settings\\Local Settings\Temp\~DF1A17.tmp
• C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif
• C:\WINDOWS\Autorun.inf
• C:\WINDOWS\Web\shell.exe
• C:\WINDOWS\winme.exe
• C:\winme.exe

Activity

This worm may open a browser attempting to connect to the following URLs:

• http://security.symantec.com
• http://www.symantec.com

Propagation

Brontok.B will create AUTORUN.INF files and copy itself to available removable media (USB drives) to allow itself to propagate.
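A triage check for the propagation behaviour described above, as an added example that is not part of the original write-up: it parses an AUTORUN.INF from a drive root and flags launch entries or files whose names match the dropped-file names listed on this page. The function names, the sample drive contents, and the assumption that the removable-media copy reuses one of those file names are illustrative and not stated by the source.

```python
import ntpath

# File names from this page's dropped-files list (lower-cased). Assumption:
# the copy placed on removable media reuses one of these names.
BRONTOK_B_NAMES = {"winme.exe", "shell.exe", "empty.pif"}

def autorun_commands(inf_text):
    """Return the commands an AUTORUN.INF [autorun] section would launch."""
    commands, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            commands.append(value)
    return commands

def program_name(command):
    """Lower-cased base name of the executable a command line starts with."""
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = (command.split() or [""])[0]
    return ntpath.basename(path).lower()

def triage_drive_root(files):
    """files maps each name in a drive root to its text content (or None)."""
    by_lower = {name.lower(): name for name in files}
    findings = [("dropped-name", name) for lower, name in by_lower.items()
                if lower in BRONTOK_B_NAMES]
    inf_name = by_lower.get("autorun.inf")
    if inf_name and files[inf_name]:
        for command in autorun_commands(files[inf_name]):
            if program_name(command) in BRONTOK_B_NAMES:
                findings.append(("autorun-launches", command))
    return findings

# Constructed samples (not captured from a real infection).
INFECTED = {"AUTORUN.INF": "[AutoRun]\r\nopen=winme.exe\r\nshell\\open\\command=winme.exe\r\n",
            "winme.exe": None, "notes.txt": None}
CLEAN = {"autorun.inf": "[autorun]\nicon=setup.ico\nopen=setup.exe\n", "setup.exe": None}
```

Name matches are leads for further analysis rather than a verdict, since a name such as shell.exe can belong to unrelated software.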

Last update 29 June 2010

 
