Home / malware Worm:Win32/Brontok.AS@mm
First posted on 08 January 2013.
Source: MicrosoftAliases :
Worm:Win32/Brontok.AS@mm is also known as Email-Worm.Win32.Brontok (Ikarus), Email-Worm.Win32.Brontok.q (Kaspersky), Generic.Brontok.99075776 (BitDefender), I-Worm/Brontok.EA (AVG), W32.Rontokbro@mm (Symantec), W32/Brontok-V (Sophos), W32/Rontokbro (Norman), W32/Rontokbro.gen@MM (McAfee), Win32/Brontok.CV (ESET), Win32/Brontok.worm.42579 (AhnLab), Worm/Brontok.C (Avira), WORM_RONTKBR.GEN (Trend Micro).
Explanation :
Worm:Win32/Brontok.AS@mm is a mass-mailing email worm that modifies certain computer settings, such as how hidden files are displayed, and disables registry editing.
It spreads by sending a copy of itself, as an email attachment, to contacts stored on your computer. It can also copy itself to USB and removable drives.
Worm:Win32/Brontok.AS@mm is a member of the Worm:Win32/Brontok@mm and Win32/Brontok families.
Installation
When run, Worm:Win32/Brontok.AS@mm opens a Windows Explorer window to the "My Documents" folder.
Worm:Win32/Brontok.AS@mm creates copies of itself as the following:
- %APPDATA%\br7911on.exe
- %APPDATA%\csrss.exe
- %APPDATA%\inetinfo.exe
- %APPDATA%\lsass.exe
- %APPDATA%\services.exe
- %APPDATA%\smss.exe
- %APPDATA%\svchost.exe
- %APPDATA%\winlogon.exe
- %USERPROFILE%\Start Menu\Programs\Startup\empty.pif
- %USERPROFILE%\Templates\14004-nendangbro.com
- %USERPROFILE%\Templates\Brengkolang.com
- %USERPROFILE%\Templates\WowTumpeh.com
- %windir%\berasjatah.exe
- %windir%\eksplorasi.exe
- %windir%\eksplorasi.pif
- %windir%\sembako-cmzjkji.exe
- %windir%\sembako-cmzjlii.exe
- %windir%\sembako-cmzjlji.exe
- %windir%\sembako-cnzjlpi.exe
- %windir%\sembako-dezjlph.exe
- %windir%\sembako-dfzjlog.exe
- %windir%\shellnew\bbm-qotlpinc.exe
- %windir%\shellnew\bbm-rpqlogfd.exe
- %windir%\shellnew\bbm-somljimc.exe
- %windir%\shellnew\bbm-toslphed.exe
- %windir%\shellnew\bbm-trqliimc.exe
- %windir%\shellnew\bbm-vqslphed.exe
- %windir%\shellnew\bbm-vrqliimc.exe
- %windir%\shellnew\bbm-xomljimc.exe
- %windir%\shellnew\bbm-xtvkjimc.exe
- %windir%\shellnew\bbm-yomljimc.exe
- %windir%\shellnew\bbm-zomljimc.exe
- %windir%\shellnew\sempalong.exe
- %windir%\system32\<user name>'s Setting.scr
- %windir%\system32\cmd-bro-ilx.exe
- %windir%\system32\cmd-bro-jkx.exe
- %windir%\system32\cmd-bro-jlx.exe
- %windir%\system32\cmd-bro-olx.exe
- %windir%\system32\cmd-bro-plx.exe
- %windir%\system32\drivers\etc\hosts-denied by-<user name>.com
- %windir%\system32\dxblai.exe
- %windir%\system32\dxblap.exe
- %windir%\system32\dxblbk.exe
- %windir%\system32\dxblbt.exe
- %windir%\system32\dxblcw.exe
Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\APPDATA\Roaming".
Note: %USERPROFILE% refers to a variable location that is determined by the malware by querying the operating system. The default location for the User Profile folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>" or "C:\Users\<user>". For Windows Vista, 7, and 8, the default location is "C:\Users\<user name>".
Note: %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; and for XP, Vista, 7, and 8 it is "C:\Windows".
The worm uses the Windows "new folder" icon for its copies. This may cause the file to appear as if it were a new folder rather than an executable file, luring you into inadvertently running the worm.
Worm:Win32/Brontok.AS@mm creates the following folders that contain components that the worm uses to send spam emails, including email addresses:
- %APPDATA%\Bron.tok-<random number>-<random number>, for example Bron.tok-9-10
- %APPDATA%\loc.mail.bron.tok
- %APPDATA%\Ok-SendMail-Bron-tok
It may also create the following files:
- %APPDATA%\bronfoldnetdomlist.txt - the worm uses this file to store information about your computer, such as your computer's name
- %APPDATA%\bronnetdomlist.bat - the worm uses this file to remove its original files from your computer after it has installed itself
- %APPDATA%\bronnpath0.txt - the worm uses this file to store the shared network folder paths that it uses for spreading
- %APPDATA%\Kosong.Bron.Tok.txt - the worm stores information about itself in this file, such as the author of the worm
- %USERPROFILE%\My Documents\My Pictures\about.Brontok.A.html - the worm stores the text it uses in the email it sends out in this file
Worm:Win32/Brontok.AS@mm modifies the following registry entries to ensure that its copy runs at each Windows start:
In subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
Sets value: "AlternateShell"
With data: "cmd-bro-olx.exe"
In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "Tok-Cirrhatus"
With data: "%APPDATA%\smss.exe"
In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "Tok-Cirrhatus-3444"
With data: "%APPDATA%\br7911on.exe"
In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: "Bron-Spizaetus"
With data: "%windir%\shellnew\sempalong.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe "%windir%\berasjatah.exe""
Worm:Win32/Brontok.AS@mm may create the following scheduled task to ensure the worm (either %USERPROFILE%\Templates\Brengkolang.com or %USERPROFILE%\Templates\WowTumpeh.com) runs every day:
%windir%\Tasks\At1.job
Spreads via...
Email messages
Worm:Win32/Brontok.AS@mm searches for email addresses in files with the following extensions:
- .ASP
- .CFM
- .CSV
- .DOC
- .EML
- .exe
- .HTM
- .HTML
- .HTT
- .PHP
- .PPT
- .TXT
- .WAB
- .XLS
It stores the email address it finds in a file in the folder "%APPDATA%\loc.mail.bron.tok". Worm:Win32/Brontok.AS@mm sends emails messages to these addresses.
The emails may contain a message in Indonesian, in the following format:
- Subject: (no subject)
- From: (any of the following)
- Berita_ <two numbers>@kafegaul.com
- GaulNew_ <two numbers>@kafegaul.com
- HotNews_ <two numbers>@playboy.com
- Movie_ <two numbers>@playboy.com
- Attachment: (any of the following executable files)
- rundll32.exe
- Systray.exe
- tskmgr.exe
- winword.exe
- xpshare.exe
Removable drives and shared folders
Worm:Win32/Brontok.AS@mm copies itself to all removable drives and shared folders on your computer, as well as the following locations:
- My Data Sources
- My Documents
- My Ebooks
- My Music
- My Pictures
- My Shapes
- My Videos
It names its copies by using existing file names in these folders and adding ".exe" to the end of the file name. For example, if a file in one of the folders is called "example.jpg", then the worm places a copy of itself in that folder with the file name "example.jpg.exe".
Note that it does not overwrite the existing file, rather it uses the existing file's name to name the worm copy. It may do this in an attempt to fool you into thinking the worm copies are in fact legitimate files.
Payload
Connects to a remote server
Worm:Win32/Brontok.AS@mm checks if your computer is connected to the Internet by connecting to the following URLs:
- google.com
- yahoo.com
If your computer is connected to the Internet, the worm attempts to download abritrary files from the following URLs:
- geocities.com/<removed>ji1/
- geocities.com/<removed>lu3/
- geocities.com/<removed>ro2/
- geocities.com/<removed>pt4/
Note: At the time of analysis, these URLs were not available. Therefore, we are not able to confirm the nature of the downloaded files.
Modifies system settings
Worm:Win32/Brontok.AS@mm modifies your computer's system settings by making a number of registry modifications.
It changes the way hidden files are displayed in Windows Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "0"
It removes the Folder Options item from all Windows Explorer menus and the Control Panel:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoFolderOptions"
With data: "1"
It disables the use of registry editors:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "1"
It bypasses the proxy server:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Sets value: "ProxyBypass"
With data: "1"
Modifies system files
Worm:Win32/Brontok.AS@mm may create the following file, or modify it if it exists:
C:\autoexec.bat
by adding the command "pause" into it.
The worm may modify this file in order to display a message or cause your computer to pause during its start up.
Analysis by Hyun Choi
Last update 08 January 2013