Home / malware Worm:Win32/Brontok.BU@mm
First posted on 07 March 2019.
Source: MicrosoftAliases :
Worm:Win32/Brontok.BU@mm is also known as Win32/Robknot.T, Email-Worm.Win32.Brontok.q, W32/Rontokbro.gen@MM, W32/Rontokbro.CJ@mm, W32/Brontok-D, Email-Worm.Win32.Brontok.a, W32.Rontokbro.K@mm, WORM_RONTOKBRO.U.
Explanation :
Worm:Win32/Brontok.BU@mm is a mass-mailing e-mail worm that spreads by sending a copy of itself as an e-mail attachment to e-mail addresses that it gathers from files on the infected computer. Worm:Win32/Brontok.BU@mm can also copy itself to USB and pen drives. This worm can disable antivirus and security software, immediately terminate certain applications, and cause Windows to restart immediately when certain applications run. This worm may conduct denial of service (DoS) attacks against certain Web sites. In most cases, Worm:Win32/Brontok use the Windows 'new folder' icon for the worm files. By default, Windows suppresses the extension on executable files. Even if this feature has been disabled, Worm:Win32/Brontok variants disable executable file extension viewing. This, in conjunction with the use of the 'new folder' icon, can cause the file to appear as if it were a new folder rather than an executable file. An unsuspecting user clicking on the "folder" to view its contents thereby inadvertently runs the worm file. To further promote the impression that the worm file is merely a folder, a new Explorer window is opened when the worm is run. When Worm:Win32/Brontok.BU@mm is run, it performs the following actions: Drops copies of itself to various folders:
%AppData%winlogon.exe
%AppData%services.exe
%AppData%lsass.exe
%AppData%inetinfo.exe
%AppData%csrss.exe
%AppData%smss.exe
%UserProfile%Start MenuProgramsStartupEmpty.pif
%UserProfile%TemplatesBrengkolang.com
%WinDir%eksplorasi.exe
%WinDir%ShellNewsempalong.exe
\%UserName%'s Setting.scr Copies itself to network shares and removable drives Gathers e-mail addresses from files with these file extensions:
.HTML
.HTM
.TXT
.EML
.WAB
.ASP
.PHP
.CFM
.EML
.CSV
and does not gather e-mail addresses containing any of these strings:
PLASA
TELKOM
INDO
.CO.ID
.GO.ID
.MIL.ID
.SCH.ID
.NET.ID
.OR.ID
.AC.ID
.WEB.ID
.WAR.NET.ID
ASTAGA
GAUL
BOLEH
EMAILKU
SATU Constructs e-mail addresses using a table of data to form specific elements:
From: (any of the following, where # is a random number)
Berita_# @ kafegaul.com
GaulNews_# @ kafegaul.com
Movie_# @ playboy.com
HotNews_# @ playboy.com
Subject: (blank)
Attachment filename: (any of the following)
winword.exe
kangen.exe
ccapps.exe
syslove.exe
untukmu.exe
myheart.exe
my heart.exe
jangan kibuka.exe
Message body (HTML format)
BRONTOK.A[10] [ By: HVM31 -- JowoBot #VM Community ]
-- Hentikan kebobrokan di negeri ini --
1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Aborsi, & Prostitusi
( Go To HELL )
3. Stop pencemaran lingkungan, pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh:
Elang Brontok (Spizaetus Cirrhatus) yang hampir punah
[ By: HVM31 ]
-- JowoBot #VM Community --
!!! Akan Kubuat Mereka (VM lokal yg cengeng & bodoh) Terkapar !!! Terminates processes containing any of these file names:
mcvsescn.exe
poproxy.exe
avgemc.exe
ccapps.exe
tskmgr.exe
syslove.exe
xpshare.exe
riyani_jangkaru.exe
systray.exe Checks for Internet connectivity by testing connection attempts to the Web sites Google or Yahoo Downloads a replacement hosts file from remote Web sites - the replacement hosts file blocks attempts to visit numerous security Web sites Replaces the contents of c:autoexec.bat with the Batch instruction "pause" such that at boot-up, the computer will pause with the message "Press any key to continue…". The boot-up window may not be visible, or is overshadowed by the Windows boot-up bitmap image, causing the system to appear in a hung state. Modifies the registry to start the worm at each Windows startup:
Adds value: Tok-Cirrhatus
With data: %AppData%smss.exe
To subkey: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
Adds value: Bron-Spizaetus
With data: %WinDir%ShellNewsempalong.exe
To subkey: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
Modifies value: Shell
With data: Explorer %WinDir%exsplorasi.exe
To subkey: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon Adds a scheduled task to run %UserProfile%TemplatesBrengkolang.com each day at 5:08 p.m. Worm:Win32/Brontok.BU@mm may attempt to lower security settings by making the following changes: Prevents the user from accessing the Registry Editor by making the following registry edit: Adds value: DisableRegistryTools
With data: 1
In subkey: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem Prevents the display of files and folders with the 'hidden' attribute set: Adds value: Hidden
With data: 0
In subkey: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced Prevents the display of Windows system files: Adds value: ShowSuperHidden
With data: 0
In subkey: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced Prevents the display of executable file extensions: Adds value: HideFileExt
With data: 1
In subkey: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced Prevents access to the Folder Options menu: Adds value: NoFolderOptions
With data: 1
In subkey: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer Worm:Win32/Brontok.BU@mm may perform these additional actions: Modifies the Windows HOSTS file to prevent access to certain Internet sites, the majority of which are antivirus or security-related. Attempts ping attacks against certain Web sites, presumably to launch a form of denial of service (DoS) attack.Last update 07 March 2019