
Worm:Win32/Brontok.S@mm


First posted on 12 February 2013.
Source: Microsoft

Aliases:

Worm:Win32/Brontok.S@mm is also known as Win32/Brontok.worm.47347 (AhnLab), Email-Worm.Win32.Brontok.q (Kaspersky), W32/Rontokbro (Norman), Worm/Brontok.C (Avira), Win32.Generic.497796 (BitDefender), Win32.Virut.5 (Dr.Web), Win32/Brontok.EL worm (ESET), W32/Rontokbro.gen@MM (McAfee), W32/Brontok-D (Sophos), W32.Rontokbro@mm (Symantec), WORM_RONTKBR.GEN (Trend Micro).

Explanation:



Installation

When run, Worm:Win32/Brontok.S@mm opens a Windows Explorer window to the "My Documents" folder.

The worm creates copies of itself as the following:

  • %APPDATA%\csrss.exe
  • %APPDATA%\inetinfo.exe
  • %APPDATA%\lsass.exe
  • %APPDATA%\services.exe
  • %APPDATA%\smss.exe
  • %APPDATA%\winlogon.exe
  • %USERPROFILE%\Start Menu\Programs\Startup\empty.pif
  • %USERPROFILE%\Templates\Brengkolang.com
  • %windir%\eksplorasi.exe
  • %windir%\shellnew\sempalong.exe
  • %windir%\system32\%UserName%'s Setting.scr
  • %windir%\system32\drivers\etc\hosts-denied by-%UserName%.com


Note:

  • %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Roaming".
  • %USERPROFILE% refers to a variable location that is determined by the malware by querying the operating system. The default location for the User Profile folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>" or "C:\Users\<user>". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>".
  • %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows folder for Windows 2000, XP, and 2003 is "C:\WinNT"; for Windows Vista, 7, and 8, it is "C:\Windows".


The worm uses the Windows "new folder" icon for its copies. This may cause the file to appear as if it were a new folder rather than an executable file, luring you into inadvertently running the worm.

Worm:Win32/Brontok.S@mm creates the following folders, which hold the components it uses to send spam email, including the email addresses it has collected:

  • %APPDATA%\Bron.tok-<random number>-<random number>, for example Bron.tok-9-10
  • %APPDATA%\loc.mail.bron.tok
  • %APPDATA%\Ok-SendMail-Bron-tok


It may also create the following files:

  • %APPDATA%\bronfoldnetdomlist.txt - the worm uses this file to store information about your computer, such as your computer's name
  • %APPDATA%\bronnetdomlist.bat - the worm uses this file to remove its original files from your computer after it has installed itself
  • %APPDATA%\bronnpath0.txt - the worm uses this file to store the shared network folder paths that it uses for spreading
  • %APPDATA%\Kosong.Bron.Tok.txt - the worm stores information about itself in this file, such as the author of the worm
  • %USERPROFILE%\My Documents\My Pictures\about.Brontok.A.html - the worm stores the text it uses in the email it sends out in this file


Worm:Win32/Brontok.S@mm modifies the following registry entries to ensure that its copy runs each time you start Windows:

In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: "Bron-Spizaetus"
With data: "%windir%\shellnew\sempalong.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe "%windir%\eksplorasi.exe""

In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "Tok-Cirrhatus"
With data: "%APPDATA%\smss.exe"

Worm:Win32/Brontok.S@mm may delete all existing scheduled tasks and create the following scheduled task to ensure the worm (%USERPROFILE%\Templates\Brengkolang.com) runs every day at 17:08:

%windir%\Tasks\At1.job

Spreads via...

Email messages

Worm:Win32/Brontok.S@mm searches for email addresses in files with the following extensions:

  • .ASP
  • .CFM
  • .CSV
  • .DOC
  • .EML
  • .EXE
  • .HTM
  • .HTML
  • .HTT
  • .PDF
  • .PHP
  • .PPT
  • .TXT
  • .WAB
  • .XLS


It stores the email addresses it finds in a file in the folder "%APPDATA%\loc.mail.bron.tok". Worm:Win32/Brontok.S@mm then sends email messages to these addresses.

The emails may contain a message in Indonesian, in the following format:

Subject: (no subject)

From: (any of the following)

  • Berita_<two numbers>@kafegaul.com
  • GaulNew_<two numbers>@kafegaul.com
  • HotNews_<two numbers>@playboy.com
  • Movie_<two numbers>@playboy.com


Attachment: (any of the following executable files)

  • rundll32.exe
  • Systray.exe
  • tskmgr.exe
  • winword.exe
  • xpshare.exe


Body: (stored in "%UserProfile%\My Documents\My Pictures\about.Brontok.A.html"; may appear similar to the following)

BRONTOK.A[16]
-- Hentikan kebobrokan di negeri ini --
1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA ( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Aborsi, & Prostitusi ( Go To HELL )
3. Stop pencemaran lingkungan, pembakaran hutan & perburuan liar.
4. Stop Pornografi & Pornoaksi
5. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh:
Elang Brontok (Spizaetus Cirrhatus) yang hampir punah

Removable drives and shared folders

Worm:Win32/Brontok.S@mm copies itself to all removable drives and shared folders on your computer, as well as the following locations:

  • My Data Sources
  • My Documents
  • My Ebooks
  • My Music
  • My Pictures
  • My Shapes
  • My Videos


It names its copies by using existing file names in these folders and adding ".exe" to the end of the file name. For example, if a file in one of the folders is called "example.jpg", then the worm places a copy of itself in that folder with the file name "example.jpg.exe".

Note that it does not overwrite the existing file; rather, it reuses the existing file's name to name the worm copy. It may do this in an attempt to fool you into thinking the worm copies are in fact legitimate files.
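The naming pattern just described (an original file left intact next to a copy named "<original>.exe") is something a defender can scan for. The following is an added example, not part of the original description; it checks a folder listing for that pattern and walks a directory tree, using only constructed demo files:

```python
import os

SUFFIX = ".exe"  # the worm appends this to an existing file's name and leaves the original in place

def find_decoy_copies(names):
    """Return the names in one folder that are another present file's full name plus '.exe'.

    'example.jpg.exe' is reported only when 'example.jpg' also exists, the pattern described
    above; a lone 'setup.exe' is not. Comparison is case-insensitive, as Windows file names are.
    """
    present = {n.lower() for n in names}
    return sorted(n for n in names
                  if n.lower().endswith(SUFFIX) and n.lower()[:-len(SUFFIX)] in present)

def scan_tree(root):
    """Walk a directory tree and map each folder that has hits to its suspicious file names."""
    report = {}
    for folder, _subdirs, files in os.walk(root):
        hits = find_decoy_copies(files)
        if hits:
            report[folder] = hits
    return report

if __name__ == "__main__":
    # Constructed demo folder: one decoy copy beside its original, plus harmless neighbours.
    import tempfile
    with tempfile.TemporaryDirectory() as demo:
        for name in ("example.jpg", "example.jpg.exe", "notes.txt", "setup.exe"):
            open(os.path.join(demo, name), "w").close()
        print(scan_tree(demo))  # reports only example.jpg.exe for the demo folder
```

On a real host you would point scan_tree at the user's document folders and removable drives listed above; the icon trick cannot be seen from a listing, but the name collision can.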



Payload

Connects to a remote server

Worm:Win32/Brontok.S@mm checks if your computer is connected to the Internet by connecting to the following URLs:

  • google.com
  • yahoo.com


If your computer is connected to the Internet, the worm attempts to download arbitrary files (including updates to itself and a Hosts file) from the following URLs:

  • geocities.com/sblppt4/
  • geocities.com/sbltlu3/


Note: At the time of analysis, these URLs were not available. Therefore, we are not able to confirm the nature of the downloaded files.

Modifies computer settings

Worm:Win32/Brontok.S@mm modifies your computer's system settings by making a number of registry modifications.

It changes the way hidden files are displayed in Windows Explorer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "0"

It removes the Folder Options item from all Windows Explorer menus and the Control Panel:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoFolderOptions"
With data: "1"

It disables the use of registry editors:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "1"

It bypasses the proxy server:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Sets value: "ProxyBypass"
With data: "1"
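The persistence entries (Run values, the Winlogon Shell hijack) and the policy changes listed above can all be checked from a Regedit export. The following is an added example, not part of the original description: it parses .reg text into a snapshot and reports the indicators named on this page, using a constructed sample export rather than data from a real infection.

```python
import re
RUN_KEYS = [r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"]
BRONTOK_RUN_VALUES = {"Bron-Spizaetus", "Tok-Cirrhatus"}
WINLOGON = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
TAMPERED = [(HKCU + r"\Explorer\Advanced", "Hidden", "0"),           # (key, value name, data the worm writes)
            (HKCU + r"\Policies\Explorer", "NoFolderOptions", "1"),
            (HKCU + r"\Policies\System", "DisableRegistryTools", "1"),
            (HKCU + r"\Internet Settings\ZoneMap", "ProxyBypass", "1")]

def parse_reg_export(text):
    """Parse Regedit .reg text into {key (lowercased): {name: data}}; DWORDs become decimal strings."""
    snapshot, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()                  # registry key names are case-insensitive
            snapshot.setdefault(key, {})
        elif key and line.startswith('"'):
            name, _, data = line.partition("=")
            if data.startswith("dword:"):
                data = str(int(data[6:], 16))
            elif data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping of \ and "
            snapshot[key][name.strip('"')] = data
    return snapshot

def check_snapshot(snapshot):
    """Return one finding per Brontok indicator present in a parsed snapshot."""
    findings = []
    for key in RUN_KEYS:
        for name, data in snapshot.get(key.lower(), {}).items():
            if name in BRONTOK_RUN_VALUES:
                findings.append(f"autorun value {name} -> {data}")
    shell = snapshot.get(WINLOGON.lower(), {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":  # should be plain explorer.exe
        findings.append(f"Winlogon Shell hijacked: {shell}")
    for key, name, bad in TAMPERED:
        if snapshot.get(key.lower(), {}).get(name) == bad:
            findings.append(f"policy tampered: {name}={bad}")
    return findings

# Constructed sample export (not captured from a real infection) carrying three of the indicators.
SAMPLE_EXPORT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="C:\\WINDOWS\\shellnew\\sempalong.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe \"C:\\WINDOWS\\eksplorasi.exe\""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001'''
if __name__ == "__main__": print("\n".join(check_snapshot(parse_reg_export(SAMPLE_EXPORT))))
```

On a live host, feed it the output of `reg export` for the keys above; the Shell check catches any non-default value, not only the eksplorasi.exe string this worm writes.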

Modifies system files

Worm:Win32/Brontok.S@mm may create the following file, or modify it if it exists:

C:\autoexec.bat

by adding the command "pause" to it.

The worm may modify this file in order to display a message or to make your computer pause during startup.

Modifies Hosts File

Worm:Win32/Brontok.S@mm attempts to modify the Windows Hosts file by downloading a replacement copy. The local Hosts file overrides DNS resolution, mapping a host name to a particular IP address. Malicious software may modify the Hosts file in order to redirect specified URLs to different IP addresses.



Analysis by Hyun Choi

Last update 12 February 2013
