SecurityHome.eu Net-Worm:W32/Brontok.B

Home / malware PDF

Net-Worm:W32/Brontok.B

First posted on 18 June 2007.
Source: SecurityHome
Aliases :
Net-Worm:W32/Brontok.B is also known as Brontok.b, Worm.Win32.Brontok.b.
Explanation :
Net-Worm:W32/Brontok.B copies a file to the Windows folder, creates a Registry key to start the file automatically, and copies itself to startup folders.

Net-Worm:W32/Brontok.B disables certain features of the operating system.

On execution, the first noticeable characteristic from this malware is the termination of applications such as CMD, regedit, and other EXE files.

The following are the files being dropped:

C:AUTORUN.INF
C:Documents and Settings\Local SettingsTemp~DF1A17.tmp
C:Documents and SettingsAll UsersStart MenuPrograms
StartupEmpty.pif
C:WINDOWSAutorun.inf
C:WINDOWSWebshell.exe
C:WINDOWSwinme.exe
C:winme.exe

To automatically start with Windows, the following registry entry is created:

[HKCUSoftwareMicrosoftWindowsCurrentVersionRun]
winme = C:WINDOWSwinme.exe

Added registry entry:

[HKCRlnkfileshellopencommand]
(default) = "C:WINDOWSwebshell.exe" "%1" %*

It also modifies these registry entries with the following data:

[HKCRatfileshellopencommand]
(default) = "C:WINDOWSwebshell.exe" "%1" %*
[HKCRcomfileshellopencommand]
(default) = "C:WINDOWSwebshell.exe" "%1" %*
[HKCRexefileshellopencommand]
(default) = "C:WINDOWSwebshell.exe" "%1" %*
[HKCRpiffileshellopencommand]
(default) = "C:WINDOWSwebshell.exe" "%1" %*
[HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced]
Hidden = 1
HideFileExt = 1
ShowSuperHidden = 1
[HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem]
DisableTaskMgr = 1
DisableRegistryTools = 1
DisableCMD = 1
[HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer]
Nofolderoptions = 1
[HKLMSOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem]
DisableTaskMgr = 1
DisableRegistryTools = 1
[HKLMSOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorer]
NoFolderOptions = 1
[HKLMSOFTWAREPoliciesMicrosoftWindowsInstaller]
DisableMSI = 1
[HKLMSOFTWAREPoliciesMicrosoftWindows NTSystemRestore]
DisableConfig = 1
DisableSR = 1
[HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon
Shell = Explorer.exe "C:WINDOWSwinme.exe"
Userinit = C:WINDOWSSystem32userinit.exe,C:WINDOWSwinme.exe
[HKLMSYSTEMControlSet001ControlSafeBoot
AlternateShell = C:WINDOWSwinme.exe
[HKLMSYSTEMCurrentControlSetControlSafeBoot
AlternateShell = C:WINDOWSwinme.exe

Processes with the following strings are also terminated by this malware:

ANT
ASM
AVAST
BUG
CONF
CONSO
DBG
DETEC
INSTALL
KASP
MCAFEE
NOD
NORTON
NTVDM
OPEN
PLAY
PROC
REG
REMOV
SCAN
SECUR
SUPPO
TASK
UPDAT
UPG
VIR
W32
WALK

It may also open a browser attempting to connect to the following URLs:

http://security.symantec.com
http://www.symantec.com

It will also create AUTORUN.INF files and copy itself to available removable media (USB drives) to allow itself to propagate.

Furthermore, this malware will not do any system changes if its filename is any of the following:

AutoPro.exe
mdefault.exe
mcagent.exe
mcshield.exe

Last update 18 June 2007

TOP

Net-Worm:W32/Brontok.B

Aliases :

Explanation :

Malware :

Family: