Win32.Brontok.MO
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Brontok.MO is also known as (Symantec).
Explanation:
When launched, the malware creates copies of itself in the following locations:
%USERPROFILE%\%SETTINGS%\%APPDATA%\ using one of the names winlogon.exe, services.exe, lsass.exe, inetinfo.exe, csrss.exe or smss.exe (the names of legitimate Windows system processes, chosen so the copies blend into a process list)
%WINDIR%\ShellNew\[random_name].exe
%WINDIR%\eksplorasi.exe
Each copy in %USERPROFILE%\%SETTINGS%\%APPDATA% performs the same malicious actions when executed.
The following startup registry entries are added:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe "%WINDIR%\eksplorasi.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus = "%WINDIR%\ShellNew\[random_name].exe"
Appending the dropped file to the Winlogon Shell value makes Windows launch it together with Explorer at every logon, so the worm is restarted even if the Run entry alone is deleted.
To hinder removal by the user, it disables Task Manager, Registry Editor and Folder Options, and hides file extensions and protected operating system files, so that its copies named after system processes look like the genuine ones (note that the listed DisableCMD value of 0 leaves the command prompt enabled):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions = 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD = 0x00000000
DisableRegistryTools = 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = 0x00000000
HideFileExt = 0x00000001
If the title of the active (foreground) window contains one of the following strings, it shuts down the system, which prevents the user from working in security tools or reading removal instructions: SECURE, SUPPORT, MASTER, MICROSOFT, VIRUS, HACK, CRACK, LINUX, AVG, GRISOFT, CILLIN, SECURITY, SYMANTEC, ASSOCIATE, VAKSIN, NORTON, NORMAN, PANDA, SOFT, SPAM, BLAH
The hosts file (%SYSTEM%\drivers\etc\hosts) is replaced with a version downloaded from:
http://www.geocities.com/[removed]/Host10.txt (unavailable)
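The indicators above (dropped copies under system-process names, the Winlogon Shell and Run entries, the policy values and the replaced hosts file) can be checked read-only from an elevated PowerShell session. The script below is an added example written for this page, not code from BitDefender or from the worm itself; the "Local Settings\Application Data" folder is my reading of the %SETTINGS%\%APPDATA% placeholder (with %LOCALAPPDATA% added for newer Windows versions), and the variable names are my own.

```powershell
# Added example: read-only triage for the Win32.Brontok.MO indicators listed in the write-up.
# Run from an elevated PowerShell; nothing is modified, findings are only reported.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon Shell persistence: a clean value is exactly "explorer.exe".
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($winlogon.Shell -and $winlogon.Shell.Trim() -notmatch '^explorer\.exe$') {
    $findings.Add("Winlogon Shell tampered: $($winlogon.Shell)")
}

# 2. Run key: the write-up names the value 'Bron-Spizaetus'; anything launched from ShellNew is also odd.
$run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -eq 'Bron-Spizaetus' -or "$($p.Value)" -match '\\ShellNew\\') {
        $findings.Add("Run entry: $($p.Name) = $($p.Value)")
    }
}

# 3. Policy values the worm sets; 'Bad' is the value the write-up says it writes.
$policyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden';      Bad = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';          Bad = 1 }
)
foreach ($c in $policyChecks) {
    $v = (Get-ItemProperty $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and $v -eq $c.Bad) { $findings.Add("$($c.Key)\$($c.Name) = $v") }
}

# 4. Dropped copies: system-process names outside System32, eksplorasi.exe, any .exe in ShellNew.
# Assumption: %SETTINGS%\%APPDATA% in the write-up means "Local Settings\Application Data" (XP layout).
$appData = Join-Path $env:USERPROFILE 'Local Settings\Application Data'
$suspectNames = 'winlogon.exe','services.exe','lsass.exe','inetinfo.exe','csrss.exe','smss.exe'
foreach ($dir in @($appData, $env:LOCALAPPDATA, (Join-Path $env:WINDIR 'ShellNew'), $env:WINDIR)) {
    if ($dir -and (Test-Path $dir)) {
        Get-ChildItem $dir -File -ErrorAction SilentlyContinue |
            Where-Object {
                ($suspectNames -contains $_.Name.ToLower()) -or
                ($_.Name -ieq 'eksplorasi.exe') -or
                ($dir -like '*ShellNew' -and $_.Extension -ieq '.exe')
            } |
            ForEach-Object { $findings.Add("Dropped copy: $($_.FullName)") }
    }
}

# 5. Hosts file: the worm replaces it, so any active line other than loopback deserves review.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' } |
    ForEach-Object { $findings.Add("hosts entry: $_") }

if ($findings.Count -eq 0) { 'No Brontok indicators found.' } else { $findings }
```

The policy checks deliberately compare against the value the worm writes rather than against "anything non-default", because a domain GPO can legitimately set NoFolderOptions or DisableRegistryTools; treat those two hits as corroborating evidence and the Winlogon Shell, Run entry and dropped copies as the decisive ones.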
It also downloads the following files:
%USERPROFILE%\%SETTINGS%\%APPDATA%\Update.10.Bron.Tok.bin
from: http://www.geocities.com/[removed]/BrontokInf10.txt
%USERPROFILE%\%SETTINGS%\%APPDATA%\Bron.tok.A10.em.bin
from: http://www.geocities.com/[removed]/Bron-ID10.txt
The worm tries to spread via email, as an attachment, using its own embedded SMTP engine, so it does not depend on the victim's mail client. It harvests addresses from files with the extensions HTM, HTML, TXT, EML, WAB, ASP, PHP, CFM, CSV and DOC. The mail body contains the message:
Brontok.A
By: HVM31
-- JowoBot #VM Community --
and the attachment has one of the names: winword.exe, kangen.exe, ccapps.exe, syslove.exe, untukmu.exe, myheart.exe, my heart.exe, jangan dibuka.exe
Last update 21 November 2011
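On the mail side, the body marker and the attachment names above are usable as a quarantine filter. The function below is an added example for this page, not part of BitDefender's write-up; Test-BrontokMail and the C:\quarantine folder of saved .eml files are assumed names.

```powershell
# Added example: flag saved .eml messages carrying the Brontok body signature or attachment names.
$attachmentNames = 'winword.exe','kangen.exe','ccapps.exe','syslove.exe','untukmu.exe',
                   'myheart.exe','my heart.exe','jangan dibuka.exe'
# Escape each name so "my heart.exe" and "jangan dibuka.exe" match literally, space included.
$namePattern = ($attachmentNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
# MIME carries the name either as Content-Type name= or Content-Disposition filename=.
$attachmentRegex = '(?:file)?name\s*=\s*"?(' + $namePattern + ')"?'
$bodySignature = 'JowoBot #VM Community'

function Test-BrontokMail {
    param([Parameter(Mandatory)][string]$Path)   # assumed function name, not from the write-up
    $raw = Get-Content -Path $Path -Raw
    $hits = @()
    if ($raw -match $attachmentRegex) { $hits += "attachment name: $($Matches[1])" }   # -match is case-insensitive
    if ($raw -match 'By:\s*HVM31' -or $raw.Contains($bodySignature)) { $hits += 'body signature' }
    [pscustomobject]@{ File = $Path; Suspicious = ($hits.Count -gt 0); Indicators = ($hits -join '; ') }
}

# Assumed location of quarantined messages.
Get-ChildItem 'C:\quarantine\*.eml' |
    ForEach-Object { Test-BrontokMail -Path $_.FullName } |
    Where-Object Suspicious |
    Format-Table -AutoSize
```

The attachment-name match is the weaker of the two signals (winword.exe in particular can appear in legitimate mail), so a message matching only on a name should be reviewed rather than deleted outright; the HVM31 / JowoBot body text is specific to this family.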