
Win32.Brontok.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Brontok.A@mm is also known as W32/Rontokbro.gen@MM, W32.Rontokbro@mm, Worm/Brontok.a, Email-Worm.Win32.Brontok.a.

Explanation:

The worm arrives as an attachment to an infected email that looks like this:

Subject: (empty)
Message:
BRONTOK.A [ By: HVM31-Jowobot #VM Community ]
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah[
By: HVM31-Jowobot #VM Community--
Attachment: Kangen.exe

The attached file has an icon that imitates a standard Windows folder.

When it is executed, an Explorer window showing the My Documents folder opens. The worm installs itself in the locations specified in the Symptoms section.

The worm then scans files with the following extensions to harvest email addresses:
asp cfm csv doc eml html php txt wab

It ignores addresses that match any of the following strings:
ADMIN AHNLAB ALADDIN ALERT ALWIL ANTIGEN ASSOCIATE AVAST AVIRA BILLING@ BUILDER CILLIN CONTOH CRACK DATABASE DEVELOP ESAFE ESAVE ESCAN EXAMPLE GRISOFT HAURI INFO@ LINUX MASTER MICROSOFT NETWORK NOD32 NORMAN NORTON PANDA PROGRAM PROLAND PROTECT ROBOT SECURITY SOURCE SYBARI SYMANTEC TRUST UPDATE VAKSIN VIRUS

The harvested email addresses are stored in the following folder:
%UserProfile%\Local Settings\Application Data\Loc.Mail.Bron.Tok

This folder contains one file for each email address the worm found. The files are named after the following pattern:
found@email.address.ini

In the same folder, the worm creates the following folders, which it uses during the mass-mailing process:
Ok-SendMail-Bron-tok
Bron.tok-[x]-[y] (where x and y are two random numbers)

The worm also creates a task in %WINDIR%\Tasks that executes a copy of the worm (WowTumpeth.com) every day at 5:08 PM.

To ensure that it runs at every system startup, it creates the following registry entries:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus" = "%Windir%\ShellNew\bronstab.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus" = "%UserProfile%\Local Settings\Application Data\smss.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %Windir%\eksplorasi.pif"

It disables Folder Options in Windows Explorer by setting the following registry value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"="1"

It also disables Regedit:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"="1"

The following entries are set to the specified values:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"="0"
"ShowSuperHidden"="0"
"HideFileExt"="1"

When the worm is in memory, if it finds any window that contains "Registry" or ".EXE", it will restart the computer.
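
A triage check for the registry changes listed above, as an added example (not Bitdefender's code): it scans the text of a `reg export` file for the value names and data given in this write-up. The function names, the sample export, the choice to ignore the hive, and accepting the policy data as either a DWORD or the string "1" are assumptions of this example.

```python
import re

# (key suffix, value name, predicate on data), all taken from the write-up above.
# Assumptions: hives are not compared; policy data may be a DWORD or the string "1".
RUN = r"\software\microsoft\windows\currentversion\run"
POL = r"\software\microsoft\windows\currentversion\policies"
INDICATORS = [
    (RUN, "bron-spizaetus", lambda d: True),
    (RUN, "tok-cirrhatus", lambda d: True),
    (r"\software\microsoft\windows nt\currentversion\winlogon", "shell",
     lambda d: "eksplorasi.pif" in d.lower()),
    (POL + r"\explorer", "nofolderoptions", lambda d: d == "1"),
    (POL + r"\system", "disableregistrytools", lambda d: d == "1"),
]
# One .reg line: either a [key] header or a "name"=data pair.
LINE_RE = re.compile(r'^\s*(?:\[(?P<key>.+)\]|"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*?))\s*$', re.M)

def normalize(data):
    """Reduce .reg data ("string" or dword:XXXXXXXX) to a comparable string."""
    if data.lower().startswith("dword:"):
        return str(int(data[6:], 16))
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escaping
    return data

def scan_reg_export(text):
    """Return [(key, value name, data)] for each indicator found in a .reg export."""
    findings, key = [], ""
    for m in LINE_RE.finditer(text):
        if m["key"]:
            key = m["key"]
            continue
        data = normalize(m["data"])
        for suffix, wanted, hit in INDICATORS:
            if key.lower().endswith(suffix) and m["name"].lower() == wanted and hit(data):
                findings.append((key, m["name"], data))
    return findings

# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\eksplorasi.pif"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Tok-Cirrhatus"="C:\\Documents and Settings\\u\\Local Settings\\Application Data\\smss.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''
```

Files written by `reg export` are UTF-16, so read them with `encoding="utf-16"` before passing the text to `scan_reg_export`.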

Last update 21 November 2011

 
