| Field | Value |
|---|---|
| Malware name | Worm.Brontok.C |
| Type | Worm |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | D179DDF4DC0CD208734E588E4561389D |
| Static file | no |
| Filesize | 42,573 Bytes |
| Alias names (also known as) | Webwasher Proactive: Win32.Malware.gen; Sophos: W32/Brontok-V; McAfee: W32/Rontokbro.gen@MM; CA ETrust: Win32/Robknot!generic |
| Protection | Webwasher Anti Malware 6032.109.x; Webwasher Proactive Database Version: 28 |
| Side effects | Blocks access to security websites; Downloads files; Uses its own Email engine; Registry modification |
| Propagation | |
Description:
Files
It copies itself to the following locations:
• %WINDIR%\ShellNew\sempalong.exe
• %WINDIR%\eksplorasi.exe
• %home%\Local Settings\Application Data\smss.exe
• %home%\Local Settings\Application Data\services.exe
• %home%\Local Settings\Application Data\lsass.exe
• %home%\Local Settings\Application Data\inetinfo.exe
• %home%\Local Settings\Application Data\csrss.exe
• %home%\Start Menu\Programs\Startup\Empty.pif
• %home%\Templates\brengkolang.exe
• %SYSDIR%\%current username%'s setting.scr
It overwrites the following file:
– %system drive root%\autoexec.bat
with the following contents:
• pause
The following file is created:
– %home%\Local Settings\Application Data\Kosong.Bron.Tok.txt
This is a non-malicious text file with the following content:
• Brontok.A
By: HVM31
-- JowoBot VM Community --
Registry
The following registry keys are added in order to run the processes after reboot:
– [HKLM\software\microsoft\windows\currentversion\run]
• "Bron-Spizaetus" = ""c:\winows\ShellNew\sempalong.exe""
– [HKCU\software\microsoft\windows\currentversion\run]
• "Tok-Cirrhatus" = "c:\Documents and Settings\UserLocal Settings\Application Data\smss.exe"
The following registry keys are added:
– [HKCU\software\microsoft\windows\currentversion\Policies\System]
• "DisableCMD" = dword:00000000
• "DisableRegistryTools" = dword:00000001
– [HKCU\software\microsoft\windows\currentversion\Policies\Explorer]
• "NoFolderOptions" = dword:00000001
The following registry keys are changed:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Old value:
• "Shell" = "Explorer.exe"
New value:
• "Shell" = "Explorer.exe "c:\winows\eksplorasi.exe""
– [HKCU\software\microsoft\windows\currentversion\explorer\advanced]
Old value:
• "ShowSuperHidden" = %user defined settings%
• "HideFileExt" = %user defined settings%
• "Hidden" = %user defined settings%
New value:
• "ShowSuperHidden" = dword:00000000
• "HideFileExt" = dword:00000001
• "Hidden" = dword:00000000
Mailing
Search addresses: It searches files with the following extensions for email addresses:
• .HTML; .TXT; .EML; .WAB; .ASP; .PHP; .CFM; .CSV; .DOC; .XLS; .PDF; .PPT; .HTT
Avoid addresses: It does not send emails to addresses containing one of the following strings:
• .VBS; DOMAIN; HIDDEN; DEMO; DEVELOP; FOO@; KOMPUTER; SENIOR; DARK;
BLACK; BLEEP; FEEDBACK; IBM.; INTEL.; MACRO; ADOBE; FUCK; RECIPIENT;
SERVER; PROXY; ZEND; ZDNET; CNET; DOWNLOAD; HP.; XEROX; CANON;
SERVICE; ARCHIEVE; NETSCAPE; MOZILLA; OPERA; NOVELL; NEWS; UPDATE;
RESPONSE; OVERTURE; GROUP; GATEWAY; RELAY; ALERT; SEKUR; CISCO; LOTUS;
MICRO; TREND; SIEMENS; FUJITSU; NOKIA; W3.; NVIDIA; APACHE; MYSQL;
POSTGRE; SUN.; GOOGLE; SPERSKY; ZOMBIE; ADMIN; AVIRA; AVAST; TRUST;
ESAVE; ESAFE; PROTECT; ALADDIN; ALERT; BUILDER; DATABASE; AHNLAB;
PROLAND; ESCAN; HAURI; NOD32; SYBARI; ANTIGEN; ROBOT; ALWIL; YAHOO;
COMPUSE; COMPUTE; SECUN; SPYW; REGIST; FREE; BUG; MATH; LAB; IEEE;
KDE; TRACK; INFORMA; FUJI; @MAC; SLACK; REDHA; SUSE; BUNTU; XANDROS;
@ABC; @123; LOOKSMART; SYNDICAT; ELEKTRO; ELECTRO; NASA; LUCENT;
TELECOM; STUDIO; SIERRA; USERNAME; IPTEK; CLICK; SALES; PROMO
DoS
Right after it becomes active, it starts DoS attacks against the following destinations:
• http://kaskus.com
• http://17tahun.com
Hosts
The hosts file is modified as follows:
– Existing entries are deleted.
– Access to the following domains is effectively blocked:
• mcafee.com; www.mcafee.com; mcafeesecurity.com;
www.mcafeesecurity.com; mcafeeb2b.com; www.mcafeeb2b.com; nai.com;
www.nai.com; vil.nai.com; grisoft.com; www.grisoft.com;
kaspersky-labs.com; www.kaspersky-labs.com; kaspersky.com;
www.kaspersky.com; downloads1.kaspersky-labs.com;
downloads2.kaspersky-labs.com; downloads3.kaspersky-labs.com;
downloads4.kaspersky-labs.com; download.mcafee.com; grisoft.cz;
www.grisoft.cz; norton.com; www.norton.com; symantec.com;
www.symantec.com; liveupdate.symantecliveupdate.com;
liveupdate.symantec.com; update.symantec.com;
securityresponse.symantec.com; sarc.com; www.sarc.com; vaksin.com;
www.vaksin.com; norman.com; www.norman.com; trendmicro.com;
www.trendmicro.com; trendmicro.co.jp; www.trendmicro.co.jp;
trendmicro-europe.com; www.trendmicro-europe.com;
ae.trendmicro-europe.com; it.trendmicro-europe.com; secunia.com;
www.secunia.com; winantivirus.com; www.winantivirus.com;
pandasoftware.com; www.pandasoftware.com; esafe.com; www.esafe.com;
f-secure.com; www.f-secure.com; europe.f-secure.com; bhs.com;
www.bhs.com; datafellows.com; www.datafellows.com; cheyenne.com;
www.cheyenne.com; ontrack.com; www.ontrack.com; sands.com;
www.sands.com; sophos.com; www.sophos.com; icubed.com; www.icubed.com;
perantivirus.com; www.perantivirus.com; virusalert.nl;
www.virusalert.nl; pagina.nl; www.pagina.nl; antivirus.pagina.nl;
castlecops.com; www.castlecops.com; virustotal.com; www.virustotal.com
The modified hosts file will look like this:
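The Registry and Hosts sections above describe two host-level indicators of this worm: a Winlogon Shell value that launches an extra executable alongside Explorer.exe (plus Run entries pointing into ShellNew and Local Settings\Application Data), and hosts-file entries that override security-vendor domains. The following script is an added example written for this page, not code from the original report or from any vendor: it checks constructed sample inputs for those indicators. The domain subset, the sample hosts text and the sample Run values are constructed here for the demonstration and are not quoted from the report.

```python
"""
Added example (not part of the original threat description): defender-side checks
for two of the indicators listed above, the Winlogon Shell change and the
hosts-file block list. All sample inputs below are constructed for this demo.
"""
import re

# Subset of the vendor domains listed in the report's hosts section. In practice
# the full list from the report would be loaded here (assumption: a subset suffices).
BLOCKED_VENDOR_DOMAINS = {
    "mcafee.com", "www.mcafee.com", "kaspersky.com", "www.kaspersky.com",
    "symantec.com", "www.symantec.com", "sophos.com", "www.sophos.com",
    "f-secure.com", "www.f-secure.com", "virustotal.com", "www.virustotal.com",
}

# The Winlogon Shell value the report gives as the untouched "Old value".
EXPECTED_SHELL = "Explorer.exe"

# Path fragments the report associates with the worm's dropped copies.
SUSPICIOUS_RUN_PATH_FRAGMENTS = (
    "\\shellnew\\",
    "\\local settings\\application data\\",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def find_hosts_overrides(text, watched=BLOCKED_VENDOR_DOMAINS):
    """Return hosts entries that override a watched domain, whatever IP they map to.

    Any local override of a security-vendor domain is suspicious; the target IP
    does not matter for the finding.
    """
    return [(ip, name) for ip, name in parse_hosts(text) if name in watched]


def shell_is_tampered(shell_value):
    """True when the Winlogon Shell value launches anything besides Explorer.exe.

    The report shows the tampered form as Explorer.exe followed by a quoted path,
    so the value is tokenised on whitespace and quotes and must be exactly one token.
    """
    tokens = [t.lower() for t in re.split(r'[\s"]+', shell_value.strip()) if t]
    return tokens != [EXPECTED_SHELL.lower()]


def suspicious_run_entries(run_values):
    """Return (name, data) Run entries whose executable lives in a dropper location."""
    hits = []
    for name, data in run_values.items():
        path = data.replace('"', "").lower()
        if any(frag in path for frag in SUSPICIOUS_RUN_PATH_FRAGMENTS):
            hits.append((name, data))
    return hits


# Constructed sample hosts file, modelled on the block list in the report.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 www.mcafee.com mcafee.com
127.0.0.1 symantec.com
127.0.0.1 www.example.org
"""

# Constructed sample Run values (names modelled on the report, paths assumed).
SAMPLE_RUN_VALUES = {
    "Bron-Spizaetus": '"c:\\windows\\ShellNew\\sempalong.exe"',
    "Tok-Cirrhatus": '"c:\\Documents and Settings\\User\\Local Settings\\Application Data\\smss.exe"',
    "ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe",
}


def run_checks():
    """Run all three checks on the constructed samples and return the findings."""
    return {
        "hosts_overrides": find_hosts_overrides(SAMPLE_HOSTS),
        "shell_tampered": shell_is_tampered('Explorer.exe "c:\\windows\\eksplorasi.exe"'),
        "run_hits": suspicious_run_entries(SAMPLE_RUN_VALUES),
    }


if __name__ == "__main__":
    for key, finding in run_checks().items():
        print(key, finding)
```

On a live system the same functions would be fed the contents of %SYSDIR%\drivers\etc\hosts and the Winlogon and Run values read from the registry; the checks are deliberately independent of the exact file names the worm uses, so a variant that renames its copies but keeps the same persistence mechanism is still flagged.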
Miscellaneous
Anti debugging: It checks for running programs that contain one of the following strings:
• REGISTRY
• SYSTEM CONFIGURATION
• COMMAND PROMPT
• .EXE
• SHUT DOWN
• SCRIPT HOST
• LOG OFF WINDOWS
• KILLBOX
• TASKKILL
• TASK KILL
• HIJACK
• BLEEPING
File details
Runtime packer: To hamper detection and reduce the file size, it is packed with a runtime packer.