Worm:Win32/Brontok.AB@mm is a worm that spreads via e-mail and removable drives. It sends a copy of itself as an e-mail attachment to addresses that it harvests from files on the infected computer, and it can also copy itself to USB flash (pen) drives. Win32/Brontok can disable antivirus and security software, terminate certain applications as soon as they appear, and force Windows to restart when certain applications run. The worm may also conduct Denial of Service (DoS) attacks against certain web sites.
For more details about the Win32/Brontok family, visit this link:
Installation
Worm:Win32/Brontok.AB@mm may be received as an attachment to an e-mail message with a spoofed 'From' address.
When executed, the worm opens a new Windows Explorer window (so that a victim who has just double-clicked what looks like a folder sees the expected result) and then drops the following files:
- %HOMEPATH%\Local Settings\Application Data\csrss.exe
- %HOMEPATH%\Local Settings\Application Data\inetinfo.exe
- %HOMEPATH%\Local Settings\Application Data\lsass.exe
- %HOMEPATH%\Local Settings\Application Data\services.exe
- %HOMEPATH%\Local Settings\Application Data\winlogon.exe
- %HOMEPATH%\Start Menu\Programs\Startup\Empty.pif
- %HOMEPATH%\Templates\WowTumpeh.com
- %windir%\system32\UserName's Setting.scr
The first five names belong to legitimate Windows processes, but the genuine binaries live in %windir%\system32 and run from there. A process with one of these names whose image path is under a user's Local Settings\Application Data folder is the indicator, not the name itself.
Additionally, Win32/Brontok.AB may create the following folders:
- %HOMEPATH%\Local Settings\Application Data\Bron.tok-10-12
- %HOMEPATH%\Local Settings\Application Data\Loc.Mail.Bron.Tok
- %HOMEPATH%\Local Settings\Application Data\Ok-SendMail-Bron-tok
Worm:Win32/Brontok.AB@mm drops a copy of itself into the Startup folder, as mentioned above, so that it executes at each Windows start. Additionally, this worm may modify the registry to execute its copy at each Windows start.
Adds value: "Tok-Cirrhatus"
With data: <path to Win32/Brontok worm>
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "Bron-Spizaetus"
With data: <path to Win32/Brontok worm>
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Worm:Win32/Brontok.AB@mm also adds a scheduled task that executes a copy of the worm every day at 17:08 (5:08 p.m.). The worm creates the task with the NetScheduleJobAdd function, the same netapi32 API that at.exe uses, so the task shows up as an AT job file rather than as a named Task Scheduler task:
%windir%\Tasks\At1.job
The scheduled job executes the worm copy '%HOMEPATH%\Templates\WowTumpeh.com'.
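The following PowerShell script is an added example, not code from the encyclopedia entry or from the worm itself. It is a read-only triage pass over the persistence artifacts listed above: the two Run values, the dropped files and folders, the At1.job file, and any process that carries one of the system-process names but runs from outside %windir%. It assumes that $env:LOCALAPPDATA corresponds to the XP-era '%HOMEPATH%\Local Settings\Application Data' (on Vista and later the old path is a compatibility junction that resolves to AppData\Local), that the Startup and Templates folders resolve through [Environment]::GetFolderPath, that $env:windir stands for %windir%, and that 'UserName' in the listed screensaver name is a placeholder for the logged-on user's name; all of these are assumptions.

```powershell
# Added example: read-only triage for the persistence artifacts this page lists.
# Not code from the encyclopedia entry or from the worm. The path mappings below
# (XP-era folders to current environment variables) are assumptions; run elevated
# so that process image paths are readable.

$findings = @()

# 1. Run-key values. The value names are the ones the page gives; a clean system has neither.
$runKeys = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' = 'Tok-Cirrhatus'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' = 'Bron-Spizaetus'
}
foreach ($key in $runKeys.Keys) {
    $name = $runKeys[$key]
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $findings += "Run value '$name' in $key -> $($item.$name)" }
}

# 2. Dropped files and folders. Assumption: $env:LOCALAPPDATA stands in for
#    "%HOMEPATH%\Local Settings\Application Data". The five system-process names are
#    suspicious here precisely because the genuine binaries live in %windir%\system32.
$local     = $env:LOCALAPPDATA
$startup   = [Environment]::GetFolderPath('Startup')
$templates = [Environment]::GetFolderPath('Templates')
$names = 'csrss.exe', 'inetinfo.exe', 'lsass.exe', 'services.exe', 'winlogon.exe',
         'Bron.tok-10-12', 'Loc.Mail.Bron.Tok', 'Ok-SendMail-Bron-tok'
$paths = @($names | ForEach-Object { Join-Path $local $_ })
$paths += Join-Path $startup    'Empty.pif'
$paths += Join-Path $templates  'WowTumpeh.com'
$paths += Join-Path $env:windir 'Tasks\At1.job'
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Present: $p" }
}
# The page lists "%windir%\system32\UserName's Setting.scr". Treating "UserName" as a
# placeholder for the logged-on user's name is an assumption, so match the suffix only.
Get-ChildItem -Path (Join-Path $env:windir 'System32') -Filter "*'s Setting.scr" -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Present: $($_.FullName)" }

# 3. Running look-alikes: the name is legitimate, the image path is not.
$lookalikes = 'csrss', 'inetinfo', 'lsass', 'services', 'winlogon'
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $lookalikes -contains $_.ProcessName -and $_.Path -and $_.Path -notlike "$env:windir\*" } |
    ForEach-Object { $findings += "Process $($_.ProcessName) (PID $($_.Id)) runs from $($_.Path)" }

if ($findings.Count -eq 0) { 'No Brontok.AB persistence artifacts found.' } else { $findings }
```

The script changes nothing; it only reports. The process check is the part worth keeping even for unrelated malware: any csrss, lsass, services or winlogon whose image path is not under %windir% is wrong regardless of which family put it there.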
Spreads Via…
E-mail
Worm:Win32/Brontok.AB@mm may gather e-mail addresses to send itself to from files with the following extensions:
- .asp
- .cfm
- .csv
- .doc
- .eml
- .htm
- .php
- .txt
- .wab
- .xls
The worm sends e-mail with itself attached to all harvested e-mail addresses. The 'From' address is spoofed with one of the following, where '<number>' is a numeral:
- Berita_<number>@kafegaul.com
- GaulNews_<number>@kafegaul.com
- Movie_<number>@playboy.com
- HotNews_<number>@playboy.com
Payload
Lowers System Security
Worm:Win32/Brontok.AB@mm may attempt to lower security settings by modifying the registry. All five values are per-user settings under HKEY_CURRENT_USER, so they affect only the profile in which the worm ran.
- Stops users from accessing the Windows utility Registry Editor (regedit.exe):
  Adds value: "DisableRegistryTools"
  With data: 1
  To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- Prevents the display of files and folders with the 'hidden' file attribute set. Explorer shows hidden items only when this value is 1; 2 is the Windows default for 'do not show', and 0 has the same effect:
  Adds value: "Hidden"
  With data: 0
  To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Prevents the display of protected operating system files (0 is also the Windows default; the worm re-asserts it):
  Adds value: "ShowSuperHidden"
  With data: 0
  To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Prevents the display of file extensions for known file types, so the .com, .pif and .scr extensions of the dropped files stay hidden (1 is also the Windows default):
  Adds value: "HideFileExt"
  With data: 1
  To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Prevents access to the Folder Options menu item in Windows Explorer, through which a user could reverse the three view settings above:
  Adds value: "NoFolderOptions"
  With data: 1
  To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Modifies Windows Hosts File
Worm:Win32/Brontok.AB@mm may modify the Windows HOSTS file (%windir%\system32\drivers\etc\hosts) to block access to certain Internet sites, most of them antivirus or security-related. A HOSTS entry overrides DNS, so pointing a vendor's host name at an address that does not serve it makes the site unreachable from the infected computer.
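The two payload items above, the registry changes under 'Lowers System Security' and the HOSTS modification, are what an operator has to undo after the worm's copies are gone. The following PowerShell script is an added example, not code from the encyclopedia entry: it removes the two policy values, resets the three Explorer view values so that the worm's .com, .pif and .scr files become visible, and lists HOSTS lines that map a name other than localhost to a loopback or null address so that they can be reviewed by hand. It assumes the affected user is the one running it (the values live under HKCU), that the HOSTS file is at its standard path, and that the worm's running copies and its Run and scheduled-task entries have already been removed, since a still-running copy is free to re-apply these settings.

```powershell
# Added example, not part of the Microsoft encyclopedia entry. Assumed: the affected
# profile is the current user (HKCU); HOSTS is at the standard path; the worm's
# processes and persistence entries are already gone. Run from an elevated prompt.

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$sysPol   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$explPol  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# The two policy values are absent on a clean standalone profile, so remove them outright.
# (If a domain GPO sets them, they return at the next policy refresh, which is expected.)
$policies = @(
    @{ Key = $sysPol;  Name = 'DisableRegistryTools' },
    @{ Key = $explPol; Name = 'NoFolderOptions' }
)
foreach ($p in $policies) {
    if (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $p.Key -Name $p.Name
        "Removed $($p.Name) from $($p.Key)"
    }
}

# Explorer view values: Hidden=1 shows hidden files (2 is the default 'do not show'),
# ShowSuperHidden=1 shows protected OS files, HideFileExt=0 shows extensions.
if (-not (Test-Path -Path $advanced)) { New-Item -Path $advanced -Force | Out-Null }
$view = @{ Hidden = 1; ShowSuperHidden = 1; HideFileExt = 0 }
foreach ($name in $view.Keys) {
    Set-ItemProperty -Path $advanced -Name $name -Value $view[$name] -Type DWord
}
"Explorer view values reset under $advanced (restart explorer.exe to apply)"

# HOSTS review: print non-comment lines that point a name other than localhost at a
# loopback or null address. Nothing is changed here; the operator decides what to delete.
$hosts = Join-Path $env:windir 'System32\drivers\etc\hosts'
$suspect = foreach ($line in Get-Content -LiteralPath $hosts) {
    $text = ($line -split '#', 2)[0].Trim()     # drop inline comments
    if (-not $text) { continue }
    $fields = $text -split '\s+'
    if ($fields.Count -lt 2) { continue }
    $addr = $fields[0]
    if ($addr -notmatch '^(127\.\d+\.\d+\.\d+|0\.0\.0\.0|::1)$') { continue }
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        if ($name -ne 'localhost' -and $name -notlike '*.localdomain') { "$addr $name" }
    }
}
if ($suspect) { "HOSTS entries to review in $($hosts):"; $suspect }
else { "No loopback-redirected names in $($hosts)" }
```

DisableRegistryTools only blocks regedit.exe; it does not affect the PowerShell registry provider (or reg.exe), which is why the script can remove the value even while the policy is in force. The HOSTS section deliberately reports rather than rewrites: a loopback entry for a vendor's site is almost certainly the worm's, but a site administrator's own pinned entries look the same to a regular expression.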
Performs Denial of Service Attacks
Worm:Win32/Brontok.AB@mm may initiate ping attacks against predefined web sites, presumably to cause a denial of service (DoS) when many infected clients do so at the same time.
Terminates Applications
Worm:Win32/Brontok.AB@mm may terminate applications, or restart Windows, when the title of the active window contains certain character strings. The predefined list of strings may be related to antivirus or system tools that might ordinarily be used to detect or remove the worm.
Analysis by Wei Li