Installation
Worm:Win32/Brontok.P@mm creates copies of itself in %APPDATA% with the following file names:
- smss.exe
- services.exe
- lsass.exe
- inetinfo.exe
- csrss.exe
- winlogon.exe
It creates a copy in %windir% with the file names:
- shellnew\sempalong.exe
- eksplorasi.exe
It also creates a copy in <start menu>\Programs\Startup\Empty.pif and %USERPROFILE%\Templates\Brengkolang.com.
Worm:Win32/Brontok.P@mm creates the following folders to store spam email addresses:
- %APPDATA%\Bron.tok-<random number>-<random number>, for example Bron.tok-12-6
- %APPDATA%\Loc.Mail.Bron.Tok
- %APPDATA%\Ok-SendMail-Bron-tok
It also creates the following files:
- %APPDATA%\BronFoldNetDomList.txt - Stores shared folder information about any computers it finds in the network
- %APPDATA%\BronNetDomList.bat - Stores information about collected network shares of computers found in the network
- %APPDATA%\BronNPath0.txt - Stores details of shared network folder paths
- %APPDATA%\Kosong.Bron.Tok.txt - Contains information about the worm itself, such as the author
- %USERPROFILE%\Pictures\about.Brontok.A.html - Contains text information, written in Indonesian
Worm:Win32/Brontok.P@mm modifies the following registry entries to make sure that its copy runs each time Windows starts:
In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "Tok-Cirrhatus"
With data: "%APPDATA%\local\smss.exe"
In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: "Bron-Spizaetus"
With data: "%windir%\shellnew\sempalong.exe"
In subkey: HKLM\software\microsoft\windows nt\currentversion\winlogon
Sets value: "Shell"
With data: "Explorer.exe %windir%\eksplorasi.exe"
Worm:Win32/Brontok.P@mm creates the following scheduled task to make sure it runs every day:
- at <time> /every:M,T,W,Th,F,S,Su "%Templates%\Brengkolong.com"
Spreads via
Email messages
Worm:Win32/Brontok.P@mm searches for email addresses in files with the following extensions:
- .ASP
- .CFM
- .CSV
- .DOC
- .EML
- .EXE
- .HTM
- .HTML
- .HTT
- .PDF
- .PHP
- .PPT
- .TXT
- .WAB
- .XLS
The worm stores the email addresses that it finds in a file in the folder %APPDATA%\loc.mail.bron.tok.
It sends email messages to these addresses and attaches a copy of itself. We have seen this worm in attachments with names such as winword.exe and xpshare.exe.
Removable drives and shared folders
Worm:Win32/Brontok.P@mm can copy itself to all removable drives and shared folders on your computer, as well as the following %USERPROFILE% locations:
- My Data Sources
- My Documents
- My Ebooks
- My Music
- My Pictures
- My Shapes
- My Videos
Payload
Connects to a remote server
Worm:Win32/Brontok.P@mm checks if your computer is connected to the Internet by connecting to the following URLs:
If an Internet connection is available, the worm attempts to contact the following URLs to download executable files, including other malware:
- <removed>.com/sbjsji1/
- <removed>.com/sbllrro2/
- <removed>.com/sbltllu3/
- <removed>.com/sblppt4/
- <removed>.com/sbllma5/
Note: At the time of analysis, these URLs were not available.
Modifies system settings
The worm modifies the following registry entries to disable registry editing and to hide itself:
In subkey: HKCU\software\microsoft\windows\currentversion\policies\explorer
Sets value: "NoFolderOptions"
With data: "1"
In subkey: HKCU\software\microsoft\windows\currentversion\policies\system
Sets value: "DisableRegistryTools"
With data: "1"
In subkey: HKCU\software\microsoft\windows\currentversion\policies\system
Sets value: "DisableCMD"
With data: "0"
In subkey: HKCU\software\microsoft\windows\currentversion\explorer\advanced
Sets value: "Hidden"
With data: "0"
In subkey: HKCU\software\microsoft\windows\currentversion\explorer\advanced
Sets value: "HideFileExt"
With data: "1"
In subkey: HKCU\software\microsoft\windows\currentversion\explorer\advanced
Sets value: "ShowSuperHidden"
With data: "0"
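As an added example that is not part of this encyclopedia entry, the PowerShell below audits a single host for the autostart entries listed under Installation and the policy changes listed under Modifies system settings. Registry value names, file names and paths are taken from this write-up; the script structure and variable names are this example's own, and it only reads, never modifies.

```powershell
# Added example, not from the encyclopedia entry: read-only audit of one host
# for the Brontok.P persistence, policy and file artifacts described above.
# Run elevated so HKLM values and %windir% are readable.
$findings = @()

# Run-key values the worm sets for autostart (names from the write-up).
$runChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Tok-Cirrhatus' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Bron-Spizaetus' }
)
foreach ($c in $runChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v) { $findings += "Run value $($c.Name) = $($v.($c.Name))" }
}

# Winlogon Shell: anything besides explorer.exe alone is suspicious; the worm
# appends %windir%\eksplorasi.exe to it.
$wl = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') { $findings += "Winlogon Shell = $shell" }

# Policy values the worm sets to 1. Hidden=0, ShowSuperHidden=0 and HideFileExt=1
# coincide with common defaults on clean machines, so they are not used as indicators.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
foreach ($c in @(@{ Key = "$pol\Explorer"; Name = 'NoFolderOptions' },
                 @{ Key = "$pol\System";   Name = 'DisableRegistryTools' })) {
    $v = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -eq 1) { $findings += "$($c.Name) = 1" }
}

# Dropped copies, address-harvest folders and the scheduled at.exe job.
$paths = @('smss.exe','services.exe','lsass.exe','inetinfo.exe','csrss.exe','winlogon.exe',
           'Loc.Mail.Bron.Tok','Ok-SendMail-Bron-tok','Kosong.Bron.Tok.txt') |
         ForEach-Object { Join-Path $env:APPDATA $_ }
$paths += "$env:windir\shellnew\sempalong.exe", "$env:windir\eksplorasi.exe"
$paths += @(Get-ChildItem -Path $env:APPDATA -Directory -Filter 'Bron.tok-*' -ErrorAction SilentlyContinue |
            ForEach-Object FullName)
foreach ($p in $paths) {
    if ($p -and (Test-Path -LiteralPath $p)) { $findings += "Artifact present: $p" }
}
$job = schtasks.exe /query /v /fo csv 2>$null | Select-String -SimpleMatch 'Brengkol'
if ($job) { $findings += "Scheduled task references Brengkol*: $($job.Line)" }

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Brontok.P artifacts found.' }
```

A hit on the Run values or the Winlogon Shell alone is strong evidence; the policy values can also be set by legitimate group policy, so treat them as corroborating rather than conclusive.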
Analysis by Steven Zhou.