Win32.Brontok.A@mm

( W32/Rontokbro.gen@MM, W32.Rontokbro@mm, Worm/Brontok.a, Email-Worm.Win32.Brontok.a )
Propagation : medium
Dégât : medium
Size: 42,028
Détecté : 2005 Oct 14

SYMPTOMS:

  • You can't start Regedit.exe
  • When trying to start any other registry editor, the system restarts
  • The system also restarts when executing certain EXE files
  • The presence of the following files:
  • %WINDIR%\eksplorasi.pif
  • %UserProfile%\Local Settings\Application Data\smss.exe
  • %UserProfile%\Local Settings\Application Data\services.exe
  • %UserProfile%\Local Settings\Application Data\lsass.exe
  • %UserProfile%\Local Settings\Application Data\csrss.exe
  • %UserProfile%\Local Settings\Application Data\inetinfo.exe
  • %UserProfile%\Local Settings\Application Data\winlogon.exe
  • %UserProfile%\Start Menu\Programs\Startup\Empty.pif
  • %UserProfile%\Templates\WowTumpeh.com
  • %WINDIR%\%CURRENT_USER%'s Setting.scr
  • %WINDIR%\ShellNew\bronstab.exe
  •  
All these files have the size of the worm's main executable: 42,028 bytes.

TECHNICAL DESCRIPTION:

The worm comes as an attachment in an infected email, that looks like this:

Subject: (empty)
Message:
BRONTOK.A  [ By: HVM31-Jowobot #VM Community ]
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah[
By: HVM31-Jowobot #VM Community--
Attachment: Kangen.exe

The attached file has an icon that imitates an usual Windows folder:


If executed, an Explorer window with My Documents folder is open. The worm installs itself in the locations specified in the Symptoms section.

The worm starts scanning files having the following extensions in order to gather email addresses to havest:
  • asp
  • cfm
  • csv
  • doc
  • eml
  • html
  • php
  • txt
  • wab
It will not consider the adresses mathing the following strings:
  • ADMIN AHNLAB  ALADDIN  ALERT  ALWIL  ANTIGEN
  • ASSOCIATE  AVAST  AVIRA  BILLING@  BUILDER
  • CILLIN  CONTOH  CRACK  DATABASE  DEVELOP
  • ESAFE  ESAVE  ESCAN  EXAMPLE  GRISOFT  HAURI
  • INFO@  LINUX  MASTER  MICROSOFT  NETWORK
  • NOD32  NORMAN  NORTON  PANDA  PROGRAM
  • PROLAND  PROTECT  ROBOT  SECURITY  SOURCE
  • SYBARI  SYMANTEC  TRUST  UPDATE  VAKSIN
  • VAKSIN  VIRUS
The email addresses are gathered into the following folder
  • %UserProfile%\Local Settings\Application Data\Loc.Mail.Bron.Tok
This folder will contain as many files as the email addresses the worm found. Those files are named by the following pattern: found@email.address.ini

In the same folder as the one specified above, the worm creates the following ones, that it will use at the mass-mailing process:
  • Ok-SendMail-Bron-tok
  • Bron.tok-[x]-[y]  (where x and y are two random numbers)
The worm also creates a task in C:\%WINDIR%\Tasks, that will execute a copy of it (WowTumpeth.com) every day, at 5:08PM.

In order to assure it is executed at every system startup, it creates the following registry entries:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus" = "%Windir%\ShellNew\bronstab.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus" = "%UserProfile%\Local Settings\Application Data\smss.exe"
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %Windir%\eksplorasi.pif"

It will disable Folder Options in Windows Explorer, by setting the following Registry value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"="1"

And will also disable Regedit:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"="1"

The following entries will be set at the specified values:
[HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]
"Hidden"="0"
"ShowSuperHidden"="0"
"HideFileExt"="1"

When the worm is in memory, if it finds any window that contains "Registry" or ".EXE", it will restart the computer.

Removal instructions:

Method 1: Let BitDefender deletes the files it finds infected with the worm.
Method 2: Download and run the removal tool, using the link at the top of this page.

The removal tool will:
  • Find any Brontok-infected files on your computer
  • Kill the worm's processes
  • Restore acess to Regedit
  • Restore access to Folder Options
  • Restore the default values for those entries that the worm changes.
  • Delete (or fix) the startup entries related to the worm.

ANALYZED BY:

Raul Tosa, BitDefender virus researcher