This worm arrives as an email attachment named Kangen.exe. When executed, it opens the documents folder, copies itself into the user profile and writes itself into the current-user section of the registry. The email looks as follows:
Message:
BRONTOK.A [ By: HVM31-Jowobot #VM Community ]
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah [ By: HVM31-Jowobot #VM Community ] --
Attachment: Kangen.exe
The worm then scans the system for files with the following extensions and harvests email addresses from them:
- asp
- cfm
- csv
- doc
- eml
- html
- php
- txt
- wab
The harvested addresses are stored in the folder %UserProfile%\Local Settings\Application Data\Loc.Mail.Bron.Tok, which contains one file per address found, named after the pattern found@email.address.ini. The worm also creates a scheduled task in C:\%WINDIR%\Tasks that executes a copy of itself (WowTumpeh.com) every day at 5:08 PM, and its mass-mailing process uses the following names:
- Ok-SendMail-Bron-tok
- Bron.tok-[x]-[y]
It creates an entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that it runs at every system start-up, and it disables the Registry Editor by setting the following value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"="1"
If any .exe file or regedit is opened, the worm restarts the computer.
Symptoms:
Registry Editor is disabled
System restarts when .exe files are executed
Files are created in the following locations:
- %WINDIR%\eksplorasi.pif
- %UserProfile%\Local Settings\Application Data\smss.exe
- %UserProfile%\Local Settings\Application Data\services.exe
- %UserProfile%\Local Settings\Application Data\lsass.exe
- %UserProfile%\Local Settings\Application Data\csrss.exe
- %UserProfile%\Local Settings\Application Data\inetinfo.exe
- %UserProfile%\Local Settings\Application Data\winlogon.exe
- %UserProfile%\Start Menu\Programs\Startup\Empty.pif
- %UserProfile%\Templates\WowTumpeh.com
- %WINDIR%\%CURRENT_USER%'s Setting.scr
- %WINDIR%\ShellNew\bronstab.exe
The dropped files are up to 42,028 bytes in size.
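The indicators listed above (dropped files, the DisableRegistryTools policy value, the scheduled task and the Loc.Mail.Bron.Tok harvest folder) can be checked mechanically during host triage. The script below is an added example and is not part of the original post or of any vendor's removal tool. It assumes a host snapshot has already been collected into a plain Python structure (file paths, registry values, scheduled tasks and directory listings); the snapshot format, the `triage` and `harvested_addresses` function names and all sample values are constructed for illustration. The address recovery step also shows how the found@email.address.ini naming lets a responder list which addresses were harvested for the mass mailing.

```python
"""Match a host snapshot against the Brontok.A artifacts from the write-up.

Added example: the snapshot layout and the sample data are constructed,
not taken from a real infection or from the original post.
"""
import re

# Indicators transcribed from the write-up. %WINDIR% and %UserProfile%
# are expanded per host; %CURRENT_USER% is the logged-on user name.
DROPPED_FILES = [
    r"%WINDIR%\eksplorasi.pif",
    r"%UserProfile%\Local Settings\Application Data\smss.exe",
    r"%UserProfile%\Local Settings\Application Data\services.exe",
    r"%UserProfile%\Local Settings\Application Data\lsass.exe",
    r"%UserProfile%\Local Settings\Application Data\csrss.exe",
    r"%UserProfile%\Local Settings\Application Data\inetinfo.exe",
    r"%UserProfile%\Local Settings\Application Data\winlogon.exe",
    r"%UserProfile%\Start Menu\Programs\Startup\Empty.pif",
    r"%UserProfile%\Templates\WowTumpeh.com",
    r"%WINDIR%\%CURRENT_USER%'s Setting.scr",
    r"%WINDIR%\ShellNew\bronstab.exe",
]
HARVEST_DIR = r"%UserProfile%\Local Settings\Application Data\Loc.Mail.Bron.Tok"
# Policy value the worm sets to lock the user out of regedit.
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_VALUE = "DisableRegistryTools"
# Image the daily 5:08 PM scheduled task launches.
TASK_IMAGE = "wowtumpeh.com"

ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def expand(template, env):
    """Expand %VAR% placeholders using the per-host environment mapping."""
    return re.sub(r"%([A-Za-z_]+)%", lambda m: env.get(m.group(1), m.group(0)), template)


def harvested_addresses(listing):
    """Recover addresses from Loc.Mail.Bron.Tok file names (found@email.address.ini)."""
    found = set()
    for name in listing:
        if name.lower().endswith(".ini"):
            addr = name[:-4]
            if ADDRESS_RE.match(addr):
                found.add(addr.lower())
    return sorted(found)


def triage(snapshot, env):
    """Return the Brontok.A indicators present in a host snapshot."""
    files = {p.lower() for p in snapshot.get("files", [])}
    findings = {"files": [], "registry": [], "tasks": [], "addresses": []}
    for tmpl in DROPPED_FILES:
        path = expand(tmpl, env)
        if path.lower() in files:
            findings["files"].append(path)
    if snapshot.get("registry", {}).get((POLICY_KEY, POLICY_VALUE)) == "1":
        findings["registry"].append(f"{POLICY_KEY}\\{POLICY_VALUE} = 1 (Registry Editor disabled)")
    for task in snapshot.get("tasks", []):
        cmd = task.get("command", "")
        if cmd.lower().rsplit("\\", 1)[-1] == TASK_IMAGE:
            findings["tasks"].append(f'{task.get("name", "?")} -> {cmd} at {task.get("time", "?")}')
    harvest = expand(HARVEST_DIR, env).lower()
    for directory, names in snapshot.get("dirs", {}).items():
        if directory.lower() == harvest:
            findings["addresses"] = harvested_addresses(names)
    findings["infected"] = bool(findings["files"] or findings["registry"] or findings["tasks"])
    return findings


# Constructed snapshot of an infected host (illustrative values only).
SAMPLE_ENV = {"WINDIR": r"C:\WINDOWS",
              "UserProfile": r"C:\Documents and Settings\alice",
              "CURRENT_USER": "alice"}
SAMPLE_SNAPSHOT = {
    "files": [
        r"C:\WINDOWS\eksplorasi.pif",
        r"C:\Documents and Settings\alice\Local Settings\Application Data\smss.exe",
        r"C:\WINDOWS\alice's Setting.scr",
        r"C:\WINDOWS\explorer.exe",  # legitimate file, must not match
    ],
    "registry": {(POLICY_KEY, POLICY_VALUE): "1"},
    "tasks": [{"name": "At1", "time": "17:08",
               "command": r"C:\Documents and Settings\alice\Templates\WowTumpeh.com"}],
    "dirs": {
        r"C:\Documents and Settings\alice\Local Settings\Application Data\Loc.Mail.Bron.Tok": [
            "bob@example.com.ini", "Carol@Example.org.ini", "notes.txt", "bad name.ini"],
    },
}

if __name__ == "__main__":
    for section, items in triage(SAMPLE_SNAPSHOT, SAMPLE_ENV).items():
        print(f"{section}: {items}")
```

The indicators are matched case-insensitively because NTFS paths are, and the `%CURRENT_USER%` placeholder is expanded from the snapshot's environment so the per-user screensaver name is checked correctly. A clean snapshot yields `infected: False` and empty lists.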
Removal tools for this worm are available from well-known vendors such as BitDefender, Symantec and McAfee.