December 29, 2010

Brontok

This worm arrives as an email attachment named Kangen.exe. When it is run it opens the user's documents folder (so the victim sees something harmless happen), copies itself into the user's profile and registers itself to start with Windows. The email it sends looks like this:

Message:

BRONTOK.A  [ By: HVM31-Jowobot #VM Community ]
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah[
By: HVM31-Jowobot #VM Community--
Attachment: Kangen.exe

The Indonesian text of the message translates as:

-- Stop the rottenness in this country --
1. Put corruptors, smugglers, bribe-takers, gamblers & DRUG dealers on trial
( Send them to "NUSAKAMBANGAN")
2. Stop free sex, abortion & prostitution
3. Stop (pollution of seas & rivers), forest burning & poaching.
4. SAY NO TO DRUGS !!!
-- JUDGMENT DAY IS NEAR --
Inspired by: the Brontok eagle (Spizaetus Cirrhatus), which is nearly extinct

The worm then scans the system for files with the following extensions and harvests email addresses from them:
  • asp
  • cfm
  • csv
  • doc
  • eml
  • html
  • php
  • txt
  • wab

The harvested addresses are stored in the folder %UserProfile%\Local Settings\Application Data\Loc.Mail.Bron.Tok, one file per address found, each named after the address itself (found@email.address.ini). The worm also creates a scheduled task in %WINDIR%\Tasks that runs a copy of it (WowTumpeh.com) every day at 5:08 PM, and it runs its mass-mailing processes under the names
  • Ok-SendMail-Bron-tok
  • Bron.tok-[x]-[y]
For persistence it adds a value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that it is launched at every system start-up, and it disables the Registry Editor by setting
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableRegistryTools"="1"

If regedit or any .exe file is opened on an infected machine, the worm restarts the computer.

Symptoms:
Registry Editor is disabled
System restarts when trying to execute .exe files
Creates files in the following locations
  • %WINDIR%\eksplorasi.pif
  • %UserProfile%\Local Settings\Application Data\smss.exe
  • %UserProfile%\Local Settings\Application Data\services.exe
  • %UserProfile%\Local Settings\Application Data\lsass.exe
  • %UserProfile%\Local Settings\Application Data\csrss.exe
  • %UserProfile%\Local Settings\Application Data\inetinfo.exe
  • %UserProfile%\Local Settings\Application Data\winlogon.exe
  • %UserProfile%\Start Menu\Programs\Startup\Empty.pif
  • %UserProfile%\Templates\WowTumpeh.com
  • %WINDIR%\%CURRENT_USER%'s Setting.scr
  • %WINDIR%\ShellNew\bronstab.exe
Each of these is a 42,028-byte copy of the worm.
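The artifacts above (the dropped files, the Loc.Mail.Bron.Tok address store, the Run value, the DisableRegistryTools policy and the scheduled task) are enough to triage a suspect host without any vendor tool. The following PowerShell script is an added example, not part of the original post or of any vendor's removal tool; it assumes PowerShell 3 or later on a Windows machine, uses the XP-era profile paths quoted in the post (on Vista and later the "Local Settings" name is a junction to %LOCALAPPDATA%), and only reports, it does not clean.

```powershell
# Added triage script (not from the original post): reports which Brontok
# artifacts listed above are present on this host. Read-only; run as the
# affected user, elevated so HKLM and %WINDIR%\Tasks are readable.

$findings = @()

# Both the post's XP-era path and the modern %LOCALAPPDATA% location are checked;
# on Vista+ "Local Settings" is a junction, so the two normally coincide (assumption).
$appDataDirs = @(
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data'),
    $env:LOCALAPPDATA
) | Where-Object { $_ } | Select-Object -Unique

# 1. Dropped files. smss.exe, lsass.exe etc. are legitimate names, but the real
#    ones live in %WINDIR%\System32; copies under the user profile are the worm.
$candidates = @(
    (Join-Path $env:WINDIR 'eksplorasi.pif'),
    (Join-Path $env:WINDIR 'ShellNew\bronstab.exe'),
    (Join-Path $env:WINDIR ("{0}'s Setting.scr" -f $env:USERNAME)),
    (Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup\Empty.pif'),
    (Join-Path $env:USERPROFILE 'Templates\WowTumpeh.com')
)
foreach ($dir in $appDataDirs) {
    foreach ($name in 'smss.exe','services.exe','lsass.exe','csrss.exe','inetinfo.exe','winlogon.exe') {
        $candidates += Join-Path $dir $name
    }
}
foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path -Force).Length
        $findings += "dropped file: $path ($size bytes)"
    }
}

# 2. Harvested-address store: one "<address>.ini" per address the worm found.
#    The file names tell the responder which contacts may have received copies.
foreach ($dir in $appDataDirs) {
    $store = Join-Path $dir 'Loc.Mail.Bron.Tok'
    if (Test-Path -LiteralPath $store) {
        $addresses = Get-ChildItem -LiteralPath $store -Filter '*.ini' -Force |
            ForEach-Object { $_.BaseName }
        $findings += "harvested addresses ($($addresses.Count)) in $store"
        $findings += $addresses | ForEach-Object { "  harvested: $_" }
    }
}

# 3. Persistence: Run values pointing into the profile, and the registry-tools lock.
$run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        # Skip the PSPath/PSChildName bookkeeping properties the provider adds.
        if ($prop.Name -notmatch '^PS' -and $prop.Value -match 'Local Settings|Templates|Bron|WowTumpeh') {
            $findings += "Run value: $($prop.Name) = $($prop.Value)"
        }
    }
}
$policy = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name DisableRegistryTools -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRegistryTools -eq 1) {
    $findings += 'Registry Editor disabled via DisableRegistryTools=1'
}

# 4. Scheduled task in %WINDIR%\Tasks. Legacy .job files hold their command line
#    as UTF-16LE text, so a decoded substring search finds the payload name.
Get-ChildItem -LiteralPath (Join-Path $env:WINDIR 'Tasks') -Filter '*.job' -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = [Text.Encoding]::Unicode.GetString([IO.File]::ReadAllBytes($_.FullName))
        if ($text -match 'WowTumpeh') { $findings += "scheduled task: $($_.FullName)" }
    }

# 5. Running copies. The worm reuses system process names, so key on the image
#    path rather than the name; a "services.exe" outside System32 is suspect.
Get-Process | Where-Object {
    $p = $_.Path
    $p -and ($appDataDirs | Where-Object { $p -like "$_*" })
} | ForEach-Object {
    $findings += "process $($_.Name) (PID $($_.Id)) running from $($_.Path)"
}

if ($findings.Count -eq 0) { 'No Brontok artifacts found.' } else { $findings }
```

Because the worm restarts the machine when an .exe or regedit is launched, run this from an already-open elevated PowerShell window (or from a recovery environment against the mounted disk with the paths adjusted) rather than double-clicking a script file, and treat the harvested-address list as the starting point for notifying contacts who may have received the Kangen.exe mail.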

Removal tools for this worm are available from vendors such as BitDefender, Symantec and McAfee.

