Email-Worm.Win32.Brontok.a
Detect: Email-Worm.Win32.Brontok.a
Platform: Win32
Type: Worm
Size: 45417 bytes
Packer: MEW
Language: VisualBasic
md5: 41bc917a697ab13ecb4c97496300080b
sha1: 3963b429bf098b194c49a83a4360d65b5c56c746
Summary
This is an email worm that spreads via the Internet by attaching a copy of its executable file to infected emails. For mailing, the worm uses addresses found on the infected computer.
Technical Details
Installation
Once launched, the worm saves copies of itself as:
%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\br<rnd>on.exe
%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\csrss.exe
%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\inetinfo.exe
%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\lsass.exe
%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\services.exe
%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\smss.exe
%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\svchost.exe
%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\winlogon.exe
%SystemDrive%\Documents and Settings\User\Start Menu\Programs\Startup\Empty.pif
%SystemDrive%\Documents and Settings\User\Templates\<rnd>-NendangBro.com
%WinDir%\KesenjanganSosial.exe
%WinDir%\ShellNew\RakyatKelaparan.exe
%WinDir%\system32\cmd-brontok.exe
%WinDir%\system32\<UserName>'s Setting.scr
Where <rnd> is 4 random digits and <UserName> is the current user's name.
It adds the following keys to the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus" = "%Windir%\ShellNew\RakyatKelaparan.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus-<rnd>" = "%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\br<rnd>on.exe"
This ensures an automatic run of the worm at each system startup.
In addition, the Trojan creates scheduled tasks named «At1» and «At2», which run the «%SystemDrive%\Documents and Settings\User\Templates\<rnd>-NendangBro.com» file twice per day.
Spreading Via Email
The worm searches for email addresses in the Windows Address Book and in files with the following extensions:
HTML
HTM
TXT
EML
WAB
ASP
CFM
DOC
XLS
HTT
To send infected email messages, the worm uses the following mail server:
mta237.mail.re***2.ya***o.com
The server did not respond when the description was created.
Attachment
The worm attaches to the email a copy of its original file with one of the following names:
winword.exe
kangen.exe
ccapps.exe
syslove.exe
untukmu.exe
myheart.exe
my heart.exe
jangan dibuka.exe
Email Body
The email body is an HTML page that the worm extracts from its own body. The page looks as follows:
[screenshot of the HTML email body]
Upon opening the page, the user sees the following message:
[screenshot of the message]
Payload
The worm performs the following actions:
- checks for a connection to the Internet by visiting the following sites:
http://www.geocities.com/
http://www.20mbweb.com/News/
- modifies values in the following system registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"="1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"="1"
This prevents the user from running the registry editor and from changing Folder Options in Explorer.
- with a 2-second delay, tries to download files from the following URLs:
http://www.kas***s.com/?STOP-CONTENT-PORNOGRAFI.GoToHell
http://www.17ta***n.com/?STOP-CONTENT-PORNOGRAFI.GoToHell
http://www.fajar***b.com/?you=Stupid-AssHole&msg=IT-IS-SO-EASY-TO-BE-BETTER-THAN-YOU
The URLs did not respond when the description was created.
After a successful download, the file is saved in the worm's working directory under the following name:
%WorkDir%\JunkAtx.bin
- Adds a «pause» string to the «C:\Autoexec.bat» file;
In addition, the Trojan reboots the computer if it finds a window whose title contains one of the following substrings:
SECURE
SUPPORT
MASTER
MICROSOFT
VIRUS
HACK
CRACK
LINUX
AVG
GRISOFT
CILLIN
SECURITY
SYMANTEC
ASSOCIATE
VAKSIN
NORTON
NORMAN
PANDA
SOFT
SPAM
BLAH
YOUR
SOME
ASDF
@..@
WWW
VAKSIN
DEVELOP
PROGRAM
SOURCE
NETWORK
UPDATE
TEST
XXX
SMTP
EXAMPLE
CONTOH
INFO@
BILLING@
.ASP
.PHP
.HTM
.EXE
.JS
.VBS
DOMAIN
HIDDEN
DEMO
DEVELOP
FOO@
KOMPUTER
SENIOR
DARK
BLACK
BLEEP
FEEDBACK
IBM.
INTEL.
MACRO
ADOBE
FUCK
RECIPIENT
SERVER
PROXY
ZEND
ZDNET
CNET
DOWNLOAD
HP.
XEROX
CANON
SERVICE
ARCHIEVE
NETSCAPE
MOZILLA
OPERA
NOVELL
NEWS
UPDATE
RESPONSE
OVERTURE
GROUP
GATEWAY
RELAY
ALERT
SEKUR
CISCO
LOTUS
MICRO
TREND
SIEMENS
FUJITSU
NOKIA
W3.
NVIDIA
APACHE
MYSQL
POSTGRE
SUN.
SPERSKY
ZOMBIE
ADMIN
AVIRA
AVAST
TRUST
ESAVE
ESAFE
PROTECT
ALADDIN
ALERT
BUILDER
DATABASE
AHNLAB
PROLAND
ESCAN
HAURI
NOD32
SYBARI
ANTIGEN
ROBOT
ALWIL
BROWSE
COMPUSE
COMPUTE
SECUN
SPYW
REGIST
FREE
BUG
MATH
LAB
IEEE
KDE
TRACK
INFORMA
FUJI
@MAC
SLACK
REDHA
SUSE
BUNTU
XANDROS
@ABC
@123
LOOKSMART
SYNDICAT
ELEKTRO
ELECTRO
NASA
LUCENT
TELECOM
STUDIO
SIERRA
MUSERNAME
IPTEK
CLICK
SALES
PROMO
.CA.COM
REGISTRY
SYSTEM CONFIGURATION
COMMAND PROMPT
.EXE
SHUT DOWN
SCRIPT HOST
LOG OFF WINDOWS
KILLBOX
TASKKILL
TASK KILL
HIJACK
BLEEPING
SYSINTERNAL
PROCESS EXP
FAJARWEB
REMOVER
CLEANER
GROUP POLICY
Removal Recommendations
- Using Task Manager (How to End a Process with the Task Manager), terminate the Trojan process.
- Delete the original Trojan file (its file name and location depend on the way the Trojan originally penetrated the user's computer).
- Delete the following files:
%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\br<rnd>on.exe
%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\csrss.exe
%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\inetinfo.exe
%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\lsass.exe
%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\services.exe
%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\smss.exe
%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\svchost.exe
%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\winlogon.exe
%SystemDrive%\Documents and Settings\User\Start Menu\Programs\Startup\Empty.pif
%SystemDrive%\Documents and Settings\User\Templates\<rnd>-NendangBro.com
%WinDir%\KesenjanganSosial.exe
%WinDir%\ShellNew\RakyatKelaparan.exe
%WinDir%\system32\cmd-brontok.exe
%WinDir%\system32\<UserName>'s Setting.scr
%WorkDir%\JunkAtx.bin
- Delete the following registry keys (How to Work with System Registry):
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus" = "%Windir%\ShellNew\RakyatKelaparan.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus-<rnd>" = "%SystemDrive%\Documents and Settings\User\Local Settings\Application Data\br<rnd>on.exe"
- Change the values of the following registry keys back to the original ones (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"="1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"="1"
- Delete the scheduled tasks created by the worm with the following names:
At1
At2
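The installation artefacts listed under Installation and the removal steps above, as one added PowerShell script that is not part of the original description: in its default mode it only reports which of the named files, Run values, policy values and At1/At2 tasks are present, and with -Remove it stops the dropped copies by image path, deletes them, removes the registry values and deletes the tasks. Assumptions: $env:LOCALAPPDATA, $env:WINDIR and $env:USERNAME stand for the description's "Local Settings\Application Data" path, %WinDir% and <UserName>; the dropper's original location, %WorkDir%\JunkAtx.bin and the «pause» line in C:\Autoexec.bat are not located by the description, so the script does not cover them.

```powershell
# Added audit/removal helper for the Brontok.a artefacts named in this description (not the vendor's tool).
# Assumed mappings: $env:LOCALAPPDATA = Local Settings\Application Data,
# $env:WINDIR = %WinDir%, $env:USERNAME = <UserName>. Run from an elevated prompt.
param([switch]$Remove)                       # default is audit-only
$local = $env:LOCALAPPDATA
$run   = 'Software\Microsoft\Windows\CurrentVersion\Run'
$pol   = 'Software\Microsoft\Windows\CurrentVersion\Policies'

# Dropped files with fixed names
$paths = 'csrss.exe','inetinfo.exe','lsass.exe','services.exe','smss.exe','svchost.exe','winlogon.exe' |
         ForEach-Object { Join-Path $local $_ }
$paths += Join-Path ([Environment]::GetFolderPath('Startup')) 'Empty.pif'
$paths += "$env:WINDIR\KesenjanganSosial.exe", "$env:WINDIR\ShellNew\RakyatKelaparan.exe",
          "$env:WINDIR\system32\cmd-brontok.exe", "$env:WINDIR\system32\$env:USERNAME's Setting.scr"
$found = @($paths | Where-Object { Test-Path -LiteralPath $_ })
# Randomised names: br<rnd>on.exe and <rnd>-NendangBro.com, where <rnd> is 4 digits
$found += @(Get-ChildItem -LiteralPath $local -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^br\d{4}on\.exe$' } | Select-Object -ExpandProperty FullName)
$found += @(Get-ChildItem -LiteralPath ([Environment]::GetFolderPath('Templates')) -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^\d{4}-NendangBro\.com$' } | Select-Object -ExpandProperty FullName)

# Registry: the two Run values and the two policy values set to 1
$reg = @()
if (Get-ItemProperty "HKLM:\$run" -Name 'Bron-Spizaetus' -ErrorAction SilentlyContinue) {
    $reg += @{ Key = "HKLM:\$run"; Name = 'Bron-Spizaetus' } }
$cu = Get-ItemProperty "HKCU:\$run" -ErrorAction SilentlyContinue
foreach ($v in @($cu.PSObject.Properties | Where-Object { $_.Name -match '^Tok-Cirrhatus-\d{4}$' })) {
    $reg += @{ Key = "HKCU:\$run"; Name = $v.Name } }
foreach ($p in @{ Key = "HKCU:\$pol\Explorer"; Name = 'NoFolderOptions' },
              @{ Key = "HKCU:\$pol\System";   Name = 'DisableRegistryTools' }) {
    $v = Get-ItemProperty $p.Key -Name $p.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($p.Name) -eq 1) { $reg += $p }
}
# Scheduled tasks At1 / At2 (schtasks exits non-zero when the task does not exist)
$tasks = @('At1','At2' | Where-Object { $null = schtasks /Query /TN $_ 2>&1; $LASTEXITCODE -eq 0 })

$found | ForEach-Object { "FILE  $_" }
$reg   | ForEach-Object { "REG   $($_.Key) : $($_.Name)" }
$tasks | ForEach-Object { "TASK  $_" }

if ($Remove) {
    # Match running copies by image path, not by name: the drops impersonate csrss, lsass, etc.
    Get-Process | Where-Object { $_.Path -and ($found -contains $_.Path) } | Stop-Process -Force
    $found | ForEach-Object { Remove-Item -LiteralPath $_ -Force }
    # Removing the Run and policy values restores the defaults (none of them exist on a clean profile)
    $reg   | ForEach-Object { Remove-ItemProperty -Path $_.Key -Name $_.Name }
    $tasks | ForEach-Object { schtasks /Delete /TN $_ /F | Out-Null }
}
```

Run it once without -Remove to review the findings, since the dropped files share names with real system binaries and only the paths under the user's local profile are the worm's copies.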