English

Log in

Search

The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service.

Internet threat level: 1

Read us on

Home→Descriptions→Email-Worm.Win32.Brontok.q

Email-Worm.Win32.Brontok.q

Detected	Oct 11 2006 12:49 GMT
Released	Aug 21 2007 11:52 GMT
Published	Oct 11 2006 12:49 GMT

Technical Details
Payload

Technical Details

This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file written in Visual Basic. The size of the infected file can vary significantly. The functionality described below is characteristic of the most common variants of this worm.

Installation

When the infected file is first launched, the user will see a Windows Explorer window, with an open 'My Pictures' folder.

When installing, the worm modifies the following keys of the system registry, disabling system registry tools, the command line, and displaying files and folders in Windows Explorer.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"="1"
"DisableCMD"="0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"="0"
"HideFileExt"="1"
"ShowSuperHidden"="0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"="1"

For example, the following message will be displayed when the registry editor is launched:

The worm then gets a path to Application Data for the current user (%UserProfile%\Local Settings\Application Data) and copies its body to this directory under the following names:

%UserProfile%\Local Settings\Application Data\br<random number>on.exe
%UserProfile%\Local Settings\Application Data\csrss.exe
%UserProfile%\Local Settings\Application Data\inetinfo.exe
%UserProfile%\Local Settings\Application Data\lsass.exe
%UserProfile%\Local Settings\Application Data\services.exe
%UserProfile%\Local Settings\Application Data\smss.exe
%UserProfile%\Local Settings\Application Data\svchost.exe
%UserProfile%\Local Settings\Application Data\winlogon.exe

A text file called Kosong.Bron.Tok.txt (51 bytes in size) is also created in this directory. The file has the following contents:

Brontok.A
By: HVM31
-- JowoBot #VM Community --

The worm also copies its body to the Windows root directory (%WinDir%) under the following name:

%WinDir%\sembako-<random symbols>.exe

and to the ShellNew subdirectory under a name generated as follows: bbm-<random symbols>.exe:

%WinDir%\ShellNew\bbm-<random symbols>.exe

and to the Windows system directory under the following names:

%System%\DXBLBO.exe
%System%\cmd-bro-<random symbols>.exe
%System%\%UserName%'s Setting.scr

The worm also copies itself to the Start menu Autorun directory as Empty.pif:

%UserProfile%\%Autorun%\Empty.pif

and to the Document Template subdirectory:

%UserProfile%\Templates\<random number>-NendangBro.com

and to the My Pictures directory of the current user:

%MyPictures%\Mypictures.exe

An HTML page called about.Brontok.A.html is also created in this directory:

When this page is viewed using the browser, the following message is displayed:

This page contains the contents of the email message which the worm sends to email addresses harvested from the victim machine.

The copies of the worm will then be registered in the system registry to ensure that they are launched automatically:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"=""
"Bron-Spizaetus-<random symbols>"="%WinDir%\ShellNew\bbm-<random symbols>.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"=""
"Tok-Cirrhatus-<random number>"="%UserProfile%\Local Settings\Application Data\br<random number>on .exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe "%WinDir%\sembako-<random symbols>.exe""

[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd-bro-<random symbols>.exe"

Once installed, the worm creates a file called sistem.sys in the Windows system directory. This file contains the date and time the worm was installed to the victim machine in the following format: mmddhhmm, where mm stands for the month, dd for the data, hh for the hour, and mm for the minute.

Propagation via email

The worm harvests addresses from the MS Windows address books and from files with the following extensions:

ASP
CFM
CSV
DOC
EML
HTM
HTML
PHP
TXT
WAB

All the harvested addresses are saved to %AppData%\Loc.Mail.Bron.Tok as files with email address names, an .ini extension and the following text:

Brontok.A
By: HVM31
-- JowoBot #VM Community –

A directory called Ok-SendMail-Bron-tok is created, and the addresses which messages are sent to are saved to this file.

When sending infected messages the worm uses its own SMTP engine.

Infected messages

Attachment name (chosen from the list below):

ccapps.exe
jangan dibuka.exe
kangen.exe
my heart.exe
myheart.exe
syslove.exe
untukmu.exe
winword.exe

Message text:

The HTML page shown above acts as the text of infected messages.

Payload

The worm checks the header of the open window, and if one of the following strings is present in the header, it will reboot the system:

..
.@
@.
.ASP
.EXE
.HTM
.JS
.PHP
ADMIN
ADOBE
AHNLAB
ALADDIN
ALERT
ALWIL
ANTIGEN
APACHE
APPLICATION
ARCHIEVE
ASDF
ASSOCIATE
AVAST
AVG
AVIRA
BILLING@
BLACK
BLAH
BLEEP
BUILDER
CANON
CENTER
CILLIN
CISCO
CMD.
CNET
COMMAND
COMMAND PROMPT
CONTOH
CONTROL
CRACK
DARK
DATA
DATABASE
DEMO
DETIK
DEVELOP
DOMAIN
DOWNLOAD
ESAFE
ESAVE
ESCAN
EXAMPLE
FEEDBACK
FIREWALL
FOO@
FUCK
FUJITSU
GATEWAY
GOOGLE
GRISOFT
GROUP
HACK
HAURI
HIDDEN
HP.
IBM.
INFO@
INTEL.
KOMPUTER
LINUX
LOG OFF WINDOWS
LOTUS
MACRO
MALWARE
MASTER
MCAFEE
MICRO
MICROSOFT
MOZILLA
MYSQL
NETSCAPE
NETWORK
NEWS
NOD32
NOKIA
NORMAN
NORTON
NOVELL
NVIDIA
OPERA
OVERTURE
PANDA
PATCH
POSTGRE
PROGRAM
PROLAND
PROMPT
PROTECT
PROXY
RECIPIENT
REGISTRY
RELAY
RESPONSE
ROBOT
SCAN
SCRIPT HOST
SEARCH R
SECURE
SECURITY
SEKUR
SENIOR
SERVER
SERVICE
SHUT DOWN
SIEMENS
SMTP
SOFT
SOME
SOPHOS
SOURCE
SPAM
SPERSKY
SUN.
SUPPORT
SYBARI
SYMANTEC
SYSTEM CONFIGURATION
TEST
TREND
TRUST
UPDATE
UTILITY
VAKSIN
VIRUS
W3.
WINDOWS SECURITY.VBS
WWW
XEROX
XXX
YOUR
ZDNET
ZEND
ZOMBIE

The worm also modifies the contents of autoexec.bat in the C: root directory, adding "pause" to it.

Print

Share

Malicious programs

Viruses and worms

Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

using a direct connection to a SMTP server using the email directory built into the worm’s code
using MS Outlook services
using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

the address book in MS Outlook
a WAB address database
.txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.

Other versions

Email-Worm.Win32.Brontok.a

Aliases

Email-Worm.Win32.Brontok.q (Kaspersky Lab) is also known as:

Worm:Win32/Brontok.R@mm (MS(OneCare))
I-Worm.Brontok!5VTBFMXHQsM (VirusBuster)
Email-Worm.Win32.Brontok (Ikarus)
Email-Worm.Win32.Brontok.ik (v) (Sunbelt)
I-Worm.Brontok!5VTBFMXHQsM (VirusBusterBeta)
W32/Brontok.C@mm (Fortinet)