
HackTool.Win32.Brontok.a

Detected Aug 06 2007 13:24 GMT
Released Aug 06 2007 13:24 GMT
Published Feb 01 2006 16:56 GMT

Technical Details

This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file approximately 41KB in size.

Installation

When installing, the worm copies itself to the directories listed below, under the following names:

%Documents and Settings%\User\Local Settings\Application Data\csrss.exe
%Documents and Settings%\User\Local Settings\Application Data\inetinfo.exe
%Documents and Settings%\User\Local Settings\Application Data\lsass.exe
%Documents and Settings%\User\Local Settings\Application Data\services.exe
%Documents and Settings%\User\Local Settings\Application Data\smss.exe
%Documents and Settings%\User\Local Settings\Application Data\winlogon.exe
%Documents and Settings%\User\Start Menu\Programs\Startup\Empty.pif
%Documents and Settings%\User\Templates\WowTumpeh.com
%System%\<user name>'s Setting.scr
%Windir%\eksplorasi.pif
%Windir%\ShellNew\bronstab.exe

The worm then registers itself in the system registry, ensuring that the worm file will be launched each time Windows is rebooted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="%Windir%\ShellNew\bronstab.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"="%Documents and Settings%\User\Local Settings\Application Data\smss.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %Windir%\eksplorasi.pif"

The worm also modifies the following system registry values, which block access to some Windows applications and settings (e.g. the registry editor, folder options and file properties):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"="1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]
"Hidden"="0"
"ShowSuperHidden"="0"
"HideFileExt"="1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"="1"
"DisableCMD"="0"

The worm creates the following folder:

%Documents and Settings%\User\Local Settings\Application Data\Bron.tok-XX

where XX is two random numbers.
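The persistence indicators above (two Run values, the Winlogon Shell change, the Explorer and policy values, and the dropped file names) can be checked offline from a registry export and a file listing. The script below is an added example and is not Kaspersky's code; it parses a .reg-style export and a list of paths (both constructed samples, with the invented user name "alice") and reports matches. Run values and the Shell change are distinctive and reported as high confidence; the policy and Explorer values can also be set legitimately by administrators, so they are reported only as corroborating.

```python
"""Offline check for the Brontok.a persistence indicators (added example, not Kaspersky's code)."""
import re

# Registry keys from the write-up, in .reg export spelling.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPLORER_POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SYSTEM_POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Value names the worm registers under Run; distinctive, not seen on clean machines.
RUN_VALUE_NAMES = {"Bron-Spizaetus", "Tok-Cirrhatus"}

# (key, value name) -> value the worm writes.  Administrators can set these too,
# so a match alone is only corroborating evidence.
POLICY_TAMPERING = {
    (EXPLORER_POLICY, "NoFolderOptions"): "1",
    (ADVANCED_KEY, "Hidden"): "0",
    (ADVANCED_KEY, "ShowSuperHidden"): "0",
    (ADVANCED_KEY, "HideFileExt"): "1",
    (SYSTEM_POLICY, "DisableRegistryTools"): "1",
}

# Dropped names: the look-alikes legitimately live in System32 and are only
# suspicious elsewhere; the distinctive names are suspicious anywhere.
LOOKALIKE_NAMES = {"csrss.exe", "inetinfo.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe"}
DISTINCTIVE_NAMES = {"empty.pif", "wowtumpeh.com", "eksplorasi.pif", "bronstab.exe"}

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg_export(text):
    """Parse .reg text into {key (lowercased): {name: value}}.

    String values have the .reg backslash escaping undone; DWORDs are
    normalised to decimal strings so "1" equals dword:00000001.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, sval, dval = m.groups()
            keys[current][name] = sval.replace("\\\\", "\\") if sval is not None else str(int(dval, 16))
    return keys


def find_brontok_persistence(reg_text):
    """Return (key, value name, value, confidence) tuples for matching indicators."""
    keys = parse_reg_export(reg_text)
    findings = []
    for name, value in keys.get(RUN_KEY.lower(), {}).items():
        if name in RUN_VALUE_NAMES:
            findings.append((RUN_KEY, name, value, "high"))
    # The worm appends its .pif to the Winlogon shell so it starts with Explorer;
    # anything other than a bare "Explorer.exe" deserves a look.
    shell = keys.get(WINLOGON_KEY.lower(), {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append((WINLOGON_KEY, "Shell", shell, "high"))
    for (key, name), bad in POLICY_TAMPERING.items():
        if keys.get(key.lower(), {}).get(name) == bad:
            findings.append((key, name, bad, "corroborating"))
    return findings


def find_dropped_files(paths):
    """Return the paths whose file name matches a Brontok.a drop location."""
    hits = []
    for path in paths:
        directory, _, base = path.replace("/", "\\").rpartition("\\")
        base = base.lower()
        if base in DISTINCTIVE_NAMES or base.endswith("'s setting.scr"):
            hits.append(path)
        elif base in LOOKALIKE_NAMES and not directory.lower().endswith("\\system32"):
            hits.append(path)
    return hits


# Constructed sample export: values mirror the write-up, user name "alice" is invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="C:\\WINDOWS\\ShellNew\\bronstab.exe"
"Tok-Cirrhatus"="C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\smss.exe"
"SomeUpdater"="C:\\Program Files\\Vendor\\upd.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\eksplorasi.pif"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""

# Constructed file listing: one legitimate csrss.exe in System32, three drop locations, one unrelated file.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\csrss.exe",
    r"C:\WINDOWS\ShellNew\bronstab.exe",
    r"C:\WINDOWS\system32\alice's Setting.scr",
    r"C:\Program Files\Vendor\upd.exe",
]

if __name__ == "__main__":
    for key, name, value, confidence in find_brontok_persistence(SAMPLE_REG):
        print("%-13s %s\\%s = %s" % (confidence, key, name, value))
    for path in find_dropped_files(SAMPLE_PATHS):
        print("dropped file  %s" % path)
```

On a live host the same checks map to reg.exe export output and a recursive directory listing; cleaning up means deleting the two Run values, restoring "Shell" to "Explorer.exe", resetting the policy values and removing the dropped files, in that order, so the worm is not relaunched by the next logon.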

Propagation via email

The worm harvests email addresses from files with the following extensions:

asp
cfm
csv
doc
eml
html
php
txt
wab

It does not harvest addresses which contain the following strings:

ADMIN
AHNLAB
ALADDIN
ALERT
ALWIL
ANTIGEN
ASSOCIATE
AVAST
AVIRA
BILLING@
BUILDER
CILLIN
CONTOH
CRACK
DATABASE
DEVELOP
ESAFE
ESAVE
ESCAN
EXAMPLE
GRISOFT
HAURI
INFO@
LINUX
MASTER
MICROSOFT
NETWORK
NOD32
NORMAN
NORTON
PANDA
PROGRAM
PROLAND
PROTECT
ROBOT
SECURITY
SOURCE
SYBARI
SYMANTEC
TRUST
UPDATE
VAKSIN
VIRUS

When sending infected messages, it establishes a direct connection to the recipient's SMTP server.

Infected messages

Message subject

<empty field>

Attachment names

Kangen.exe
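The message indicators above (an empty subject line and an attachment named Kangen.exe) are easy to check at a mail gateway. The script below is an added example, not Kaspersky's code: it parses a raw message with Python's standard email library and reports the attachment name and the empty-subject-plus-executable combination separately, so either one can be tuned on its own. The two messages are constructed samples, and the choice of executable extensions (.exe, .scr, .pif, .com, the types the worm drops) is an assumption of the example.

```python
"""Mail-gateway check for the Brontok.a message indicators (added example, not Kaspersky's code)."""
import email
from email import policy

BRONTOK_ATTACHMENT = "kangen.exe"
# Assumed executable extensions to pair with an empty Subject.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com")


def classify_message(raw):
    """Return the list of matched reasons for a raw RFC 822 message; empty means no match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "") or "").strip()
    # iter_attachments skips the body part(s) and yields only real attachments.
    names = [(part.get_filename() or "").strip() for part in msg.iter_attachments()]
    reasons = []
    if any(n.lower() == BRONTOK_ATTACHMENT for n in names):
        reasons.append("attachment named Kangen.exe")
    if subject == "" and any(n.lower().endswith(EXECUTABLE_SUFFIXES) for n in names):
        reasons.append("empty Subject with executable attachment")
    return reasons


# Constructed sample: empty Subject, one executable attachment (payload bytes are not a real program).
SAMPLE_INFECTED = b"""\
From: alice@example.com
To: bob@example.com
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="brontok-sample"

--brontok-sample
Content-Type: text/plain

--brontok-sample
Content-Type: application/octet-stream; name="Kangen.exe"
Content-Disposition: attachment; filename="Kangen.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--brontok-sample--
"""

# Constructed sample: ordinary message with a PDF attachment.
SAMPLE_CLEAN = b"""\
From: carol@example.com
To: bob@example.com
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="clean-sample"

--clean-sample
Content-Type: text/plain

Attached as discussed.
--clean-sample
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--clean-sample--
"""

if __name__ == "__main__":
    for label, raw in (("infected sample", SAMPLE_INFECTED), ("clean sample", SAMPLE_CLEAN)):
        print(label, "->", classify_message(raw) or ["no match"])
```

Matching on the attachment name alone is the precise rule; the empty-subject rule is broader and will also catch other mass mailers, so it is worth logging at a lower severity than an outright block.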

Other

If the worm finds an open window with the following strings in the name, it will reboot the victim machine:

.exe
Registry

HackTool

HackTool programs are used to add new accounts to the list of users permitted on a system, and to delete information from system logs in order to hide the malicious user's presence on the system. These programs are also used to analyze and collect network packets in order to carry out specific malicious actions.

Malicious users employ HackTool programs when setting up attacks on local or remote computers.


Aliases

HackTool.Win32.Brontok.a (Kaspersky Lab) is also known as:

  • IM-Flooder.Win32.Brontok.a (Kaspersky Lab)
  • Trojan.Win32.Brontok.a (Kaspersky Lab)
  • Constructor.Win32.Brontok.a (Kaspersky Lab)
  • IM-Worm.Win32.Brontok.a (Kaspersky Lab)
  • Email-Worm.Win32.Brontok.a (Kaspersky Lab)
  • Virus: W32/Rontokbro@MM!e (McAfee)
  • Worm.Brontok.V (ClamAV)
  • Win32:Brontok-B [Wrm] (AVAST)
  • IM-Worm.Win32.Sumom (Ikarus)
  • I-Worm/Brontok.OU (AVG)
  • WORM/Korbo.A (AVIRA)
  • W32/Rontokbro (Norman)
  • Trojan.Win32.Mnless.dyr (Rising)
  • Email-Worm.Win32.Brontok.a [AVP] (FSecure)
  • Trojan.Win32.Generic.pak!cobra (Sunbelt)