
Email-Worm.Win32.Brontok.a

Detected Feb 01 2006 16:56 GMT
Released Aug 06 2007 12:11 GMT
Published Feb 01 2006 16:56 GMT

Technical Details

This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file approximately 41KB in size.

Installation

When installing, the worm copies itself to the directories listed below, under the following names:

%Documents and Settings%\User\Local Settings\Application Data\csrss.exe
%Documents and Settings%\User\Local Settings\Application Data\inetinfo.exe
%Documents and Settings%\User\Local Settings\Application Data\lsass.exe
%Documents and Settings%\User\Local Settings\Application Data\services.exe
%Documents and Settings%\User\Local Settings\Application Data\smss.exe
%Documents and Settings%\User\Local Settings\Application Data\winlogon.exe
%Documents and Settings%\User\Start Menu\Programs\Startup\Empty.pif
%Documents and Settings%\User\Templates\WowTumpeh.com
%System%\<user name>'s Setting.scr
%Windir%\eksplorasi.pif
%Windir%\ShellNew\bronstab.exe

The worm then registers itself in the system registry, ensuring that the worm file will be launched each time Windows is rebooted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="%Windir%\ShellNew\bronstab.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"="%Documents and Settings%\User\Local Settings\Application Data\smss.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %Windir%\eksplorasi.pif"

The worm also sets the following registry values, which disable some Windows features (the Folder Options dialog and the Registry Editor) and make Explorer hide file extensions and hidden/system files, so the dropped files are harder to notice. Note that DisableCMD is written as 0, so the command prompt stays available:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"="1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]
"Hidden"="0"
"ShowSuperHidden"="0"
"HideFileExt"="1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"="1"
"DisableCMD"="0"

The worm creates the following folder:

%Documents and Settings%\User\Local Settings\Application Data\Bron.tok-XX

where XX is two random digits.
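The persistence entries, policy values and dropped-file names listed above are usable as host indicators. The following is an added example (not Kaspersky Lab's code) of checking them offline against a `reg export` text and a list of file paths gathered from a suspect machine; the .reg sample and the path list are constructed for this example, and the severity labels are this example's own choice. Copies of csrss.exe, smss.exe and the other system-process names are only flagged under Local Settings\Application Data, because the genuine files live in %System%.

```python
import re
from collections import defaultdict

# Hive names as "reg export" writes them, mapped to the short forms used in the
# listing above, so the indicators can be written the way the page writes them.
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Persistence value names the worm writes under HKLM\...\CurrentVersion\Run.
RUN_VALUE_NAMES = {"bron-spizaetus", "tok-cirrhatus"}

# Policy/Explorer values from the listing: (key, value name) -> value the worm
# sets. DisableCMD is deliberately absent because the worm leaves it at 0.
POLICY_VALUES = {
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions"): "1",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced", "Hidden"): "0",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced", "ShowSuperHidden"): "0",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced", "HideFileExt"): "1",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): "1",
}

# Dropped-file names from the listing (system-process names only in the user profile).
DROPPED_FILES = re.compile(
    r"(\\Local Settings\\Application Data\\(csrss|inetinfo|lsass|services|smss|winlogon)\.exe"
    r"|\\Local Settings\\Application Data\\Bron\.tok-\d{2}\\?"
    r"|\\Startup\\Empty\.pif|\\Templates\\WowTumpeh\.com|'s Setting\.scr"
    r"|\\eksplorasi\.pif|\\ShellNew\\bronstab\.exe)$",
    re.IGNORECASE,
)


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers plus
    "name"="string" and "name"=dword:xxxxxxxx values. Returns {key: {name: value}}
    with hive names shortened and dword values rendered as decimal strings."""
    keys, current = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            for long_name, short in HIVES.items():
                if current.upper().startswith(long_name):
                    current = short + current[len(long_name):]
            continue
        m = re.match(r'^(?:"([^"]+)"|@)=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
        if m and current is not None:
            name = m.group(1) or "(Default)"
            if m.group(2) is not None:   # .reg escapes backslashes and quotes
                value = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            else:
                value = str(int(m.group(3), 16))
            keys[current][name] = value
    return keys


def check_registry(keys):
    """Return (severity, description) findings for the registry indicators."""
    norm = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in keys.items()}
    findings = []
    for name, value in norm.get(r"hklm\software\microsoft\windows\currentversion\run", {}).items():
        if name in RUN_VALUE_NAMES:
            findings.append(("high", f"Run value {name!r} -> {value}"))
    shell = norm.get(r"hklm\software\microsoft\windows nt\currentversion\winlogon", {}).get("shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("high", f"Winlogon Shell hijacked: {shell}"))
    for (key, name), bad in POLICY_VALUES.items():
        if norm.get(key.lower(), {}).get(name.lower()) == bad:
            findings.append(("medium", f"{name}={bad} under {key}"))
    return findings


def check_files(paths):
    """Flag paths matching the dropped-file names."""
    return [("high", p) for p in paths if DROPPED_FILES.search(p)]


# Constructed sample export: an infected profile "alice" plus one benign Run value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Bron-Spizaetus"="C:\\WINDOWS\\ShellNew\\bronstab.exe"
"Tok-Cirrhatus"="C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\smss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\eksplorasi.pif"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
"Hidden"=dword:00000000
'''

# Constructed sample file listing; the first entry is the genuine smss.exe.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\smss.exe",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\smss.exe",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\Bron.tok-17",
    r"C:\WINDOWS\ShellNew\bronstab.exe",
    r"C:\WINDOWS\system32\alice's Setting.scr",
]

if __name__ == "__main__":
    for sev, what in check_registry(parse_reg_export(SAMPLE_REG)) + check_files(SAMPLE_PATHS):
        print(f"[{sev}] {what}")
```

The Winlogon check does not look for eksplorasi.pif specifically: any Shell value other than plain Explorer.exe is worth a look, since the same hijack is used by other families. The policy values are rated lower because administrators legitimately set them through Group Policy; on their own they are corroboration, not proof.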

Propagation via email

The worm harvests email addresses from files with the following extensions:

asp
cfm
csv
doc
eml
html
php
txt
wab

It skips any address containing one of the following strings (most of them identify administrators, anti-virus vendors or sample addresses):

ADMIN
AHNLAB
ALADDIN
ALERT
ALWIL
ANTIGEN
ASSOCIATE
AVAST
AVIRA
BILLING@
BUILDER
CILLIN
CONTOH
CRACK
DATABASE
DEVELOP
ESAFE
ESAVE
ESCAN
EXAMPLE
GRISOFT
HAURI
INFO@
LINUX
MASTER
MICROSOFT
NETWORK
NOD32
NORMAN
NORTON
PANDA
PROGRAM
PROLAND
PROTECT
ROBOT
SECURITY
SOURCE
SYBARI
SYMANTEC
TRUST
UPDATE
VAKSIN
VIRUS

To send infected messages, the worm uses its own SMTP engine and connects directly to the recipient's mail server, rather than going through a mail client installed on the victim machine.
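The harvesting rules above determine which mailboxes ever receive a copy, which matters when deciding where to look for samples: an address containing ADMIN, SECURITY or a vendor name is never mailed. The following added example (not the worm's code, and not Kaspersky Lab's) reproduces the file-extension filter and the skip list over a constructed set of files. It assumes the substring comparison is case-insensitive, which the page does not state, and it treats file contents as text where the real worm reads raw bytes (including binary .doc and .wab files).

```python
import re

# File extensions the worm opens when harvesting (list above).
HARVEST_EXTENSIONS = {"asp", "cfm", "csv", "doc", "eml", "html", "php", "txt", "wab"}

# Substrings that cause an address to be discarded (list above). Given in upper
# case on the page; case-insensitive matching is this example's assumption.
SKIP_SUBSTRINGS = [
    "ADMIN", "AHNLAB", "ALADDIN", "ALERT", "ALWIL", "ANTIGEN", "ASSOCIATE", "AVAST",
    "AVIRA", "BILLING@", "BUILDER", "CILLIN", "CONTOH", "CRACK", "DATABASE", "DEVELOP",
    "ESAFE", "ESAVE", "ESCAN", "EXAMPLE", "GRISOFT", "HAURI", "INFO@", "LINUX",
    "MASTER", "MICROSOFT", "NETWORK", "NOD32", "NORMAN", "NORTON", "PANDA", "PROGRAM",
    "PROLAND", "PROTECT", "ROBOT", "SECURITY", "SOURCE", "SYBARI", "SYMANTEC", "TRUST",
    "UPDATE", "VAKSIN", "VIRUS",
]

# Simple address pattern; good enough for text, HTML and CSV content.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def would_scan(path):
    """True if the file's extension is one the worm reads."""
    name = path.rsplit("\\", 1)[-1]
    return "." in name and name.rsplit(".", 1)[-1].lower() in HARVEST_EXTENSIONS


def filter_addresses(addresses):
    """Split addresses into (targets, skipped) using the worm's skip list."""
    targets, skipped = [], []
    for addr in addresses:
        upper = addr.upper()
        (skipped if any(s in upper for s in SKIP_SUBSTRINGS) else targets).append(addr)
    return targets, skipped


def simulate_harvest(files):
    """files: {path: content}. Returns (targets, skipped, ignored_paths); addresses
    are de-duplicated case-insensitively and kept in first-seen order."""
    seen, found, ignored = set(), [], []
    for path, content in files.items():
        if not would_scan(path):
            ignored.append(path)
            continue
        for addr in EMAIL_RE.findall(content):
            if addr.lower() not in seen:
                seen.add(addr.lower())
                found.append(addr)
    targets, skipped = filter_addresses(found)
    return targets, skipped, ignored


# Constructed sample files (paths and contents invented for this example).
SAMPLE_FILES = {
    r"C:\Documents and Settings\alice\My Documents\contacts.csv":
        "Alice,alice@contoso.test\nBob,bob.smith@fabrikam.test\nHelpdesk,info@contoso.test\n",
    r"C:\Inetpub\wwwroot\about.html":
        '<a href="mailto:webmaster@contoso.test">webmaster</a> security@contoso.test',
    r"C:\Documents and Settings\alice\Desktop\notes.log":
        "carol@example.test",  # .log is not on the list, so it is never opened
    r"C:\Program Files\AV\readme.txt":
        "support@symantec.test virus-reports@vendor.test developer@shop.test",
}

if __name__ == "__main__":
    targets, skipped, ignored = simulate_harvest(SAMPLE_FILES)
    print("targets:", targets)
    print("skipped:", skipped)
    print("ignored:", ignored)
```

Running it on the sample shows why the skip list is effective from the author's point of view: of eight addresses present on disk, only two ordinary users would be mailed, and every helpdesk, webmaster, security and vendor mailbox is left alone.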

Infected messages

Message subject

<empty field>

Attachment names

Kangen.exe
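An empty Subject plus an executable attachment is a usable mail-gateway rule, with the fixed attachment name as the high-confidence case. The following added example (not Kaspersky Lab's code) applies that rule to raw messages with Python's standard email parser; the three messages are constructed for the example, and the attachment payloads are placeholders, not Brontok samples.

```python
import email
from email import policy

# Attachment suffixes Windows will run directly; covers the worm's own file types.
EXECUTABLE_SUFFIXES = (".exe", ".pif", ".scr", ".com")


def attachment_names(raw):
    """Filenames of every attachment part in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def classify(raw):
    """'brontok' for the exact signature above (empty Subject, Kangen.exe),
    'executable-attachment' for any other executable attachment, else 'clean'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    executables = [n for n in attachment_names(raw) if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    if subject == "" and any(n.lower() == "kangen.exe" for n in executables):
        return "brontok"
    if executables:
        return "executable-attachment"
    return "clean"


def build_message(subject, filename, content_type):
    """Constructed two-part message; the attachment body is a placeholder."""
    return (
        f"From: alice@contoso.test\r\nTo: bob@fabrikam.test\r\nSubject:{subject}\r\n"
        "MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
        "--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        f"--b1\r\nContent-Type: {content_type}; name=\"{filename}\"\r\n"
        f"Content-Disposition: attachment; filename=\"{filename}\"\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n--b1--\r\n"
    ).encode()


WORM_MSG = build_message("", "Kangen.exe", "application/octet-stream")
OTHER_EXE_MSG = build_message(" Invoice", "invoice.exe", "application/octet-stream")
CLEAN_MSG = build_message(" Quarterly report", "report.pdf", "application/pdf")

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MSG), ("other", OTHER_EXE_MSG), ("clean", CLEAN_MSG)):
        print(label, "->", classify(raw))
```

Because the worm delivers directly to the recipient's mail server, this check belongs on the inbound MX or gateway, where it sees the message before any client-side filtering.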

Other

If the worm finds an open window whose title contains either of the following strings, it reboots the victim machine, which cuts short attempts to inspect it with tools such as the Registry Editor:

.exe
Registry

Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

  • using a direct connection to an SMTP server, with the SMTP client code built into the worm itself
  • using MS Outlook services
  • using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.


Aliases

Email-Worm.Win32.Brontok.a (Kaspersky Lab) is also known as:

  • HackTool.Win32.Brontok.a (Kaspersky Lab)
  • IM-Flooder.Win32.Brontok.a (Kaspersky Lab)
  • Trojan.Win32.Brontok.a (Kaspersky Lab)
  • Constructor.Win32.Brontok.a (Kaspersky Lab)
  • IM-Worm.Win32.Brontok.a (Kaspersky Lab)
  • Virus: W32/Rontokbro.gen@MM (McAfee)
  • W32/Brontok-BZ (Sophos)
  • Worm.Brontok.AF (ClamAV)
  • Malicious Packer (Panda)
  • W32/Broktok.GC@mm (FPROT)
  • Worm:Win32/Brontok.L@mm (MS(OneCare))
  • Win32.HLLM.Generic.440 (DrWeb)
  • Win32/Brontok worm (Nod32)
  • Win32.Brontok.MO (BitDef7)
  • I-Worm.Brontok.CU (VirusBuster)
  • Win32:Brontok-AA [Wrm] (AVAST)
  • Email-Worm.Win32.Brontok (Ikarus)
  • I-Worm/Brontok.EE (AVG)
  • W32.Rontokbro@mm (NAV)
  • Worm.Mail.Brontok.kx (Rising)
  • Email-Worm:W32/Brontok.AS [FSE] (FSecure)
  • I-Worm.Brontok.CU (VirusBusterBeta)