Worm.Brontok Description

Worm.Brontok is a mass mailing worm that is spread through an email attachment. The subject of the infected email will be either “Fotoku yg Paling Cantik” or “My Best Photo”. The Worm.Brontok’s email text reads:

From: “angelina_ph@[recipient’s domain]” or “jennifer_sh@[recipient’s domain]”
Subject: “Fotoku yg Paling Cantik” or “My Best Photo”
Message text:
“Hi,
Aku lg iseng aja pengen kirim foto ke kamu.
Jangan lupain aku ya !.
Thanks”
or
“Hi,
I want to share my photo with you.
Wishing you all the best.
Regards,”
Attachment name: Photo.zip

Once the Worm.Brontok file is executed it replicates itself to Windows system folder and to other folders such as:

csrss.exe
inetinfo.exe
lsass.exe
services.exe
smss.exe
norBtok.exe
cvt.exe
IDTemplate.exe
3D Animation.scr
A.kotnorB.com
Empty.pif
KANGEN.EXE
winlogon.exe

The Worm.Brontok also changes the registry run section so it may load automatically on subsequent startups. Below are the registry modifications:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus = “%UserProfile%\Application Data\smss.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus = “%Windows%\INF\norBtok.exe”

Worm.Brontok can disable the user’s system registry tools and the command line (cmd.exe) in order to avoid detection and to make manual removal difficult. Worm.Brontok is a malicious worm and should be removed from the users PC immediately.

Type: Worms

Automatic Detection of Worm.Brontok

Worm.Brontok Technical Report

As new Worm.Brontok details are reported by our customers and findings from our Threat Research Center, we will update this section.

The following Worm.Brontok files with its MD5s were created in the system:

Worm.Brontok has typically the following processes in memory:

• EKSPLORASI.EXE
• BRONSTAB.EXE

Worm.Brontok creates the following registry entries:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tok-cirrhatus

Important Article Disclaimer