Threat Database Worms Worm.Brontok

Worm.Brontok

By GoldSparrow in Worms

Threat Scorecard

Ranking: 2,286
Threat Level: 50 % (Medium)
Infected Computers: 57,172
First Seen: July 24, 2009
Last Seen: July 12, 2024
OS(es) Affected: Windows

Worm.Brontok is a mass mailing worm that is spread through an email attachment. The subject of the infected email will be either "Fotoku yg Paling Cantik" or "My Best Photo". The Worm.Brontok's email text reads:

From: "angelina_ph@[recipient’s domain]" or "jennifer_sh@[recipient’s domain]"

Subject: "Fotoku yg Paling Cantik" or "My Best Photo"

Message text:

"Hi,

Aku lg iseng aja pengen kirim foto ke kamu.

Jangan lupain aku ya !.

Thanks"

or

"Hi,

I want to share my photo with you.

Wishing you all the best.

Regards,"

Attachment name: Photo.zip

Once the Worm.Brontok file is executed it replicates itself to Windows system folder and to other folders such as:

csrss.exe

inetinfo.exe

lsass.exe

services.exe

smss.exe

norBtok.exe

cvt.exe

IDTemplate.exe

3D Animation.scr

A.kotnorB.com

Empty.pif

KANGEN.EXE

winlogon.exe

The Worm.Brontok also changes the registry run section so it may load automatically on subsequent startups. Below are the registry modifications:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus = "%UserProfile%\Application Data\smss.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Bron-Spizaetus = "%Windows%\INF\norBtok.exe"

Worm.Brontok can disable the user's system registry tools and the command line (cmd.exe) in order to avoid detection and to make manual removal difficult. Worm.Brontok is a malicious worm and should be removed from the users PC immediately.

Aliases

15 security vendors flagged this file as malicious.

Anti-Virus Software Detection
TrendMicro WORM_RONTOKBRO.H
Sophos W32/Brontok-DB
Panda W32/Brontok.CX.worm
NOD32 Win32/Brontok.G
Microsoft Worm:Win32/Brontok@mm
Fortinet W32/Rontokbro.H@mm
eTrust-Vet Win32/Robknot.H
DrWeb BackDoor.Generic.2341
Comodo Worm.Win32.Brontok.G
ClamAV Worm.Brontok.Y
BitDefender Worm.Generic.73749
Avast Win32:Rontokbr-H2
Authentium W32/Brontok.D@mm
AntiVir Worm/Rontok.D
AhnLab-V3 Win-Trojan/Xema.variant

SpyHunter Detects & Remove Worm.Brontok

File System Details

Worm.Brontok may create the following file(s):
# File Name MD5 Detections
1. NetMailTmp.bin c943ae4292f2ea5d3a9fea05d9af4039 26,459
2. Bron.tok.A8.em.bin 7b41ac483cfde60a7467a338d8f76175 6,248
3. sempalong.exe 181ac164444c9d56b22507e7f7d258a6 3,454
4. bronstab.exe 14e039f1d469c0a1e05b3a9aea370f41 349
5. sempalong.exe 27cf6bbe068dac970c7f9c7eb5768aaa 233
6. bronstab.exe 24a16f71bad9e8ae83246abea4ac4a66 154
7. sempalong.exe 4c0c85d815a2dc079bb21c7f31950f58 60
8. RakyatKelaparan.exe cddb5bd741c5e40d515ac0fd49c558fa 34
9. sempalong.exe dd751f23e4146922ba02d4eed1e1ad6a 31
10. bronstab.exe 69c0f1dcbee67fe99fbb571b61761f43 30
11. sempalong.exe 0b0f915ac3aae72ce408cf976d91fdf2 30
12. sempalong.exe a6c7b2e3c8db29ccab3baa206329713f 25
13. sempalong.exe 1e1ae4a10fd99320db3c9a9158d6071a 24
14. sempalong.exe 99644a26400105721817196f958c3a17 23
15. sempalong.exe 69d08df1444e33e4d6934f7ab44034bf 22
16. sempalong.exe 66573046fb8f3c7e179b4dbd6fa9ec84 22
17. sempalong.exe b090fdfc4942fc1c9191c48ac537e95f 21
18. sempalong.exe 9a6aedf8ad4514c3be627996845a51c4 16
19. sempalong.exe fa92ffcbfb0b56be12fd6b0b03482cca 12
20. sempalong.exe 7f51a975f282d62526b3477f6c8509b2 9
21. file.exe 6c08bd41f70d51662df04eb4ecd2f9ee 0
22. file.exe 11e1ca436a0389f9518ffa9ffe459912 0
23. file.exe 4bd356e923aa748e4c01832452f7ec5c 0
24. file.exe f930413f494fe63ad01487916c617563 0
25. file.exe e042a3dc5132a3e9dd2be0cbbd9d7345 0
26. file.exe 5aaec9b80e0e8015ea8cede7fc589e6f 0
27. file.exe f144bdfdc94b83440841e91d8a589368 0
28. file.exe b9a894d0f76966512e5472a37777eb8c 0
29. j6235022.exe 3fc2a99453a99947672585715c815032 0
More files

Registry Details

Worm.Brontok may create the following registry entry or registry entries:
File name without path
about.Brontok.A.html
brengkolang.com
BronFoldNetDomList.txt
BronNetDomList.bat
BronNPath0.txt
bronstab.exe
bronstab.exe
Cara Membasmi Brontok.exe
eksplorasi.pif
Kosong.Bron.Tok.txt
Sejarah Pembuat Virus Brontok.exe
WowTumpeh.com
yesbron.com
Regexp file mask
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif
%APPDATA%\Microsoft\Windows\Templates\A.kotnorB.com
%LOCALAPPDATA%\[RANDOM CHARACTERS]bron.tok[RANDOM CHARACTERS].bin
%LOCALAPPDATA%\inetinfo.exe
%LOCALAPPDATA%\JunkAtx.bin
%LOCALAPPDATA%\ListHost[NUMBERS].txt
%LOCALAPPDATA%\lsass.exe
%LOCALAPPDATA%\services.exe
%LOCALAPPDATA%\winlogon.exe
%USERPROFILE%\Local Settings\Application Data\[RANDOM CHARACTERS]bron.tok[RANDOM CHARACTERS].bin
%USERPROFILE%\Local Settings\Application Data\inetinfo.exe
%USERPROFILE%\Local Settings\Application Data\JunkAtx.bin
%UserProfile%\Local Settings\Application Data\ListHost[NUMBERS].txt
%USERPROFILE%\Local Settings\Application Data\lsass.exe
%USERPROFILE%\Local Settings\Application Data\services.exe
%UserProfile%\Local Settings\Application Data\winlogon.exe
%WINDIR%\eksplorasi.exe
%WINDIR%\inf\norBtok.exe
%WINDIR%\KesenjanganSosial.exe
%WINDIR%\ShellNew\bbm-[RANDOM CHARACTERS].exe
%WINDIR%\ShellNew\bronstab.exe
%WINDIR%\ShellNew\RakyatKelaparan.exe
%WINDIR%\ShellNew\sempalong.exe
%WINDIR%\System32\IExplorer.exe
%WINDIR%\System32\shell.exe
%WINDIR%\SysWOW64\IExplorer.exe
%WINDIR%\SysWOW64\shell.exe
Software\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus
Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus
Run keys
Tok-Cirrhatus
Tok-Cirrhatus-1761
Tok-Cirrhatus-1860

Directories

Worm.Brontok may create the following directory or directories:

%LOCALAPPDATA%\Loc.Mail.Bron.Tok
%LOCALAPPDATA%\Ok-SendMail-Bron-tok
%USERPROFILE%\Local Settings\Application Data\Loc.Mail.Bron.Tok
%USERPROFILE%\Local Settings\Application Data\Ok-SendMail-Bron-tok
%WINDIR%\SysWOW64\n4431

Related Posts

Trending

Most Viewed

Loading...