Worm.Brontok
Threat Scorecard
Ranking: 2,994
Threat Level: 50% (Medium)
Infected Computers: 57,338
First Seen: July 24, 2009
Last Seen: October 22, 2024
OS(es) Affected: Windows
Worm.Brontok is a mass-mailing worm that spreads through an email attachment. The subject of the infected email will be either "Fotoku yg Paling Cantik" or "My Best Photo". The Worm.Brontok email reads:
From: "angelina_ph@[recipient’s domain]" or "jennifer_sh@[recipient’s domain]"
Subject: "Fotoku yg Paling Cantik" or "My Best Photo"
Message text:
"Hi,
Aku lg iseng aja pengen kirim foto ke kamu.
Jangan lupain aku ya !.
Thanks"
or
"Hi,
I want to share my photo with you.
Wishing you all the best.
Regards,"
Attachment name: Photo.zip
Once the Worm.Brontok file is executed, it copies itself to the Windows system folder and to other folders under file names such as:
csrss.exe
inetinfo.exe
lsass.exe
services.exe
smss.exe
norBtok.exe
cvt.exe
IDTemplate.exe
3D Animation.scr
A.kotnorB.com
Empty.pif
KANGEN.EXE
winlogon.exe
Worm.Brontok also changes the registry Run keys so that it may load automatically on subsequent startups. Below are the registry modifications:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Tok-Cirrhatus = "%UserProfile%\Application Data\smss.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus = "%Windows%\INF\norBtok.exe"
Worm.Brontok can disable the user's system registry tools and the command line (cmd.exe) in order to avoid detection and to make manual removal difficult. Worm.Brontok is a malicious worm and should be removed from the user's PC immediately.
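A check for the Run-key persistence described above, as an added example that is not EnigmaSoft's code: it parses `reg query` output and flags the two value names listed on this page. It also goes one step further and flags any autorun whose image borrows a Windows system process name from the drop list but sits outside System32. The sample output, the user name and the function names are constructed for illustration.

```python
import ntpath
import re

# Run-value names this page lists for Worm.Brontok.
KNOWN_VALUE_NAMES = {"tok-cirrhatus", "bron-spizaetus"}
# System process names from the page's drop list; the genuine binaries
# live only in %SystemRoot%\System32.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe"}
ENTRY = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
IMAGE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|scr|pif|com))\b', re.IGNORECASE)

# Constructed sample in the layout printed by `reg query <key>`.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Tok-Cirrhatus    REG_SZ    C:\Documents and Settings\alice\Application Data\smss.exe
    Updater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    Helper    REG_SZ    C:\Users\alice\AppData\Roaming\lsass.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Bron-Spizaetus    REG_SZ    C:\WINDOWS\INF\norBtok.exe
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

def parse_reg_query(text):
    """Return (key, value_name, data) for every value in `reg query` output."""
    key, rows = None, []
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := ENTRY.match(line)):
            rows.append((key, m.group(1), m.group(3).strip()))
    return rows

def flag_run_entries(rows):
    """Return (value_name, reason) for autoruns matching the page's description."""
    findings = []
    for _key, name, data in rows:
        m = IMAGE.match(data)
        image = (m.group(1) or m.group(2)) if m else data
        folder = ntpath.dirname(image).lower().rstrip("\\")
        if name.lower() in KNOWN_VALUE_NAMES:
            findings.append((name, "value name listed for Worm.Brontok"))
        elif ntpath.basename(image).lower() in SYSTEM_NAMES and not folder.endswith("\\system32"):
            findings.append((name, "system process name outside System32"))
    return findings

if __name__ == "__main__":
    for name, reason in flag_run_entries(parse_reg_query(SAMPLE)):
        print(f"{name}: {reason}")
```

Because the worm can disable the registry tools and cmd.exe on a live host, the `reg query` text is best collected from an offline hive or a remote session and then passed to `parse_reg_query`.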
Aliases
15 security vendors flagged this file as malicious.
Anti-Virus Software | Detection |
---|---|
TrendMicro | WORM_RONTOKBRO.H |
Sophos | W32/Brontok-DB |
Panda | W32/Brontok.CX.worm |
NOD32 | Win32/Brontok.G |
Microsoft | Worm:Win32/Brontok@mm |
Fortinet | W32/Rontokbro.H@mm |
eTrust-Vet | Win32/Robknot.H |
DrWeb | BackDoor.Generic.2341 |
Comodo | Worm.Win32.Brontok.G |
ClamAV | Worm.Brontok.Y |
BitDefender | Worm.Generic.73749 |
Avast | Win32:Rontokbr-H2 |
Authentium | W32/Brontok.D@mm |
AntiVir | Worm/Rontok.D |
AhnLab-V3 | Win-Trojan/Xema.variant |
File System Details
Registry Details
Directories
Worm.Brontok may create the following directory or directories:
%LOCALAPPDATA%\Loc.Mail.Bron.Tok
%LOCALAPPDATA%\Ok-SendMail-Bron-tok
%USERPROFILE%\Local Settings\Application Data\Loc.Mail.Bron.Tok
%USERPROFILE%\Local Settings\Application Data\Ok-SendMail-Bron-tok
%WINDIR%\SysWOW64\n4431