Worm.Brontok

By GoldSparrow in Worms

Translate To:

Threat Scorecard

Ranking:	2,086
Threat Level:	50 % (Medium)
Infected Computers:	57,872

First Seen:	July 24, 2009
Last Seen:	May 20, 2025
OS(es) Affected:	Windows

Worm.Brontok is a mass mailing worm that is spread through an email attachment. The subject of the infected email will be either "Fotoku yg Paling Cantik" or "My Best Photo". The Worm.Brontok's email text reads:

From: "angelina_ph@[recipientâ€™s domain]" or "jennifer_sh@[recipientâ€™s domain]"

Subject: "Fotoku yg Paling Cantik" or "My Best Photo"

Message text:

"Hi,

Aku lg iseng aja pengen kirim foto ke kamu.

Jangan lupain aku ya !.

Thanks"

"Hi,

I want to share my photo with you.

Wishing you all the best.

Regards,"

Attachment name: Photo.zip

Once the Worm.Brontok file is executed it replicates itself to Windows system folder and to other folders such as:

csrss.exe

inetinfo.exe

lsass.exe

services.exe

smss.exe

norBtok.exe

cvt.exe

IDTemplate.exe

3D Animation.scr

A.kotnorB.com

Empty.pif

KANGEN.EXE

winlogon.exe

The Worm.Brontok also changes the registry run section so it may load automatically on subsequent startups. Below are the registry modifications:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus = "%UserProfile%\Application Data\smss.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Bron-Spizaetus = "%Windows%\INF\norBtok.exe"

Worm.Brontok can disable the user's system registry tools and the command line (cmd.exe) in order to avoid detection and to make manual removal difficult. Worm.Brontok is a malicious worm and should be removed from the users PC immediately.

Table of Contents

Aliases

15 security vendors flagged this file as malicious.

Anti-Virus Software	Detection
TrendMicro	WORM_RONTOKBRO.H
Sophos	W32/Brontok-DB
Panda	W32/Brontok.CX.worm
NOD32	Win32/Brontok.G
Microsoft	Worm:Win32/Brontok@mm
Fortinet	W32/Rontokbro.H@mm
eTrust-Vet	Win32/Robknot.H
DrWeb	BackDoor.Generic.2341
Comodo	Worm.Win32.Brontok.G
ClamAV	Worm.Brontok.Y
BitDefender	Worm.Generic.73749
Avast	Win32:Rontokbr-H2
Authentium	W32/Brontok.D@mm
AntiVir	Worm/Rontok.D
AhnLab-V3	Win-Trojan/Xema.variant

SpyHunter Detects & Remove Worm.Brontok

File System Details

Worm.Brontok may create the following file(s):

Expand All | Collapse All

#	File Name	MD5	Detections Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
1.	NetMailTmp.bin	c943ae4292f2ea5d3a9fea05d9af4039	26,748
Name: NetMailTmp.bin MD5: c943ae4292f2ea5d3a9fea05d9af4039 Size: 51B (51 bytes) Detections: 26,748 Type: Binary File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Local\NetMailTmp.bin Group: Malware file Last Updated: May 20, 2025
2.	Bron.tok.A8.em.bin	7b41ac483cfde60a7467a338d8f76175	6,248
Name: Bron.tok.A8.em.bin MD5: 7b41ac483cfde60a7467a338d8f76175 Size: 6.75 KB (6751 bytes) Detections: 6,248 Type: Binary File Path: %SystemDrive%\Documents and Settings\sona\Local Settings\Application Data Group: Malware file Last Updated: July 21, 2016
3.	A.kotnorB.com	11c8a4a807073ccf7734288293c50407	205
Name: A.kotnorB.com MD5: 11c8a4a807073ccf7734288293c50407 Size: 81.92 KB (81920 bytes) Detections: 205 Type: Command, executable file Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Templates\A.kotnorB.com Group: Malware file Last Updated: April 5, 2025
4.	bronstab.exe	24a16f71bad9e8ae83246abea4ac4a66	154
Name: bronstab.exe MD5: 24a16f71bad9e8ae83246abea4ac4a66 Size: 127.48 KB (127488 bytes) Detections: 154 Type: Executable File Path: %WINDIR%\ShellNew Group: Malware file Last Updated: November 17, 2016
5.	sempalong.exe	4c0c85d815a2dc079bb21c7f31950f58	60
Name: sempalong.exe MD5: 4c0c85d815a2dc079bb21c7f31950f58 Size: 123.39 KB (123392 bytes) Detections: 60 Type: Executable File Path: %WINDIR%\ShellNew Group: Malware file Last Updated: April 13, 2017
6.	RakyatKelaparan.exe	cddb5bd741c5e40d515ac0fd49c558fa	34
Name: RakyatKelaparan.exe MD5: cddb5bd741c5e40d515ac0fd49c558fa Size: 126.97 KB (126976 bytes) Detections: 34 Type: Executable File Path: %WINDIR%\ShellNew Group: Malware file Last Updated: November 17, 2016
7.	smss.exe	0d02610d508d6db137585c40596e9b19	32
Name: smss.exe MD5: 0d02610d508d6db137585c40596e9b19 Size: 1.22 MB (1228800 bytes) Detections: 32 Type: Executable File Path: %LOCALAPPDATA% Group: Malware file Last Updated: August 6, 2016
8.	winlogon.exe	a575dd2441173753bb7a0c058d8b1aef	0
Name: winlogon.exe MD5: a575dd2441173753bb7a0c058d8b1aef Size: 111.61 KB (111616 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: December 11, 2009
9.	csrss.exe	9488b369de58ae7abb9d2a37c8d67745	0
Name: csrss.exe MD5: 9488b369de58ae7abb9d2a37c8d67745 Size: 31.23 KB (31232 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: January 26, 2010
10.	SERVICES.exe	d32e51ada4d466ae9ff7fbf70962913c	0
Name: SERVICES.exe MD5: d32e51ada4d466ae9ff7fbf70962913c Size: 24.57 KB (24576 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: March 8, 2010
11.	lsass.exe	08f906036eba5d81efad7b1a932b5d56	0
Name: lsass.exe MD5: 08f906036eba5d81efad7b1a932b5d56 Size: 115.71 KB (115712 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: April 15, 2010
12.	file.exe	b9a894d0f76966512e5472a37777eb8c	0
Name: file.exe MD5: b9a894d0f76966512e5472a37777eb8c Size: 272.12 KB (272128 bytes) Detections: 0 Type: Executable File Group: Malware file
13.	j6235022.exe	3fc2a99453a99947672585715c815032	0
Name: j6235022.exe MD5: 3fc2a99453a99947672585715c815032 Size: 64 KB (64000 bytes) Detections: 0 Type: Executable File Path: %WINDIR%\j6235022.exe Group: Malware file Last Updated: June 26, 2020

More files

Registry Details

Worm.Brontok may create the following registry entry or registry entries:

File name without path

about.Brontok.A.html

brengkolang.com

BronFoldNetDomList.txt

BronNetDomList.bat

BronNPath0.txt

bronstab.exe

Cara Membasmi Brontok.exe

eksplorasi.pif

Kosong.Bron.Tok.txt

Sejarah Pembuat Virus Brontok.exe

WowTumpeh.com

yesbron.com

Regexp file mask

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif

%APPDATA%\Microsoft\Windows\Templates\A.kotnorB.com

%LOCALAPPDATA%\[RANDOM CHARACTERS]bron.tok[RANDOM CHARACTERS].bin

%LOCALAPPDATA%\inetinfo.exe

%LOCALAPPDATA%\JunkAtx.bin

%LOCALAPPDATA%\ListHost[NUMBERS].txt

%LOCALAPPDATA%\lsass.exe

%LOCALAPPDATA%\services.exe

%LOCALAPPDATA%\winlogon.exe

%USERPROFILE%\Local Settings\Application Data\[RANDOM CHARACTERS]bron.tok[RANDOM CHARACTERS].bin

%USERPROFILE%\Local Settings\Application Data\inetinfo.exe

%USERPROFILE%\Local Settings\Application Data\JunkAtx.bin

%UserProfile%\Local Settings\Application Data\ListHost[NUMBERS].txt

%USERPROFILE%\Local Settings\Application Data\lsass.exe

%USERPROFILE%\Local Settings\Application Data\services.exe

%UserProfile%\Local Settings\Application Data\winlogon.exe

%WINDIR%\eksplorasi.exe

%WINDIR%\inf\norBtok.exe

%WINDIR%\KesenjanganSosial.exe

%WINDIR%\ShellNew\bbm-[RANDOM CHARACTERS].exe

%WINDIR%\ShellNew\bronstab.exe

%WINDIR%\ShellNew\RakyatKelaparan.exe

%WINDIR%\ShellNew\sempalong.exe

%WINDIR%\System32\IExplorer.exe

%WINDIR%\System32\shell.exe

%WINDIR%\SysWOW64\IExplorer.exe

%WINDIR%\SysWOW64\shell.exe

HKEY..\..\..\..{RegistryKeys}

Software\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus

Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus

Run keys

Tok-Cirrhatus

Tok-Cirrhatus-1761

Tok-Cirrhatus-1860

Directories

Worm.Brontok may create the following directory or directories:

%LOCALAPPDATA%\Loc.Mail.Bron.Tok

%LOCALAPPDATA%\Ok-SendMail-Bron-tok

%USERPROFILE%\Local Settings\Application Data\Loc.Mail.Bron.Tok

%USERPROFILE%\Local Settings\Application Data\Ok-SendMail-Bron-tok

%WINDIR%\SysWOW64\n4431

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Worm.Brontok

Threat Scorecard

EnigmaSoft Threat Scorecard

Aliases

SpyHunter Detects & Remove Worm.Brontok

File System Details

Registry Details

Directories

Submit Comment

Related Posts

Worm.Brontok.L@mm

Worm.Brontok.DC

Worm.Brontok.B@mm

Worm.Brontok.N@mm

Worm.Brontok.BJ

Worm.Brontok.AK@mm

Trending

Penadclub.com

PDFast

Analdin.com

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

Discord Is Stuck on Gray Screen

Discord Shows Black Screen when Sharing Screen