Tools
Email-Worm:W32/Brontok.N
Summary
Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Additional Details
Email-Worm:W32/Brontok.N is a complex e-mail worm that also disables anti-virus software, creates multiple copies of itself on a local hard disk, and takes measures to make its removal difficult.
Brontok.N was found at the end of March 2006.
Installation
After the worm's file is started, it copies itself with different names to different folders on a local hard drive. The file names can be semi-randomly generated or they can be any of the following:
- csrss.exe
- inetinfo.exe
- lsass.exe
- services.exe
- smss.exe
- winlogon.exe
Some of the worm's files have hidden, system, and read-only attributes. The worm can create its files with COM, EXE, and PIF extensions. Brontok worm creates multiple launch points for the copied files. Those include startup Registry keys as well as scheduled jobs. For example:
- Status ID Day Time Command Line
-------------------------------------------------------------------------------
1 Each M T W Th F S Su 5:08 PM "C:\Documents and Settings\User\Local Settings\Application Data\jalak-931976415-bali.com"
2 Each M T W Th F S Su 11:03 AM "C:\Documents and Settings\User\Local Settings\Application Data\jalak-931976415-bali.com"
Additionally, the worm creates a few text files on a local hard disk. The file named baca bro !!!.txt that is created in the root of the system drive has the following text:
- BRONTOK.C[22]
Sedikit Jawaban u/ Membungkam Mulut Sesumbar 'MEREKA'.
Nobron = Satria Dungu = Nothing !!!
Romdil = Tukang Jiplak = Nothing !!!
Nobron & Romdil -->> Kicked by The Amazing Brontok
[ By JowoBot ]
The c.bron.tok.txt file contains the following text:
- Brontok.C
- By:JowoBot
The worm keeps several copies of itself in memory.
Propagation
The worm sends messages with the following subjects:
- Fotoku yg Paling Cantik
- My Best Photo
The message body text can be one of the following:
- Hi,
Aku lg iseng aja pengen kirim foto ke kamu.
Jangan lupain aku ya !.
Thanks, - Hi,
I want to share my photo with you.
Wishing you all the best.
Regards,
The attachment name is:
- photo.zip
To collect e-mail addresses to spread itself, the worm looks on drives from C: to Z for address in files with the following extensions:
- .asp
- .bat
- .cfm
- .com
- .com
- .csv
- .doc
- .eml
- .exe
- .htm
- .html
- .php
- .pif
- .ppt
- .scr
- .txt
- .wab
- .xls
The discovered addresses are checked against a rather large list of strings. If part of a discovered e-mail address matches an entry in that list, that e-mail address is discarded.
The worm creates folders named Spread.Mail.Bro and Spread.Sent.Bro in one of its hidden subfolders. The first folder contains the list of e-mail addresses that the worm harvested from the infected computer. Each e-mail address is represented by a file that has the same text as the c.bron.tok.txt file (see above).
When the worm sends an e-mail to an address, the corresponding file is moved to the second folder. This is done to avoid sending the worm to the same address multiple times.
Payload
In addition to its propagation efforts, the worm has a rather old-fashioned effect. It can show the following texts in the command prompt window:
The effect is shown after the worm terminates applications that have the following text strings in their window titles:
- ahnlab
- alwil
- anti
- avg
- avira
- b.e
- baca bro !!!
- bitdef
- BROWNIES
- bugil
- cewe
- cillin
- CLEANER
- cmd.exe
- command prompt
- commander
- computer management
- ertanto
- folder option
- group policy
- hijack
- kaspersky
- killbox
- killer
- mcafee
- movzx
- naked
- nod32
- norman
- norton
- pcmedia
- pc-media
- peid
- porn
- PROCESS EXP
- registry
- REMOVER
- robknot
- rontok
- rontox
- scheduled task
- sex
- symantec
- SYSINTERNAL
- system configuration
- task manager
- task view
- telanjang
- trendmicro
- trojan
- virus
- washer
- windows script
- wintask
- worm
The worm disables Task Manager, Registry Editor, and terminates applications that have the following text strings in their window titles:
- ahnlab
- aladdin
- Alicia
- Anti
- ash
- ashmaisv
- aswupdsv
- avast
- avg
- bitdef
- ccapp
- ccapps
- cclaw
- cillin
- ctfmon
- Dian
- diary
- dkernel
- foto
- grisoft
- hijack
- iexplorer
- kangen
- kaspersky
- kill
- lexplorer
- machine
- Mariana
- mcaf
- mcv
- movzx
- mspatch
- nipsvc
- njeeves
- nod32
- nopdb
- norman
- norton
- nvcoas
- opscan
- panda
- peid
- poproxy
- remove
- riyani
- Romantic
- rontok
- rontox
- services.com
- siti
- sstray
- symantec
- sysinter
- syslove
- systray
- trend
- tskmgr
- untukmu
- update
- virus
- vptray
- washer
- wscript
- xpshare
- zlh
The worm modifies Windows HOSTS file to block access to the following domains:
- 17tahun.com
- 17tahun.net
- 17tahun.org
- ae.trendmicro-europe.com
- ae.trendmicro-europe.net
- ae.trendmicro-europe.org
- antivirus.com
- anti-virus.com
- antivirus.net
- anti-virus.net
- antivirus.org
- anti-virus.org
- backup.grisoft.com
- backup.grisoft.net
- backup.grisoft.org
- bhs.com
- bhs.net
- bhs.org
- blog.compactbyte.com
- blog.compactbyte.net
- blog.compactbyte.org
- blogs.compactbyte.com
- blogs.compactbyte.net
- blogs.compactbyte.org
- ca.com
- ca.net
- ca.org
- castlecops.com
- castlecops.net
- castlecops.org
- cheyenne.com
- cheyenne.net
- cheyenne.org
- compactbyte.com
- compactbyte.net
- compactbyte.org
- datafellows.com
- datafellows.net
- datafellows.org
- download.mcafee.com
- download.mcafee.net
- download.mcafee.org
- downloads1.kaspersky-labs.com
- downloads1.kaspersky-labs.net
- downloads1.kaspersky-labs.org
- downloads2.kaspersky-labs.com
- downloads2.kaspersky-labs.net
- downloads2.kaspersky-labs.org
- downloads3.kaspersky-labs.com
- downloads3.kaspersky-labs.net
- downloads3.kaspersky-labs.org
- downloads4.kaspersky-labs.com
- downloads4.kaspersky-labs.net
- downloads4.kaspersky-labs.org
- esafe.com
- esafe.net
- esafe.org
- europe.f-secure.com
- europe.f-secure.net
- europe.f-secure.org
- fajarweb.com
- fajarweb.net
- fajarweb.org
- forum.vaksin.com
- forum.vaksin.net
- forum.vaksin.org
- free-av.com
- free-av.net
- free-av.org
- f-secure.com
- f-secure.net
- f-secure.org
- grisoft.com
- grisoft.net
- grisoft.org
- icubed.com
- icubed.net
- icubed.org
- infokomputer.com
- infokomputer.net
- infokomputer.org
- it.trendmicro-europe.com
- it.trendmicro-europe.net
- it.trendmicro-europe.org
- jasakom.com
- jasakom.net
- jasakom.org
- jeruk.padinet.com
- jeruk.padinet.net
- jeruk.padinet.org
- kaskus.com
- kaskus.net
- kaskus.org
- kaspersky.com
- kaspersky.net
- kaspersky.org
- kaspersky-labs.com
- kaspersky-labs.net
- kaspersky-labs.org
- liveupdate.symantec.com
- liveupdate.symantec.net
- liveupdate.symantec.org
- liveupdate.symantecliveupdate.com
- liveupdate.symantecliveupdate.net
- liveupdate.symantecliveupdate.org
- mcafee.com
- mcafee.net
- mcafee.org
- mcafeeb2b.com
- mcafeeb2b.net
- mcafeeb2b.org
- mcafeesecurity.com
- mcafeesecurity.net
- mcafeesecurity.org
- nai.com
- nai.net
- nai.org
- norman.com
- norman.net
- norman.org
- norton.com
- norton.net
- norton.org
- ontrack.com
- ontrack.net
- ontrack.org
- padinet.com
- padinet.net
- padinet.org
- pandasoftware.com
- pandasoftware.net
- pandasoftware.org
- perantivirus.com
- perantivirus.net
- perantivirus.org
- playboy.com
- playboy.net
- playboy.org
- pornstargals.com
- pornstargals.net
- pornstargals.org
- sands.com
- sands.net
- sands.org
- sarc.com
- sarc.net
- sarc.org
- secunia.com
- secunia.net
- secunia.org
- securityresponse.symantec.com
- securityresponse.symantec.net
- securityresponse.symantec.org
- sex-mission.com
- sex-mission.net
- sex-mission.org
- sophos.com
- sophos.net
- sophos.org
- symantec.com
- symantec.net
- symantec.org
- trendmicro.com
- trendmicro.net
- trendmicro.org
- trendmicro-europe.com
- trendmicro-europe.net
- trendmicro-europe.org
- update.symantec.com
- update.symantec.net
- update.symantec.org
- vaksin.com
- vaksin.net
- vaksin.org
- vil.nai.com
- vil.nai.net
- vil.nai.org
- virustotal.com
- virustotal.net
- virustotal.org
- winantivirus.com
- winantivirus.net
- winantivirus.org
- www.17tahun.com
- www.17tahun.net
- www.17tahun.org
- www.ae.trendmicro-europe.com
- www.ae.trendmicro-europe.net
- www.ae.trendmicro-europe.org
- www.antivirus.com
- www.anti-virus.com
- www.antivirus.net
- www.anti-virus.net
- www.antivirus.org
- www.anti-virus.org
- www.backup.grisoft.com
- www.backup.grisoft.net
- www.backup.grisoft.org
- www.bhs.com
- www.bhs.net
- www.bhs.org
- www.blog.compactbyte.com
- www.blog.compactbyte.net
- www.blog.compactbyte.org
- www.blogs.compactbyte.com
- www.blogs.compactbyte.net
- www.blogs.compactbyte.org
- www.ca.com
- www.ca.net
- www.ca.org
- www.castlecops.com
- www.castlecops.net
- www.castlecops.org
- www.cheyenne.com
- www.cheyenne.net
- www.cheyenne.org
- www.compactbyte.com
- www.compactbyte.net
- www.compactbyte.org
- www.datafellows.com
- www.datafellows.net
- www.datafellows.org
- www.download.mcafee.com
- www.download.mcafee.net
- www.download.mcafee.org
- www.downloads1.kaspersky-labs.com
- www.downloads1.kaspersky-labs.net
- www.downloads1.kaspersky-labs.org
- www.downloads2.kaspersky-labs.com
- www.downloads2.kaspersky-labs.net
- www.downloads2.kaspersky-labs.org
- www.downloads3.kaspersky-labs.com
- www.downloads3.kaspersky-labs.net
- www.downloads3.kaspersky-labs.org
- www.downloads4.kaspersky-labs.com
- www.downloads4.kaspersky-labs.net
- www.downloads4.kaspersky-labs.org
- www.esafe.com
- www.esafe.net
- www.esafe.org
- www.europe.f-secure.com
- www.europe.f-secure.net
- www.europe.f-secure.org
- www.fajarweb.com
- www.fajarweb.net
- www.fajarweb.org
- www.forum.vaksin.com
- www.forum.vaksin.net
- www.forum.vaksin.org
- www.free-av.com
- www.free-av.net
- www.free-av.org
- www.f-secure.com
- www.f-secure.net
- www.f-secure.org
- www.grisoft.com
- www.grisoft.net
- www.grisoft.org
- www.icubed.com
- www.icubed.net
- www.icubed.org
- www.infokomputer.com
- www.infokomputer.net
- www.infokomputer.org
- www.it.trendmicro-europe.com
- www.it.trendmicro-europe.net
- www.it.trendmicro-europe.org
- www.jasakom.com
- www.jasakom.net
- www.jasakom.org
- www.jeruk.padinet.com
- www.jeruk.padinet.net
- www.jeruk.padinet.org
- www.kaskus.com
- www.kaskus.net
- www.kaskus.org
- www.kaspersky.com
- www.kaspersky.net
- www.kaspersky.org
- www.kaspersky-labs.com
- www.kaspersky-labs.net
- www.kaspersky-labs.org
- www.liveupdate.symantec.com
- www.liveupdate.symantec.net
- www.liveupdate.symantec.org
- www.liveupdate.symantecliveupdate.com
- www.liveupdate.symantecliveupdate.net
- www.liveupdate.symantecliveupdate.org
- www.mcafee.com
- www.mcafee.net
- www.mcafee.org
- www.mcafeeb2b.com
- www.mcafeeb2b.net
- www.mcafeeb2b.org
- www.mcafeesecurity.com
- www.mcafeesecurity.net
- www.mcafeesecurity.org
- www.nai.com
- www.nai.net
- www.nai.org
- www.norman.com
- www.norman.net
- www.norman.org
- www.norton.com
- www.norton.net
- www.norton.org
- www.ontrack.com
- www.ontrack.net
- www.ontrack.org
- www.padinet.com
- www.padinet.net
- www.padinet.org
- www.pandasoftware.com
- www.pandasoftware.net
- www.pandasoftware.org
- www.perantivirus.com
- www.perantivirus.net
- www.perantivirus.org
- www.playboy.com
- www.playboy.net
- www.playboy.org
- www.pornstargals.com
- www.pornstargals.net
- www.pornstargals.org
- www.sands.com
- www.sands.net
- www.sands.org
- www.sarc.com
- www.sarc.net
- www.sarc.org
- www.secunia.com
- www.secunia.net
- www.secunia.org
- www.securityresponse.symantec.com
- www.securityresponse.symantec.net
- www.securityresponse.symantec.org
- www.sex-mission.com
- www.sex-mission.net
- www.sex-mission.org
- www.sophos.com
- www.sophos.net
- www.sophos.org
- www.symantec.com
- www.symantec.net
- www.symantec.org
- www.trendmicro.com
- www.trendmicro.net
- www.trendmicro.org
- www.trendmicro-europe.com
- www.trendmicro-europe.net
- www.trendmicro-europe.org
- www.update.symantec.com
- www.update.symantec.net
- www.update.symantec.org
- www.vaksin.com
- www.vaksin.net
- www.vaksin.org
- www.vil.nai.com
- www.vil.nai.net
- www.vil.nai.org
- www.virustotal.com
- www.virustotal.net
- www.virustotal.org
- www.winantivirus.com
- www.winantivirus.net
- www.winantivirus.org