F-Secure Malware Information Pages: Net-Worm:W32/Brontok.B

Summary
Net-Worm:W32/Brontok.B copies a file to the Windows folder, creates a Registry key to start the file automatically, and copies itself to startup folders.
Net-Worm:W32/Brontok.B disables certain features of the operating system.
Disinfection
To fix executable file associations after disinfection please download and run the following Registry fix:
ftp://ftp.f-secure.com/anti-virus/tools/brontok_fix.reg
Detailed Description
On execution, the first noticeable effect of this malware is that applications such as CMD, regedit and other EXE files are terminated.
The following files are dropped:
- C:\AUTORUN.INF
- C:\Documents and Settings\\Local Settings\Temp\~DF1A17.tmp
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif
- C:\WINDOWS\Autorun.inf
- C:\WINDOWS\Web\shell.exe
- C:\WINDOWS\winme.exe
- C:\winme.exe
To automatically start with Windows, the following registry entry is created:
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  winme = C:\WINDOWS\winme.exe
Added registry entry:
- [HKCR\lnkfile\shell\open\command]
  (default) = "C:\WINDOWS\web\shell.exe" "%1" %*
It also modifies these registry entries with the following data:
- [HKCR\batfile\shell\open\command]
  (default) = "C:\WINDOWS\web\shell.exe" "%1" %*
- [HKCR\comfile\shell\open\command]
  (default) = "C:\WINDOWS\web\shell.exe" "%1" %*
- [HKCR\exefile\shell\open\command]
  (default) = "C:\WINDOWS\web\shell.exe" "%1" %*
- [HKCR\piffile\shell\open\command]
  (default) = "C:\WINDOWS\web\shell.exe" "%1" %*
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  Hidden = 1
  HideFileExt = 1
  ShowSuperHidden = 1
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  DisableTaskMgr = 1
  DisableRegistryTools = 1
  DisableCMD = 1
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  Nofolderoptions = 1
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
  DisableTaskMgr = 1
  DisableRegistryTools = 1
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
  NoFolderOptions = 1
- [HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer]
  DisableMSI = 1
- [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
  DisableConfig = 1
  DisableSR = 1
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  Shell = Explorer.exe "C:\WINDOWS\winme.exe"
  Userinit = C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\winme.exe
- [HKLM\SYSTEM\ControlSet001\Control\SafeBoot]
  AlternateShell = C:\WINDOWS\winme.exe
- [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
  AlternateShell = C:\WINDOWS\winme.exe
Processes with the following strings in their names are also terminated by this malware:
- ANT
- ASM
- AVAST
- BUG
- CONF
- CONSO
- DBG
- DETEC
- INSTALL
- KASP
- MCAFEE
- NOD
- NORTON
- NTVDM
- OPEN
- PLAY
- PROC
- REG
- REMOV
- SCAN
- SECUR
- SUPPO
- TASK
- UPDAT
- UPG
- VIR
- W32
- WALK
It may also open a browser attempting to connect to the following URLs:
- http://security.symantec.com
- http://www.symantec.com
It will also create AUTORUN.INF files and copy itself to available removable media (USB drives) to allow itself to propagate.
Furthermore, this malware will not make any system changes if its filename is any of the following:
- AutoPro.exe
- mdefault.exe
- mcagent.exe
- mcshield.exe
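As an added illustration that is not part of F-Secure's description or its disinfection tool, the following Python audits a `reg export` dump for the file-association hijack, Winlogon and policy-lockout changes listed above. The `.reg` text is a constructed sample modelled on those entries, and the clean values it compares against (`"%1" %*` for the open commands, `Explorer.exe` as the shell, a single `userinit.exe` entry in Userinit) are assumed from a stock Windows XP installation.

```python
import re

# Clean Windows XP values for the keys Brontok.B rewrites; any deviation is a finding.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LOCKOUTS = {"DisableTaskMgr", "DisableRegistryTools", "DisableCMD", "NoFolderOptions",
            "DisableSR", "DisableConfig", "DisableMSI"}

def parse_reg(text):  # .reg export text -> {key: {value_name: data}}
    hives, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            hives.setdefault(key, {})
        elif key and "=" in line and line[0] in '"@':
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                hives[key][name] = int(data[6:], 16)
            else:  # REG_SZ: drop the outer quotes, undo .reg escaping of \" and \\
                hives[key][name] = re.sub(r'\\(["\\])', r"\1", data[1:-1])
    return hives

def audit(hives):  # findings for the associations, logon shell and policy lockouts above
    findings = []
    for ext in ("exefile", "batfile", "comfile", "piffile"):
        cmd = hives.get(rf"HKEY_CLASSES_ROOT\{ext}\shell\open\command", {}).get("(default)")
        if cmd is not None and cmd != '"%1" %*':  # clean default runs the file itself
            findings.append(f"{ext} open command hijacked: {cmd}")
    wl = hives.get(WINLOGON, {})
    if wl.get("Shell", "Explorer.exe").lower() != "explorer.exe":
        findings.append(f"Winlogon Shell altered: {wl['Shell']}")
    if "," in wl.get("Userinit", "").rstrip(","):  # clean value is a single userinit.exe entry
        findings.append(f"Winlogon Userinit altered: {wl['Userinit']}")
    for key, values in hives.items():
        for name in sorted(LOCKOUTS & set(values)):
            if values[name] == 1:
                findings.append(f"{name}=1 under {key}")
    return findings

# Constructed sample export modelled on the entries listed above (not a real capture).
SAMPLE_REG = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\web\\shell.exe\" \"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\winme.exe\""
"Userinit"="C:\\WINDOWS\\System32\\userinit.exe,C:\\WINDOWS\\winme.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001'''
```

Running `audit(parse_reg(SAMPLE_REG))` reports the hijacked exefile command, the altered Shell and Userinit values and the DisableTaskMgr lockout, while the untouched batfile entry produces no finding.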
Detection
F-Secure Anti-Virus detects this malware with the following updates: [FSAV_Database_Version] Version = 2007-06-14_03.
F-Secure Corporation
Last Modified: June 15, 2007