WORM_BRONTOK.AE

 Analysis by: Marfel Tiamzon

 ALIASES:

Kaspersky: Virus.Win32.VB.mp, Backdoor.Win32.IRCBot.pbr, Virus.Win32.VB.bg; Microsoft: Worm:Win32/Brontok.FFV; Norton: W32.SillyFDC

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This worm arrives on a system when an infected removable drive is connected to it. It can also arrive as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops copies of itself in all removable drives.

  TECHNICAL DETAILS

File Size:

49,152 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

12 Oct 2011

Arrival Details

This worm arrives on a system when an infected removable drive is connected to it.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following files:

  • %System Root%\msvbvm60.dll
  • %System%\dllchache\msvbvm60.dll
  • %System%\dllcache\msvbvm60.dll
  • %System Root%\(Read Me)Pendekar Blank.txt

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System32.)

It drops the following copies of itself into the affected system:

  • %System%\dllchache\Zero.txt
  • %System%\dllchache.exe
  • %System%\dllchache\Unoccupied.reg
  • %System%\dllcache\Shell32.com
  • %System%\rund1132.exe
  • %System%\M5VBVM60.EXE
  • %System%\dllcache\Regedit32.com
  • %WINDOWS%\system32.exe
  • %System Root%\AUT0EXEC.BAT
  • %System%\dllchache\Hole.zip
  • %System%\dllchache\Empty.jpg
  • %System%\dllchache\Blank.doc

It creates the following folders:

  • %System32%\dllchache

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Secure64 = "%System%\dllcache\Regedit32.com StartUp"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Secure32 = "%System%\dllcache\Shell32.com StartUp"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Blank AntiViri = "%System Root%\AUT0EXEC.BAT StartUp"

Other System Modifications

This worm modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_CLASSES_ROOT\comfile\shell\open\command
@ = "%System%\rund1132.exe %1"

(Note: The default value data of the said registry entry is "%1" %*.)

HKEY_CLASSES_ROOT\txtfile\shell\open\command
@ = "%System%\rund1132.exe %1"

(Note: The default value data of the said registry entry is %SystemRoot%\system32\NOTEPAD.EXE %1.)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
FullPath = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command
@ = "%System%\rund1132.exe %1"

(Note: The default value data of the said registry entry is "%1" %*.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command
@ = "%System%\rund1132.exe %1"

(Note: The default value data of the said registry entry is %SystemRoot%\system32\NOTEPAD.EXE %1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe, "%system%\M5VBVM60.EXE StartUp""

(Note: The default value data of the said registry entry is %System%\userinit.exe,.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell = "%System Root%\AUT0EXEC.BAT StartUp"

(Note: The default value data of the said registry entry is cmd.exe.)

Propagation

This worm drops copies of itself in all removable drives.

Dropping Routine

This worm sets the attributes of its dropped file(s) to the following:

  • Read Only
  • Hidden
  • System
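
The autostart entries, file-association hijacks, Explorer tweaks and dropped paths listed above can be audited in one pass. The following PowerShell script is an added example, not code from this write-up or from Trend Micro: it reads the documented registry locations and paths, compares them with the defaults the write-up gives, and returns findings without modifying anything. It assumes an elevated PowerShell session on the host being examined.

```powershell
# Added example (not part of the Trend Micro write-up): read-only audit for the
# WORM_BRONTOK.AE persistence and file-association changes documented above.
# Assumption: run from an elevated PowerShell session on the host being examined.
function Get-BrontokAeIndicators {
    $sys  = "$env:SystemRoot\System32"   # what the write-up calls %System%
    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit($kind, $where, $what) {
        $hits.Add([pscustomobject]@{ Kind = $kind; Location = $where; Value = $what })
    }
    # .com and .txt open handlers redirected to the fake rund1132.exe (documented defaults: "%1" %* and NOTEPAD.EXE %1).
    $classes = 'HKEY_CLASSES_ROOT\comfile', 'HKEY_CLASSES_ROOT\txtfile',
               'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile', 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile'
    foreach ($c in $classes) {
        $key = "Registry::$c\shell\open\command"
        $cmd = (Get-ItemProperty -LiteralPath $key -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -match 'rund1132\.exe') { Add-Hit 'FileAssociation' $key $cmd }
    }
    # Autostart: Run values, Winlogon Userinit, and the SafeBoot AlternateShell (documented default cmd.exe).
    $bad = 'Regedit32\.com|Shell32\.com|AUT0EXEC\.BAT|M5VBVM60\.EXE'
    foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -LiteralPath $run -ErrorAction SilentlyContinue
        foreach ($p in @($props.PSObject.Properties)) {
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match $bad) { Add-Hit 'Run' "$run\$($p.Name)" $p.Value }
        }
    }
    $wl = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.Userinit -match $bad) { Add-Hit 'Userinit' 'Winlogon\Userinit' $wl.Userinit }
    $sb = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    if ($sb.AlternateShell -and $sb.AlternateShell -ne 'cmd.exe') { Add-Hit 'SafeBoot' 'SafeBoot\AlternateShell' $sb.AlternateShell }
    # Explorer settings flipped to keep hidden files and extensions out of view; weak signals on their own.
    $adv = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    if ($adv.HideFileExt -eq 1)     { Add-Hit 'Explorer' 'Advanced\HideFileExt' $adv.HideFileExt }
    if ($adv.ShowSuperHidden -eq 0) { Add-Hit 'Explorer' 'Advanced\ShowSuperHidden' $adv.ShowSuperHidden }
    # Dropped files and the look-alike "dllchache" folder, reported with their attributes (Hidden/System/ReadOnly).
    $paths = "$sys\rund1132.exe", "$sys\M5VBVM60.EXE", "$env:SystemRoot\system32.exe", "$sys\dllchache",
             "$sys\dllcache\Shell32.com", "$sys\dllcache\Regedit32.com",
             "$env:SystemDrive\AUT0EXEC.BAT", "$env:SystemDrive\(Read Me)Pendekar Blank.txt"
    foreach ($f in $paths) {
        if (Test-Path -LiteralPath $f) { Add-Hit 'File' $f (Get-Item -LiteralPath $f -Force).Attributes }
    }
    return $hits
}
# List findings; nothing is modified, so the output can go straight into an incident record.
Get-BrontokAeIndicators | Format-Table -AutoSize
```

Because the worm hides its files with the System and Hidden attributes, the file checks use -Force; an empty result means none of the documented artifacts were found, not that the host is clean of other variants.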