WORM_RONTOKBRO
Brontok
Windows 2000, Windows XP, Windows Server 2003
Malware type:
Worm
Destructive?:
No
Encrypted?:
In the wild:
Yes
Overview
Modifies the HOSTS file of the affected system. As a result, users can no longer access certain websites.
Technical Details
Installation
Drops the following copies of itself into the affected system:
- %Application Data%\{random folder name}\yesbron.com
- %Application Data%\jalak-{random numbers}-bali.com
- %System%\c_{random numbers}k.com
- %System%\{random folder name}\smss.exe
- %System%\{random folder name}\csrss.exe
- %System%\{random folder name}\lsass.exe
- %System%\{random folder name}\m{random numbers}.exe
- %System%\{random folder name}\services.exe
- %System%\{random folder name}\winlogon.exe
- %System%\{random folder name}\{random file name}.exe
- %Windows%\{random file name}.exe
- %Windows%\_default{random numbers}.pif
- %Windows%\{random folder name}\{random file name}.exe
Drops the following files:
- %System Root%\Baca Bro !!!.txt
- %System%\{random folder name}\c.bron.tok.txt
- %System%\{random folder name}\domlist.txt
(Note: %System Root% is the root folder, usually C:\. It is also where the operating system is located. %System% is the Windows system folder, usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
Creates the following folders:
- %Application Data%\{random folder name}
- %System%\{random folder name}
- %System%\{random folder name}\Spread.Mail.Bro
- %System%\{random folder name}\Spread.Sent.Bro
- %Windows%\{random folder name}
(Note: %Application Data% is the Application Data folder of the current user, usually C:\Windows\Profile\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profile\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %System% is the Windows system folder, usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003. %Windows% is the Windows folder, usually C:\Windows or C:\WINNT.)
Autostart Technique
Adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\run
{random characters} = "%Application Data%\{random folder name}\yesbron.com"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random characters} = "%System%\{random folder name}\{random file name}.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\run
{random characters} = "%Windows%\_default{random numbers}.pif"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random characters} = "%Windows%\{random file name}.exe"
Modifies the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe "%Windows%\{random file name}.exe""
(Note: The default value data of the said registry entry is Explorer.exe.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,%Windows%\{random file name}.exe"
(Note: The default value data of the said registry entry is %System%\userinit.exe,.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot
AlternateShell = "c_{random numbers}k.com"
(Note: The default value data of the said registry entry is cmd.exe.)
Other System Modifications
Adds the following registry keys:
HKEY_CURRENT_USER\Software\Brontok
Adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Schedule
AtTaskMaxHours = "48"
Modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "0"
(Note: The default value data of the said registry entry is 1.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"
(Note: The default value data of the said registry entry is 1.)
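The registry changes listed under Autostart Technique and Other System Modifications can be checked offline against the default value data the notes above give. The following script is an added example and is not part of this write-up or of any Trend Micro tool; the snapshot format (a dict of "HIVE\key path" to {value name: data}) is an assumption made so the check runs without a Windows host, and the file names xk.exe, c_4321k.com, _default1234.pif and the value names abcd/wxyz are invented placeholders for the {random ...} parts above.

```python
"""Offline comparison of a registry snapshot against the default value data
documented above for the entries this worm adds or modifies.

Added example, not part of the Trend Micro write-up. The snapshot format
(dict of "HIVE\\key path" -> {value name: data string}) is an assumption
made here so the check runs offline; on a live host it would be filled
from a `reg export` file or the winreg module. DWORD data is written as
the decimal string the write-up uses ("1"/"0").
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# (key, value name) -> default data, as given in the notes above.
EXPECTED_DEFAULTS = {
    (WINLOGON, "Shell"): "Explorer.exe",
    (WINLOGON, "Userinit"): r"%System%\userinit.exe,",
    (SAFEBOOT, "AlternateShell"): "cmd.exe",
    (ADVANCED, "Hidden"): "1",
    (ADVANCED, "HideFileExt"): "0",
    (ADVANCED, "ShowSuperHidden"): "1",
}

# Keys that are absent on a default install (Policies\Explorer\Run only exists
# when Group Policy populates it); the worm creates and fills them.
NORMALLY_ABSENT_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_CURRENT_USER\Software\Brontok",
)


def _norm(s):
    # Registry paths and REG_SZ data are compared case-insensitively.
    return s.strip().lower()


def check_snapshot(snapshot):
    """Return a list of findings (strings); an empty list means no indicator matched."""
    findings = []
    index = {_norm(key): values for key, values in snapshot.items()}

    for (key, name), default in EXPECTED_DEFAULTS.items():
        values = index.get(_norm(key), {})
        if name in values and _norm(values[name]) != _norm(default):
            findings.append(f"{key}\\{name} = {values[name]!r} (default {default!r})")

    for key in NORMALLY_ABSENT_KEYS:
        values = index.get(_norm(key))
        if values is None:
            continue
        if not values:
            findings.append(f"{key} exists (normally absent)")
        for name, data in values.items():
            findings.append(f"{key}\\{name} = {data!r} (key normally absent)")

    if index.get(_norm(POLICIES_SYSTEM), {}).get("DisableRegistryTools") == "1":
        findings.append("DisableRegistryTools = 1 (registry editor locked out by policy)")
    return findings


# Constructed snapshots. The {random ...} parts of the write-up are replaced
# by invented placeholders (xk.exe, c_4321k.com, _default1234.pif, abcd, wxyz).
CLEAN_SNAPSHOT = {
    WINLOGON: {"Shell": "Explorer.exe", "Userinit": r"%System%\userinit.exe,"},
    SAFEBOOT: {"AlternateShell": "cmd.exe"},
    ADVANCED: {"Hidden": "1", "HideFileExt": "0", "ShowSuperHidden": "1"},
}

INFECTED_SNAPSHOT = {
    WINLOGON: {
        "Shell": r'Explorer.exe "%Windows%\xk.exe"',
        "Userinit": r"%System%\userinit.exe,%Windows%\xk.exe",
    },
    SAFEBOOT: {"AlternateShell": "c_4321k.com"},
    ADVANCED: {"Hidden": "0", "HideFileExt": "1", "ShowSuperHidden": "0"},
    POLICIES_SYSTEM: {"DisableRegistryTools": "1"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run":
        {"abcd": r"%Application Data%\qq\yesbron.com"},
    # Spelled with lower-case "policies"/"run" as in the write-up; casing is ignored.
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run":
        {"wxyz": r"%Windows%\_default1234.pif"},
    r"HKEY_CURRENT_USER\Software\Brontok": {},
}

if __name__ == "__main__":
    for line in check_snapshot(INFECTED_SNAPSHOT):
        print(line)
```

The Winlogon Shell, Userinit and SafeBoot AlternateShell comparisons are the ones worth keeping in a baseline: a changed Shell or Userinit runs the payload at every logon, and a changed AlternateShell survives a boot into Safe Mode with Command Prompt, which is where an operator would usually go to clean up.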
HOSTS File Modification
Modifies the affected system's HOSTS file to prevent users from accessing the following websites:
- 127.0.0.22 downloads1.kaspersky-labs.net
- 127.0.0.22 downloads1.kaspersky-labs.org
- 127.0.0.22 downloads2.kaspersky-labs.com
- 127.0.0.22 downloads2.kaspersky-labs.net
- 127.0.0.22 downloads2.kaspersky-labs.org
- 127.0.0.22 downloads3.kaspersky-labs.com
- 127.0.0.22 downloads3.kaspersky-labs.net
- 127.0.0.22 downloads3.kaspersky-labs.org
- 127.0.0.22 downloads4.kaspersky-labs.com
- 127.0.0.22 downloads4.kaspersky-labs.net
- 127.0.0.22 downloads4.kaspersky-labs.org
- 127.0.0.22 esafe.com
- 127.0.0.22 esafe.net
- 127.0.0.22 esafe.org
- 127.0.0.22 europe.f-secure.com
- 127.0.0.22 europe.f-secure.net
- 127.0.0.22 europe.f-secure.org
- 127.0.0.22 f-secure.com
- 127.0.0.22 f-secure.net
- 127.0.0.22 f-secure.org
- 127.0.0.22 fajarweb.com
- 127.0.0.22 fajarweb.net
- 127.0.0.22 fajarweb.org
- 127.0.0.22 forum.vaksin.com
- 127.0.0.22 forum.vaksin.net
- 127.0.0.22 forum.vaksin.org
- 127.0.0.22 free-av.com
- 127.0.0.22 free-av.net
- 127.0.0.22 free-av.org
- 127.0.0.22 grisoft.com
- 127.0.0.22 grisoft.net
- 127.0.0.22 grisoft.org
- 127.0.0.22 icubed.com
- 127.0.0.22 icubed.net
- 127.0.0.22 icubed.org
- 127.0.0.22 infokomputer.com
- 127.0.0.22 infokomputer.net
- 127.0.0.22 infokomputer.org
- 127.0.0.22 it.trendmicro-europe.com
- 127.0.0.22 it.trendmicro-europe.net
- 127.0.0.22 it.trendmicro-europe.org
- 127.0.0.22 jasakom.com
- 127.0.0.22 jasakom.net
- 127.0.0.22 jasakom.org
- 127.0.0.22 jeruk.padinet.com
- 127.0.0.22 jeruk.padinet.net
- 127.0.0.22 jeruk.padinet.org
- 127.0.0.22 kaskus.com
- 127.0.0.22 kaskus.net
- 127.0.0.22 kaskus.org
- 127.0.0.22 kaspersky-labs.com
- 127.0.0.22 kaspersky-labs.net
- 127.0.0.22 kaspersky-labs.org
- 127.0.0.22 kaspersky.com
- 127.0.0.22 kaspersky.net
- 127.0.0.22 kaspersky.org
- 127.0.0.22 liveupdate.symantec.com
- 127.0.0.22 liveupdate.symantec.net
- 127.0.0.22 liveupdate.symantec.org
- 127.0.0.22 liveupdate.symantecliveupdate.com
- 127.0.0.22 liveupdate.symantecliveupdate.net
- 127.0.0.22 liveupdate.symantecliveupdate.org
- 127.0.0.22 mcafee.com
- 127.0.0.22 mcafee.net
- 127.0.0.22 mcafee.org
- 127.0.0.22 mcafeeb2b.com
- 127.0.0.22 mcafeeb2b.net
- 127.0.0.22 mcafeeb2b.org
- 127.0.0.22 mcafeesecurity.com
- 127.0.0.22 mcafeesecurity.net
- 127.0.0.22 mcafeesecurity.org
- 127.0.0.22 nai.com
- 127.0.0.22 nai.net
- 127.0.0.22 nai.org
- 127.0.0.22 norman.com
- 127.0.0.22 norman.net
- 127.0.0.22 norman.org
- 127.0.0.22 norton.com
- 127.0.0.22 norton.net
- 127.0.0.22 norton.org
- 127.0.0.22 ontrack.com
- 127.0.0.22 ontrack.net
- 127.0.0.22 ontrack.org
- 127.0.0.22 padinet.com
- 127.0.0.22 padinet.net
- 127.0.0.22 padinet.org
- 127.0.0.22 pandasoftware.com
- 127.0.0.22 pandasoftware.net
- 127.0.0.22 pandasoftware.org
- 127.0.0.22 perantivirus.com
- 127.0.0.22 perantivirus.net
- 127.0.0.22 perantivirus.org
- 127.0.0.22 playboy.com
- 127.0.0.22 playboy.net
- 127.0.0.22 playboy.org
- 127.0.0.22 pornstargals.com
- 127.0.0.22 pornstargals.net
- 127.0.0.22 pornstargals.org
- 127.0.0.22 sands.com
- 127.0.0.22 sands.net
- 127.0.0.22 sands.org
- 127.0.0.22 sarc.com
- 127.0.0.22 sarc.net
- 127.0.0.22 sarc.org
- 127.0.0.22 secunia.com
- 127.0.0.22 secunia.net
- 127.0.0.22 secunia.org
- 127.0.0.22 securityresponse.symantec.com
- 127.0.0.22 securityresponse.symantec.net
- 127.0.0.22 securityresponse.symantec.org
- 127.0.0.22 sex-mission.com
- 127.0.0.22 sex-mission.net
- 127.0.0.22 sex-mission.org
- 127.0.0.22 sophos.com
- 127.0.0.22 sophos.net
- 127.0.0.22 sophos.org
- 127.0.0.22 symantec.com
- 127.0.0.22 symantec.net
- 127.0.0.22 symantec.org
- 127.0.0.22 trendmicro-europe.com
- 127.0.0.22 trendmicro-europe.net
- 127.0.0.22 trendmicro-europe.org
- 127.0.0.22 trendmicro.com
- 127.0.0.22 trendmicro.net
- 127.0.0.22 trendmicro.org
- 127.0.0.22 update.symantec.com
- 127.0.0.22 update.symantec.net
- 127.0.0.22 update.symantec.org
- 127.0.0.22 vaksin.com
- 127.0.0.22 vaksin.net
- 127.0.0.22 vaksin.org
- 127.0.0.22 vil.nai.com
- 127.0.0.22 vil.nai.net
- 127.0.0.22 vil.nai.org
- 127.0.0.22 virustotal.com
- 127.0.0.22 virustotal.net
- 127.0.0.22 virustotal.org
- 127.0.0.22 winantivirus.com
- 127.0.0.22 winantivirus.net
- 127.0.0.22 winantivirus.org
- 127.0.0.22 www.17tahun.com
- 127.0.0.22 www.17tahun.net
- 127.0.0.22 www.17tahun.org
- 127.0.0.22 www.ae.trendmicro-europe.com
- 127.0.0.22 www.ae.trendmicro-europe.net
- 127.0.0.22 www.ae.trendmicro-europe.org
- 127.0.0.22 www.anti-virus.com
- 127.0.0.22 www.anti-virus.net
- 127.0.0.22 www.anti-virus.org
- 127.0.0.22 www.antivirus.com
- 127.0.0.22 www.antivirus.net
- 127.0.0.22 www.antivirus.org
- 127.0.0.22 www.backup.grisoft.com
- 127.0.0.22 www.backup.grisoft.net
- 127.0.0.22 www.backup.grisoft.org
- 127.0.0.22 www.bhs.com
- 127.0.0.22 www.bhs.net
- 127.0.0.22 www.bhs.org
- 127.0.0.22 www.blog.compactbyte.com
- 127.0.0.22 www.blog.compactbyte.net
- 127.0.0.22 www.blog.compactbyte.org
- 127.0.0.22 www.blogs.compactbyte.com
- 127.0.0.22 www.blogs.compactbyte.net
- 127.0.0.22 www.blogs.compactbyte.org
- 127.0.0.22 www.ca.com
- 127.0.0.22 www.ca.net
- 127.0.0.22 www.ca.org
- 127.0.0.22 www.castlecops.com
- 127.0.0.22 www.castlecops.net
- 127.0.0.22 www.castlecops.org
- 127.0.0.22 www.cheyenne.com
- 127.0.0.22 www.cheyenne.net
- 127.0.0.22 www.cheyenne.org
- 127.0.0.22 www.compactbyte.com
- 127.0.0.22 www.compactbyte.net
- 127.0.0.22 www.compactbyte.org
- 127.0.0.22 www.datafellows.com
- 127.0.0.22 www.datafellows.net
- 127.0.0.22 www.datafellows.org
- 127.0.0.22 www.download.mcafee.com
- 127.0.0.22 www.download.mcafee.net
- 127.0.0.22 www.download.mcafee.org
- 127.0.0.22 www.downloads1.kaspersky-labs.com
- 127.0.0.22 www.downloads1.kaspersky-labs.net
- 127.0.0.22 www.downloads1.kaspersky-labs.org
- 127.0.0.22 www.downloads2.kaspersky-labs.com
- 127.0.0.22 www.downloads2.kaspersky-labs.net
- 127.0.0.22 www.downloads2.kaspersky-labs.org
- 127.0.0.22 www.downloads3.kaspersky-labs.com
- 127.0.0.22 www.downloads3.kaspersky-labs.net
- 127.0.0.22 www.downloads3.kaspersky-labs.org
- 127.0.0.22 www.downloads4.kaspersky-labs.com
- 127.0.0.22 www.downloads4.kaspersky-labs.net
- 127.0.0.22 www.downloads4.kaspersky-labs.org
- 127.0.0.22 www.esafe.com
- 127.0.0.22 www.esafe.net
- 127.0.0.22 www.esafe.org
- 127.0.0.22 www.europe.f-secure.com
- 127.0.0.22 www.europe.f-secure.net
- 127.0.0.22 www.europe.f-secure.org
- 127.0.0.22 www.f-secure.com
- 127.0.0.22 www.f-secure.net
- 127.0.0.22 www.f-secure.org
- 127.0.0.22 www.fajarweb.com
- 127.0.0.22 www.fajarweb.net
- 127.0.0.22 www.fajarweb.org
- 127.0.0.22 www.forum.vaksin.com
- 127.0.0.22 www.forum.vaksin.net
- 127.0.0.22 www.forum.vaksin.org
- 127.0.0.22 www.free-av.com
- 127.0.0.22 www.free-av.net
- 127.0.0.22 www.free-av.org
- 127.0.0.22 www.grisoft.com
- 127.0.0.22 www.grisoft.net
- 127.0.0.22 www.grisoft.org
- 127.0.0.22 www.icubed.com
- 127.0.0.22 www.icubed.net
- 127.0.0.22 www.icubed.org
- 127.0.0.22 www.infokomputer.com
- 127.0.0.22 www.infokomputer.net
- 127.0.0.22 www.infokomputer.org
- 127.0.0.22 www.it.trendmicro-europe.com
- 127.0.0.22 www.it.trendmicro-europe.net
- 127.0.0.22 www.it.trendmicro-europe.org
- 127.0.0.22 www.jasakom.com
- 127.0.0.22 www.jasakom.net
- 127.0.0.22 www.jasakom.org
- 127.0.0.22 www.jeruk.padinet.com
- 127.0.0.22 www.jeruk.padinet.net
- 127.0.0.22 www.jeruk.padinet.org
- 127.0.0.22 www.kaskus.com
- 127.0.0.22 www.kaskus.net
- 127.0.0.22 www.kaskus.org
- 127.0.0.22 www.kaspersky-labs.com
- 127.0.0.22 www.kaspersky-labs.net
- 127.0.0.22 www.kaspersky-labs.org
- 127.0.0.22 www.kaspersky.com
- 127.0.0.22 www.kaspersky.net
- 127.0.0.22 www.kaspersky.org
- 127.0.0.22 www.liveupdate.symantec.com
- 127.0.0.22 www.liveupdate.symantec.net
- 127.0.0.22 www.liveupdate.symantec.org
- 127.0.0.22 www.liveupdate.symantecliveupdate.com
- 127.0.0.22 www.liveupdate.symantecliveupdate.net
- 127.0.0.22 www.liveupdate.symantecliveupdate.org
- 127.0.0.22 www.mcafee.com
- 127.0.0.22 www.mcafee.net
- 127.0.0.22 www.mcafee.org
- 127.0.0.22 www.mcafeeb2b.com
- 127.0.0.22 www.mcafeeb2b.net
- 127.0.0.22 www.mcafeeb2b.org
- 127.0.0.22 www.mcafeesecurity.com
- 127.0.0.22 www.mcafeesecurity.net
- 127.0.0.22 www.mcafeesecurity.org
- 127.0.0.22 www.nai.com
- 127.0.0.22 www.nai.net
- 127.0.0.22 www.nai.org
- 127.0.0.22 www.norman.com
- 127.0.0.22 www.norman.net
- 127.0.0.22 www.norman.org
- 127.0.0.22 www.norton.com
- 127.0.0.22 www.norton.net
- 127.0.0.22 www.norton.org
- 127.0.0.22 www.ontrack.com
- 127.0.0.22 www.ontrack.net
- 127.0.0.22 www.ontrack.org
- 127.0.0.22 www.padinet.com
- 127.0.0.22 www.padinet.net
- 127.0.0.22 www.padinet.org
- 127.0.0.22 www.pandasoftware.com
- 127.0.0.22 www.pandasoftware.net
- 127.0.0.22 www.pandasoftware.org
- 127.0.0.22 www.perantivirus.com
- 127.0.0.22 www.perantivirus.net
- 127.0.0.22 www.perantivirus.org
- 127.0.0.22 www.playboy.com
- 127.0.0.22 www.playboy.net
- 127.0.0.22 www.playboy.org
- 127.0.0.22 www.pornstargals.com
- 127.0.0.22 www.pornstargals.net
- 127.0.0.22 www.pornstargals.org
- 127.0.0.22 www.sands.com
- 127.0.0.22 www.sands.net
- 127.0.0.22 www.sands.org
- 127.0.0.22 www.sarc.com
- 127.0.0.22 www.sarc.net
- 127.0.0.22 www.sarc.org
- 127.0.0.22 www.secunia.com
- 127.0.0.22 www.secunia.net
- 127.0.0.22 www.secunia.org
- 127.0.0.22 www.securityresponse.symantec.com
- 127.0.0.22 www.securityresponse.symantec.net
- 127.0.0.22 www.securityresponse.symantec.org
- 127.0.0.22 www.sex-mission.com
- 127.0.0.22 www.sex-mission.net
- 127.0.0.22 www.sex-mission.org
- 127.0.0.22 www.sophos.com
- 127.0.0.22 www.sophos.net
- 127.0.0.22 www.sophos.org
- 127.0.0.22 www.symantec.com
- 127.0.0.22 www.symantec.net
- 127.0.0.22 www.symantec.org
- 127.0.0.22 www.trendmicro-europe.com
- 127.0.0.22 www.trendmicro-europe.net
- 127.0.0.22 www.trendmicro-europe.org
- 127.0.0.22 www.trendmicro.com
- 127.0.0.22 www.trendmicro.net
- 127.0.0.22 www.trendmicro.org
- 127.0.0.22 www.update.symantec.com
- 127.0.0.22 www.update.symantec.net
- 127.0.0.22 www.update.symantec.org
- 127.0.0.22 www.vaksin.com
- 127.0.0.22 www.vaksin.net
- 127.0.0.22 www.vaksin.org
- 127.0.0.22 www.vil.nai.com
- 127.0.0.22 www.vil.nai.net
- 127.0.0.22 www.vil.nai.org
- 127.0.0.22 www.virustotal.com
- 127.0.0.22 www.virustotal.net
- 127.0.0.22 www.virustotal.org
- 127.0.0.22 www.winantivirus.com
- 127.0.0.22 www.winantivirus.net
- 127.0.0.22 www.winantivirus.org
- 127.0.0.22 17tahun.com
- 127.0.0.22 17tahun.net
- 127.0.0.22 17tahun.org
- 127.0.0.22 ae.trendmicro-europe.com
- 127.0.0.22 ae.trendmicro-europe.net
- 127.0.0.22 ae.trendmicro-europe.org
- 127.0.0.22 anti-virus.com
- 127.0.0.22 anti-virus.net
- 127.0.0.22 anti-virus.org
- 127.0.0.22 antivirus.com
- 127.0.0.22 antivirus.net
- 127.0.0.22 antivirus.org
- 127.0.0.22 backup.grisoft.com
- 127.0.0.22 backup.grisoft.net
- 127.0.0.22 backup.grisoft.org
- 127.0.0.22 bhs.com
- 127.0.0.22 bhs.net
- 127.0.0.22 bhs.org
- 127.0.0.22 blog.compactbyte.com
- 127.0.0.22 blog.compactbyte.net
- 127.0.0.22 blog.compactbyte.org
- 127.0.0.22 blogs.compactbyte.com
- 127.0.0.22 blogs.compactbyte.net
- 127.0.0.22 blogs.compactbyte.org
- 127.0.0.22 ca.com
- 127.0.0.22 ca.net
- 127.0.0.22 ca.org
- 127.0.0.22 castlecops.com
- 127.0.0.22 castlecops.net
- 127.0.0.22 castlecops.org
- 127.0.0.22 cheyenne.com
- 127.0.0.22 cheyenne.net
- 127.0.0.22 cheyenne.org
- 127.0.0.22 compactbyte.com
- 127.0.0.22 compactbyte.net
- 127.0.0.22 compactbyte.org
- 127.0.0.22 datafellows.com
- 127.0.0.22 datafellows.net
- 127.0.0.22 datafellows.org
- 127.0.0.22 download.mcafee.com
- 127.0.0.22 download.mcafee.net
- 127.0.0.22 download.mcafee.org
- 127.0.0.22 downloads1.kaspersky-labs.com
- #JowoBot-CrackHost
- #JowoBot-VM Community
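The HOSTS pattern above (security vendor and update hostnames pointed at 127.0.0.22, together with the #JowoBot comment lines) is straightforward to audit. The script below is an added example and not part of this write-up; WATCHLIST holds a handful of representative domains from the list above, and SAMPLE_HOSTS is constructed input.

```python
"""Audit a HOSTS file for the sinkholing pattern described above: security
vendor and update hostnames pointed at a loopback address (127.0.0.22 in
this write-up), plus the comment markers the worm writes.

Added example, not part of the Trend Micro write-up. WATCHLIST holds a few
representative domains from the list above; SAMPLE_HOSTS is constructed.
"""
import ipaddress

WATCHLIST = (
    "kaspersky.com", "kaspersky-labs.com", "symantec.com", "symantecliveupdate.com",
    "trendmicro.com", "trendmicro-europe.com", "f-secure.com", "mcafee.com",
    "nai.com", "sophos.com", "grisoft.com", "pandasoftware.com", "virustotal.com",
)
# Comment lines the write-up lists as written into HOSTS.
MARKER_COMMENTS = ("#JowoBot-CrackHost", "#JowoBot-VM Community")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line number, ip or None, hostnames, comment) for each line."""
    for n, raw in enumerate(text.splitlines(), 1):
        body, sep, rest = raw.partition("#")
        comment = ("#" + rest).strip() if sep else ""
        fields = body.split()
        yield n, (fields[0] if fields else None), fields[1:], comment


def _on_watchlist(host):
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text):
    """Return [(line number, reason, subject)] for every suspicious line."""
    findings = []
    for n, ip, hosts, comment in parse_hosts(text):
        if comment in MARKER_COMMENTS:
            findings.append((n, "marker comment", comment))
        if ip is None:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, "unparseable address", ip))
            continue
        if not addr.is_loopback:
            continue  # redirects to other addresses are outside this pattern
        standard_loopback = str(addr) in ("127.0.0.1", "::1")
        for host in hosts:
            h = host.lower()
            if h in LOCAL_NAMES:
                continue
            if _on_watchlist(h):
                findings.append((n, "security vendor -> loopback", host))
            elif not standard_loopback:
                # 127.0.0.22 and the like: legitimate tooling almost never does this
                findings.append((n, "host -> non-standard loopback", host))
            else:
                findings.append((n, "host -> loopback", host))
    return findings


# Constructed sample: two stock lines, one benign developer entry, then the
# worm's marker comment and three redirected hostnames from the list above.
SAMPLE_HOSTS = "\n".join([
    "127.0.0.1       localhost",
    "::1             localhost",
    "127.0.0.1       dev.example.test   # constructed, benign developer entry",
    "#JowoBot-CrackHost",
    "127.0.0.22 www.kaspersky.com",
    "127.0.0.22 liveupdate.symantec.com",
    "127.0.0.22 kaskus.com",
])

if __name__ == "__main__":
    for n, reason, subject in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {reason}: {subject}")
```

The "host -> loopback" finding for the developer entry is informational; the two signals that matter on this page are a watchlisted vendor domain resolving to loopback at all, and any hostname resolving to a loopback address other than 127.0.0.1, since ordinary software has no reason to write 127.0.0.22.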