Worm.Win32.BRONTOK.CC
Worm:Win32/Brontok@mm (MICROSOFT)
Windows
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware
This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
43,403 bytes
Yes
05 Feb 2025
Connects to URLs/IPs, Drops files, Modifies system registry
Arrival Details
This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Worm drops the following copies of itself into the affected system and executes them:
- %AppDataLocal%\csrss.exe
- %AppDataLocal%\inetinfo.exe
- %AppDataLocal%\lsass.exe
- %AppDataLocal%\services.exe
- %AppDataLocal%\smss.exe
- %AppDataLocal%\winlogon.exe
(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
It drops the following copies of itself into the affected system:
- %Application data%\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif
- %Application data%\Microsoft\Windows\Templates\Brengkolang.com
- %System%\drivers\etc\hosts-Denied By-Administrator.com
- %Windows%\KesenjanganSosial.exe
- %Windows%\ShellNew\RakyatKelaparan.exe
- %Windows%\SysWOW64\Administrator's Setting.scr
- %Windows%\SysWOW64\cmd-brontok.exe
It adds the following processes:
- %AppDataLocal%\inetinfo.exe
- %AppDataLocal%\lsass.exe
- %AppDataLocal%\services.exe
- %AppDataLocal%\winlogon.exe
- %AppDataLocal%\smss.exe
- %Windows%\SysWOW64\at.exe at 17:08 /every:M,T,W,Th,F,S,Su "%Application data%\Microsoft\Windows\Templates\Brengkolang.com"
Autostart Technique
This Worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Tok-Cirrhatus =
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Tok-Cirrhatus-3444 = %AppDataLocal%\smss.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Run
Bron-Spizaetus = %Windows%\ShellNew\RakyatKelaparan.exe
It modifies the following registry entries to ensure it automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows NT\CurrentVersion\
Winlogon
Shell = Explorer.exe "%Windows%\KesenjanganSosial.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot
AlternateShell = cmd-brontok.exe
It enables its automatic execution at every system startup by dropping the following copies of itself into the Windows Common Startup folder:
- %Application data%\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif
Other System Modifications
This Worm modifies the following registry entries:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
NoFolderOptions = 1
Other Details
This Worm connects to the following possibly malicious URL:
- http://www.{BLOCKED}ies.com/sbllma5/Host15.txt
- http://www.{BLOCKED}ies.com/sbllma5/IN15VLMLWHOX.txt
- http://www.{BLOCKED}o.com
It does the following:
- It uses the at command to add a scheduled task that executes the copies it drops.
- The scheduled task executes the malware every 5:08 PM every day