WORM_BRONTOK.HR
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This worm arrives via removable drives.
It adds certain registry entries to disable the Task Manager. This action prevents users from terminating the malware process, which can usually be done via the Task Manager.
TECHNICAL DETAILS
File Size: 80,640 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 19 Aug 2011
Arrival Details
This worm arrives via removable drives.
Installation
This worm drops the following copies of itself into the affected system:
- %System Root%\AUTOEXEC.exe
- %System%\New Folder.exe
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following files:
- %System Root%\n.txt
- %System Root%\yahoopath.txt
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
New Folder = New Folder.exe
It modifies the following registry entry to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = userinit.exe,New Folder.exe
(Note: The default value data of the said registry entry is %System%\userinit.exe,.)
Other System Modifications
This worm adds the following registry entries to disable the Task Manager:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = 1
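The autostart and policy changes listed above can be audited on a suspect host. The script below is an added example and not part of this entry; it checks the Run value, the Winlogon Userinit value (flagging any token beyond the default userinit.exe), the DisableTaskMgr policy, and the dropped file paths named in this write-up. Path resolution via $env:SystemDrive and $env:SystemRoot is an assumption for the %System Root% and %System% placeholders.

```powershell
# Added audit script (not from the Trend Micro entry): report the indicators
# this write-up attributes to WORM_BRONTOK.HR. Read-only; nothing is changed.
$findings = @()

# 1. Run key: the entry lists 'New Folder = New Folder.exe'
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['New Folder']) {
    $findings += "Run value 'New Folder' = $($run.'New Folder')"
}

# 2. Winlogon Userinit: the default is '%System%\userinit.exe,' (one entry,
#    trailing comma). Any extra comma-separated token is an appended autostart.
$wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $wlKey -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit) {
    $tokens = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    # Keep only tokens that are not userinit.exe (with or without a path)
    $extra = $tokens | Where-Object { $_ -notmatch '^(?:.*\\)?userinit\.exe$' }
    if ($extra) { $findings += "Userinit has extra entries: $($extra -join '; ')" }
}

# 3. Task Manager policy: DisableTaskMgr = 1 under the HKCU policies key
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -Name DisableTaskMgr -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableTaskMgr -eq 1) { $findings += 'DisableTaskMgr = 1 (Task Manager disabled)' }

# 4. Dropped files named in the write-up (placeholder mapping is an assumption)
$sysRoot = $env:SystemDrive + '\'
$paths = @(
    (Join-Path $sysRoot 'AUTOEXEC.exe'),
    (Join-Path $env:SystemRoot 'System32\New Folder.exe'),
    (Join-Path $sysRoot 'n.txt'),
    (Join-Path $sysRoot 'yahoopath.txt')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

if ($findings.Count -eq 0) { 'No WORM_BRONTOK.HR indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run from an elevated prompt so the HKLM values are readable; the Userinit check also surfaces other appended entries, since any token besides userinit.exe is reported.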
NOTES:
This worm searches for folders in all physical drives and shared folders, and then drops copies of itself as {folder name}.EXE. It also searches for folders in all removable drives, and then drops copies of itself inside each folder as "YahooMail.exe".