WORM_BRONTOK
Brontok
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Earlier variants of the RONTOKBRO malware family were first spotted in 2005. Also known as BRONTOK, this malware family was said to originate from Indonesia, home to the brontok bird, a kind of hawk-eagle.
RONTOKBRO malware self-replicates and is therefore categorized as a worm. These worms typically spread across systems via removable drives. Earlier versions of this malware spread to other systems by harvesting email addresses from affected systems and sending out copies of themselves via SMTP.
It also prevents users from opening the Windows Registry Editor. This routine makes the malware harder to remove from affected computers.
This worm modifies the affected system's HOSTS file, which prevents users from accessing certain websites.
TECHNICAL DETAILS
Installation
This worm drops the following copies of itself into the affected system:
- %Application Data%\{random folder name}\yesbron.com
- %Application Data%\jalak-{random numbers}-bali.com
- %System%\c_{random numbers}k.com
- %System%\{random folder name}\smss.exe
- %System%\{random folder name}\csrss.exe
- %System%\{random folder name}\lsass.exe
- %System%\{random folder name}\m{random numbers}.exe
- %System%\{random folder name}\services.exe
- %System%\{random folder name}\winlogon.exe
- %System%\{random folder name}\{random file name}.exe
- %Windows%\{random file name}.exe
- %Windows%\_default{random numbers}.pif
- %Windows%\{random folder name}\{random file name}.exe
It drops the following files:
- %System Root%\Baca Bro !!!.txt
- %System%\{random folder name}\c.bron.tok.txt
- %System%\{random folder name}\domlist.txt
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System32.)
It creates the following folders:
- %Application Data%\{random folder name}
- %System%\{random folder name}
- %System%\{random folder name}\Spread.Mail.Bro
- %System%\{random folder name}\Spread.Sent.Bro
- %Windows%\{random folder name}
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7. %System% is the Windows system folder, which is usually C:\Windows\System32. %Windows% is the Windows folder, which is usually C:\Windows.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\run
{random characters} = "%Application Data%\{random folder name}\yesbron.com"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random characters} = "%System%\{random folder name}\{random file name}.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\run
{random characters} = "%Windows%\_default{random numbers}.pif"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random characters} = "%Windows%\{random file name}.exe"
It modifies the following registry entries to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe "%Windows%\{random file name}.exe""
(Note: The default value data of the said registry entry is Explorer.exe.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,%Windows%\{random file name}.exe"
(Note: The default value data of the said registry entry is %System%\userinit.exe,.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot
AlternateShell = "c_{random numbers}k.com"
(Note: The default value data of the said registry entry is cmd.exe.)
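A way to compare a host's Winlogon and SafeBoot values against the defaults noted above, as an added example that is not part of this write-up. The registry values are supplied as a plain mapping (for instance exported with reg query beforehand), so the check runs offline; the sample mapping below is constructed to mirror the modifications described here.

```python
"""Flag Winlogon / SafeBoot autostart values that differ from their
documented defaults, plus the DisableRegistryTools policy.
Example written for this page; sample data is constructed."""

# Defaults as stated in the write-up (environment variables left unexpanded).
EXPECTED = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "Explorer.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit": r"%System%\userinit.exe,",
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell": "cmd.exe",
}

# Policy values that should be absent or zero on a healthy host.
POLICY_ZERO = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
}

def _norm(value):
    # Registry strings are case-insensitive; a trailing comma on Userinit is normal.
    return str(value).strip().rstrip(",").lower()

def check_autostart(values):
    """values: mapping of registry path -> data (str or int).
    Returns a list of (path, data, reason) findings."""
    findings = []
    for path, expected in EXPECTED.items():
        data = values.get(path)
        if data is not None and _norm(data) != _norm(expected):
            findings.append((path, data, f"expected {expected!r}"))
    for path in POLICY_ZERO:
        data = values.get(path)
        if data not in (None, 0, "0"):
            findings.append((path, data, "registry tools disabled by policy"))
    return findings

# Constructed sample resembling an infected host (file names are placeholders).
SAMPLE = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": r'Explorer.exe "%Windows%\abc.exe"',
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit": r"%System%\userinit.exe,%Windows%\abc.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell": "c_123k.com",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": 1,
}

if __name__ == "__main__":
    for path, data, reason in check_autostart(SAMPLE):
        print(f"{path}\n    = {data!r} ({reason})")
```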
Other System Modifications
This worm adds the following registry keys:
HKEY_CURRENT_USER\Software\Brontok
It adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Schedule
AtTaskMaxHours = "48"
It modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "0"
(Note: The default value data of the said registry entry is 1.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"
(Note: The default value data of the said registry entry is 1.)
HOSTS File Modification
This worm modifies the affected system's HOSTS file to prevent a user from accessing the following websites:
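An added example, not part of this write-up, of parsing a HOSTS file and flagging the redirect pattern described above. It generalises beyond 127.0.0.22 to any loopback or unspecified address placed in front of a name that is not a local alias; the HOSTS text below is constructed, not a capture.

```python
"""Flag HOSTS entries that map non-local names to a loopback or
unspecified address. Example written for this page; sample constructed."""
import ipaddress

# Names that legitimately resolve to loopback in a stock HOSTS file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every mapping; comments are dropped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower(), lineno

def sinkholed_entries(text):
    """Return [(lineno, ip, hostname)] for names redirected to a dead address."""
    hits = []
    for ip, name, lineno in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not a redirect
        if (addr.is_loopback or addr.is_unspecified) and name not in LOCAL_NAMES:
            hits.append((lineno, ip, name))
    return hits

# Constructed sample: two lines in the style the write-up describes, plus
# the comment marker it lists, alongside normal entries.
SAMPLE_HOSTS = """\
# default HOSTS header (comment)
127.0.0.1       localhost
::1             localhost
127.0.0.22 trendmicro.com
127.0.0.22 www.symantec.com   # inline comment
#JowoBot-CrackHost
192.0.2.10 intranet.example.invalid
"""

if __name__ == "__main__":
    for lineno, ip, name in sinkholed_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

Local ad-blocking HOSTS files produce the same loopback pattern on purpose, so compare the findings against a known-good baseline for the host rather than treating every hit as an infection.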
Other Details
This worm connects to the following possibly malicious URLs:
- http://www.{BLOCKED}ee.org/Arts/bddwyrk/inf22.css
- http://{BLOCKED}ng.com/WS1/cgi/x.cgi?NAVG=Tracker&username=dudxwd