
Worm:Win32/Brontok.P@mm


First posted on 13 May 2013.
Source: Microsoft

Aliases :

Worm:Win32/Brontok.P@mm is also known as Win32/Brontok.worm.43008 (AhnLab), W32/Worm.YIV (Command), Email-Worm.Win32.Brontok.q (Kaspersky), W32/Rontokbro (Norman), Worm/Brontok.C (Avira), Win32.Virut.5 (Dr.Web), Win32/Brontok.AQ worm (ESET), Email-Worm.Win32.Brontok (Ikarus), W32/Rontokbro.gen@MM (McAfee), Trojan.Win32.Mnless.dyr (Rising AV), W32/Brontok-D (Sophos), W32.Rontokbro@mm (Symantec), WORM_RONTKBR.GEN (Trend Micro).

Explanation:

Installation

Worm:Win32/Brontok.P@mm creates copies of itself in %APPDATA% with the following file names:

  • smss.exe
  • services.exe
  • lsass.exe
  • inetinfo.exe
  • csrss.exe
  • winlogon.exe


It creates a copy in %windir% with the file names:

  • shellnew\sempalong.exe
  • eksplorasi.exe


It also creates a copy in <start menu>\Programs\Startup\Empty.pif and %USERPROFILE%\Templates\Brengkolang.com.

Worm:Win32/Brontok.P@mm creates the following folders to store the email addresses it harvests:

  • %APPDATA%\Bron.tok-<random number>-<random number>, for example Bron.tok-12-6
  • %APPDATA%\Loc.Mail.Bron.Tok
  • %APPDATA%\Ok-SendMail-Bron-tok


It also creates the following files:

  • %APPDATA%\BronFoldNetDomList.txt - Stores shared folder information about any computers it finds in the network
  • %APPDATA%\BronNetDomList.bat - Stores information about collected network shares of computers found in the network
  • %APPDATA%\BronNPath0.txt - Stores details of shared network folder paths
  • %APPDATA%\Kosong.Bron.Tok.txt - Contains information about the worm itself, such as the author
  • %USERPROFILE%\Pictures\about.Brontok.A.html - Contains text information, written in Indonesian


Worm:Win32/Brontok.P@mm modifies the following registry entries to make sure that its copy runs each time Windows starts:

In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "Tok-Cirrhatus"
With data: "%APPDATA%\local\smss.exe"

In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: "Bron-Spizaetus"
With data: "%windir%\shellnew\sempalong.exe"

In subkey: HKLM\software\microsoft\windows nt\currentversion\winlogon
Sets value: "Shell"
With data: "Explorer.exe %windir%\eksplorasi.exe"

Worm:Win32/Brontok.P@mm creates the following scheduled task so that its Templates copy runs every day of the week:

  • at <time> /every:M,T,W,Th,F,S,Su "%USERPROFILE%\Templates\Brengkolang.com"
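
The following read-only triage script is added here as an example; it is not part of the Microsoft write-up. It checks a Windows host for the persistence points listed above: the two Run values, the Winlogon Shell value, the dropped file names, the address-store folders and the daily at-job. It assumes PowerShell 3.0 or later, a default profile layout for %APPDATA%, %USERPROFILE% and the Startup folder, and the Brengkolang.com spelling used in the Installation section. Checking from PowerShell rather than regedit matters here: the worm sets DisableRegistryTools, which blocks Registry Editor but not PowerShell's registry provider.

```powershell
# Added triage script (not part of the Microsoft write-up): read-only check of a
# Windows host for the Brontok.P persistence points listed above. Run it from an
# elevated PowerShell prompt. It reports what it finds and removes nothing.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Run values the worm adds under HKCU and HKLM. The data is printed as well,
#    because it names the copy the worm actually launches.
$runValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Tok-Cirrhatus' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Bron-Spizaetus' }
)
foreach ($rv in $runValues) {
    $item = Get-ItemProperty -Path $rv.Path -Name $rv.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings.Add("Run value '$($rv.Name)' in $($rv.Path) = $($item.$($rv.Name))")
    }
}

# 2. Winlogon Shell hijack. A clean value is exactly "explorer.exe"; the worm
#    appends %windir%\eksplorasi.exe so its copy starts with every logon.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ine 'explorer.exe') {
    $findings.Add("Winlogon Shell = '$shell' (expected 'explorer.exe')")
}

# 3. Dropped files. smss.exe, csrss.exe, lsass.exe, winlogon.exe and services.exe
#    are legitimate only under %SystemRoot%\System32; copies in %APPDATA% are not.
#    Paths assume the default profile layout (assumption, see lead-in).
$startup = [Environment]::GetFolderPath('Startup')
$files = @('smss.exe', 'services.exe', 'lsass.exe', 'inetinfo.exe', 'csrss.exe', 'winlogon.exe',
           'Kosong.Bron.Tok.txt', 'BronFoldNetDomList.txt', 'BronNetDomList.bat', 'BronNPath0.txt') |
    ForEach-Object { Join-Path $env:APPDATA $_ }
$files += Join-Path $env:windir 'shellnew\sempalong.exe'
$files += Join-Path $env:windir 'eksplorasi.exe'
$files += Join-Path $startup 'Empty.pif'
$files += Join-Path $env:USERPROFILE 'Templates\Brengkolang.com'
$files += Join-Path $env:USERPROFILE 'Pictures\about.Brontok.A.html'
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $findings.Add("File present: $f") }
}

# 4. Address-store folders: Bron.tok-<n>-<n>, Loc.Mail.Bron.Tok, Ok-SendMail-Bron-tok.
Get-ChildItem -Path $env:APPDATA -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'Bron.tok-*' -or $_.Name -in @('Loc.Mail.Bron.Tok', 'Ok-SendMail-Bron-tok') } |
    ForEach-Object { $findings.Add("Folder present: $($_.FullName)") }

# 5. The daily at-job. Legacy at.exe jobs appear in schtasks as At<n>, so match on
#    the command being run rather than on the task name.
schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match 'Brengkolang\.com' } |
    ForEach-Object { $findings.Add("Scheduled task '$($_.TaskName)' runs $($_.'Task To Run')") }

if ($findings.Count -eq 0) {
    Write-Host 'No Brontok.P indicators found.'
} else {
    Write-Warning "$($findings.Count) Brontok.P indicator(s) found:"
    $findings | ForEach-Object { Write-Host "  $_" }
}
```

Treat any hit as a reason to image the host before cleaning: the worm's look-alike process names mean a quick visual check of Task Manager is not enough, and the Run value data and the Winlogon Shell string tell you which copy is actually being launched at logon.
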

Spreads via

Email messages

Worm:Win32/Brontok.P@mm searches for email addresses in files with the following extensions:

  • .ASP
  • .CFM
  • .CSV
  • .DOC
  • .EML
  • .EXE
  • .HTM
  • .HTML
  • .HTT
  • .PDF
  • .PHP
  • .PPT
  • .TXT
  • .WAB
  • .XLS


The worm stores the email addresses that it finds in a file in the folder %APPDATA%\Loc.Mail.Bron.Tok.

It sends email messages to these addresses and attaches a copy of itself. We have seen this worm in attachments with names such as winword.exe and xpshare.exe.

Removable drives and shared folders

Worm:Win32/Brontok.P@mm can copy itself to all removable drives and shared folders on your computer, as well as the following %USERPROFILE% locations:

  • My Data Sources
  • My Documents
  • My Ebooks
  • My Music
  • My Pictures
  • My Shapes
  • My Videos

Payload

Connects to a remote server

Worm:Win32/Brontok.P@mm checks whether the computer is connected to the Internet by attempting to connect to the following hosts:

  • google.com
  • yahoo.com


If an Internet connection is available, the worm attempts to contact the following URLs to download executable files, including other malware:

  • <removed>.com/sbjsji1/
  • <removed>.com/sbllrro2/
  • <removed>.com/sbltllu3/
  • <removed>.com/sblppt4/
  • <removed>.com/sbllma5/


Note: At the time of analysis, these URLs were not available.

Modifies system settings

The worm modifies the following registry entries to disable Registry Editor, remove the Folder Options menu from Windows Explorer, and keep hidden files, protected system files and file extensions from being displayed, which conceals its own copies and their real extensions:

In subkey: HKCU\software\microsoft\windows\currentversion\policies\explorer
Sets value: "NoFolderOptions"
With data: "1"

In subkey: HKCU\software\microsoft\windows\currentversion\policies\system
Sets value: "DisableRegistryTools"
With data: "1"

In subkey: HKCU\software\microsoft\windows\currentversion\policies\system
Sets value: "DisableCMD"
With data: "0"

In subkey: HKCU\software\microsoft\windows\currentversion\explorer\advanced
Sets value: "Hidden"
With data: "0"

In subkey: HKCU\software\microsoft\windows\currentversion\explorer\advanced
Sets value: "HideFileExt"
With data: "1"

In subkey: HKCU\software\microsoft\windows\currentversion\explorer\advanced
Sets value: "ShowSuperHidden"
With data: "0"
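
The following clean-up script is added here as an example and is not part of the Microsoft write-up. It undoes the policy and Explorer-view changes listed above and removes the persistence entries from the Installation section; run it only after the worm's running copies have been stopped (for example from a clean boot or by an anti-malware product), since a live copy would simply rewrite the values. It assumes an elevated PowerShell 3.0 or later session. The view settings chosen (show hidden files, protected system files and extensions) are the analyst-friendly ones, not necessarily the user's pre-infection preferences.

```powershell
# Added clean-up script (not part of the Microsoft write-up): restores the registry
# policy and Explorer-view values changed by Brontok.P and removes its start-up
# entries. Run from an elevated PowerShell prompt after the worm's processes are
# stopped; a live copy will rewrite these values.

$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$systemPolicy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$advanced       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Policy values are absent on a default install, so removing them is the correct
# restore; setting them to 0 would leave a non-default artefact behind.
# DisableCMD is included for completeness: the worm writes 0, which does not
# disable cmd.exe, but the value has no business being present at all.
$policyValues = @(
    @{ Path = $explorerPolicy; Name = 'NoFolderOptions' },
    @{ Path = $systemPolicy;   Name = 'DisableRegistryTools' },
    @{ Path = $systemPolicy;   Name = 'DisableCMD' }
)
foreach ($pv in $policyValues) {
    if (Get-ItemProperty -Path $pv.Path -Name $pv.Name -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $pv.Path -Name $pv.Name
        Write-Host "Removed $($pv.Name) from $($pv.Path)"
    }
}

# Explorer view settings. Hidden: 1 = show hidden files (2 = hide them).
# HideFileExt: 0 = show extensions. ShowSuperHidden: 1 = show protected
# operating-system files. With all three set, the worm's look-alike names
# (smss.exe in %APPDATA%, Empty.pif, Brengkolang.com) are visible in Explorer.
$viewValues = @{ Hidden = 1; HideFileExt = 0; ShowSuperHidden = 1 }
foreach ($name in $viewValues.Keys) {
    Set-ItemProperty -Path $advanced -Name $name -Value $viewValues[$name] -Type DWord
    Write-Host "Set $name = $($viewValues[$name])"
}

# Persistence entries from the Installation section. Resetting Shell to exactly
# "explorer.exe" removes the appended eksplorasi.exe launch.
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Tok-Cirrhatus' -ErrorAction SilentlyContinue
Remove-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Bron-Spizaetus' -ErrorAction SilentlyContinue
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell -Value 'explorer.exe'
Write-Host 'Run values removed and Winlogon Shell reset to explorer.exe'

# Explorer reads the Advanced values at start-up; restart it so the change shows.
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
Start-Sleep -Seconds 2
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) { Start-Process explorer.exe }
```

The at-job and the dropped files still have to be removed separately (schtasks /Delete for the task that runs Brengkolang.com, then the file paths from the Installation section); this script deliberately touches only the registry, so that the file-system clean-up can be done against the triage output rather than blindly.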



Analysis by Steven Zhou.

Last update 13 May 2013