#3
Old 23/11/2006, 06:55 PM
هلالي وافتخر. (Active Leader)
Join date: 17/08/2005
Location: Camp Nou
Posts: 290
about.Brontok.A.html

You have a worm that arrives via messages:
Win32/Brontok.worm
Download this tool first and run a scan:

http://www.sophos.com/support/cleaners/brontgui.com

Download this tool:

http://www.sophos.com/support/cleaners/brontsfx.exe


Information about the worm:
http://www.sophos.com/support/disinfection/worms.html



Email-Worm.Win32.Brontok.a
Aliases
Email-Worm.Win32.Brontok.a (Kaspersky Lab) is also known as: W32/Rontokbro.gen@MM (McAfee), W32.Rontokbro@mm (Symantec), BackDoor.Generic.1138 (Doctor Web), W32/Korbo-B (Sophos), Worm/Brontok.a (H+BEDV), Win32.Brontok.A@mm (SOFTWIN), Worm.Mytob.GH (ClamAV), W32/Brontok.C.worm (Panda), Win32/Brontok.E (Eset)
Detection added Oct 12 2005 13:16 GMT
Update released Oct 12 2005 17:22 GMT
Description added Feb 02 2006
Behavior Email Worm
Technical details


This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file approximately 41KB in size.

Installation
When installing, the worm copies itself to the directories listed below, under the following names:

%Documents and Settings%\User\Local Settings\Application Data\csrss.exe
%Documents and Settings%\User\Local Settings\Application Data\inetinfo.exe
%Documents and Settings%\User\Local Settings\Application Data\lsass.exe
%Documents and Settings%\User\Local Settings\Application Data\services.exe
%Documents and Settings%\User\Local Settings\Application Data\smss.exe
%Documents and Settings%\User\Local Settings\Application Data\winlogon.exe
%Documents and Settings%\User\Start Menu\Programs\Startup\Empty.pif
%Documents and Settings%\User\Templates\WowTumpeh.com
%System%\'s Setting.scr
%Windir%\eksplorasi.pif
%Windir%\ShellNew\bronstab.exe
The worm then registers itself in the system registry, ensuring that the worm file will be launched each time Windows is rebooted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="%Windir%\ShellNew\bronstab.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"="%Documents and Settings%\User\Local Settings\Application Data\smss.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %Windir%\eksplorasi.pif"

The worm also modifies the following system registry values, which block access to some Windows tools and settings (e.g. the registry editor and the Folder Options dialog) and hide the worm's files and their extensions:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"="1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"="0"
"ShowSuperHidden"="0"
"HideFileExt"="1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"="1"
"DisableCMD"="0"


The worm creates the following folder:

%Documents and Settings%\User\Local Settings\Application Data\Bron.tok-XX
XX: two random digits.
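The following script is an added example; it is not part of the forum post or of the Sophos/Kaspersky write-up quoted above. It checks a Windows host for the persistence indicators just listed (the dropped files, the Bron.tok-XX folder, the two HKLM Run values, the Winlogon Shell hijack and the policy values) and optionally undoes the registry changes that lock the user out. The paths, key names and value names come from the write-up; the `-Restore` and `-ShowHidden` switches, the variable names and the "clean" values are this example's own assumptions.

```powershell
# Added example; not part of the forum post or the Sophos/Kaspersky write-up.
# Checks the current user's profile and the registry for the Brontok.A persistence
# indicators listed above. -Restore clears the two policy values that lock the user
# out of Folder Options and regedit; -ShowHidden flips Explorer to show hidden and
# system files and real extensions so the .pif/.com/.scr drops become visible.
# Paths, key names and value names are from the write-up; the switches, variable
# names and the "clean" values are this example's own choices (assumptions).
# Run it as the (possibly infected) user: the drops live under that user's profile.
param([switch]$Restore, [switch]$ShowHidden)

$findings = @()

# %Documents and Settings%\User\Local Settings\Application Data on XP; LOCALAPPDATA later
$appData = @($env:LOCALAPPDATA, (Join-Path $env:USERPROFILE 'Local Settings\Application Data')) |
    Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

# Copies named after real system binaries, which legitimately live only in %SystemRoot%\System32
$dropNames = 'csrss.exe','inetinfo.exe','lsass.exe','services.exe','smss.exe','winlogon.exe'
foreach ($dir in $appData) {
    foreach ($name in $dropNames) {
        $p = Join-Path $dir $name
        if (Test-Path $p) { $findings += "Dropped file: $p" }
    }
    # Bron.tok-XX working folder, XX = two digits
    Get-ChildItem -Path $dir -Directory -Filter 'Bron.tok-*' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Worm folder: $($_.FullName)" }
}
$otherDrops = @(
    (Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup\Empty.pif'),
    (Join-Path $env:USERPROFILE 'Templates\WowTumpeh.com'),
    (Join-Path $env:SystemRoot "system32\'s Setting.scr"),
    (Join-Path $env:SystemRoot 'eksplorasi.pif'),
    (Join-Path $env:SystemRoot 'ShellNew\bronstab.exe')
)
foreach ($p in $otherDrops) { if (Test-Path $p) { $findings += "Dropped file: $p" } }

# HKLM Run entries and the Winlogon Shell hijack (clean value is just explorer.exe)
$run = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($v in 'Bron-Spizaetus','Tok-Cirrhatus') {
    $val = (Get-ItemProperty -Path $run -Name $v -ErrorAction SilentlyContinue).$v
    if ($val) { $findings += "Run value ${v} = $val" }
}
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings += "Winlogon Shell = $shell (expected explorer.exe)" }

# Policy values that lock the user out; 0 (or absent) is the normal state
$lockouts = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = 'NoFolderOptions'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = 'DisableRegistryTools'
}
foreach ($key in $lockouts.Keys) {
    $name = $lockouts[$key]
    $have = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($have -eq 1) {
        $findings += "Policy ${key}\${name} = 1"
        if ($Restore) { Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord }
    }
}

# Explorer display settings the worm forces. HideFileExt=1 and ShowSuperHidden=0 are
# also Windows defaults, so they are printed for context, not counted as indicators.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$display = @{ Hidden = 1; ShowSuperHidden = 1; HideFileExt = 0 }   # values that make the drops visible
foreach ($name in $display.Keys) {
    $have = (Get-ItemProperty -Path $advanced -Name $name -ErrorAction SilentlyContinue).$name
    Write-Output "Explorer\Advanced\$name = $have"
    if ($ShowHidden) { Set-ItemProperty -Path $advanced -Name $name -Value $display[$name] -Type DWord }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Brontok.A persistence indicators found.' }
```

The script deliberately reports the Run values and dropped files instead of deleting them: on a live infected host the running worm processes would simply recreate them, so the processes have to be stopped first (for example with the cleaner linked above) before the files and Run values are removed. DisableRegistryTools only blocks regedit, so the PowerShell registry provider can still read and reset the policy values while the lockout is in place.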

Propagation via email
The worm harvests email addresses from files with the following extensions:

asp
cfm
csv
doc
eml
html
php
txt
wab
It does not harvest addresses which contain the following strings:

ADMIN
AHNLAB
ALADDIN
ALERT
ALWIL
ANTIGEN
ASSOCIATE
AVAST
AVIRA
BILLING@
BUILDER
CILLIN
CONTOH
CRACK
DATABASE
DEVELOP
ESAFE
ESAVE
ESCAN
EXAMPLE
GRISOFT
HAURI
INFO@
LINUX
MASTER
MICROSOFT
NETWORK
NOD32
NORMAN
NORTON
PANDA
PROGRAM
PROLAND
PROTECT
ROBOT
SECURITY
SOURCE
SYBARI
SYMANTEC
TRUST
UPDATE
VAKSIN
VIRUS
When sending infected messages, it establishes a direct connection to the recipient's SMTP server rather than using the victim's mail client.
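For incident response it is useful to know which addresses an infected host would have mailed. The script below is an added example, not part of the forum post or the write-up: it reproduces the target selection described above (scan files with the listed extensions, extract addresses, drop any containing one of the excluded substrings) over a directory tree. The extension and exclusion lists are the write-up's; the function name, the `-Root` parameter, the address regex and the assumption that the exclusion match is case-insensitive are this example's own.

```powershell
# Added example; not part of the forum post or the write-up. Lists the addresses the
# worm's harvester would have collected from a directory tree, marking the ones its
# exclusion list would have skipped. Function name, -Root parameter, regex and the
# case-insensitive matching are assumptions of this example; the lists are from the write-up.
function Get-BrontokTargetAddresses {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string[]]$Extensions = @('asp','cfm','csv','doc','eml','html','php','txt','wab'),
        [string[]]$Exclusions = @(
            'ADMIN','AHNLAB','ALADDIN','ALERT','ALWIL','ANTIGEN','ASSOCIATE','AVAST','AVIRA',
            'BILLING@','BUILDER','CILLIN','CONTOH','CRACK','DATABASE','DEVELOP','ESAFE','ESAVE',
            'ESCAN','EXAMPLE','GRISOFT','HAURI','INFO@','LINUX','MASTER','MICROSOFT','NETWORK',
            'NOD32','NORMAN','NORTON','PANDA','PROGRAM','PROLAND','PROTECT','ROBOT','SECURITY',
            'SOURCE','SYBARI','SYMANTEC','TRUST','UPDATE','VAKSIN','VIRUS')
    )
    $addrRegex = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
    $seen = @{}

    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.TrimStart('.').ToLower() } |
        ForEach-Object {
            # .doc and .wab are binary; this simple scan only finds single-byte ASCII runs,
            # so UTF-16 strings inside .wab may be missed (a limitation of the example).
            Select-String -Path $_.FullName -Pattern $addrRegex -AllMatches -ErrorAction SilentlyContinue |
                ForEach-Object { $_.Matches } |
                ForEach-Object { $seen[$_.Value.ToLower()] = $true }
        }

    foreach ($addr in ($seen.Keys | Sort-Object)) {
        $upper = $addr.ToUpper()
        $hit = $Exclusions | Where-Object { $upper.Contains($_) } | Select-Object -First 1
        [pscustomobject]@{
            Address          = $addr
            WouldBeTargeted  = (-not $hit)
            MatchedExclusion = $hit
        }
    }
}

# Usage: addresses the worm would have mailed from this user's profile
Get-BrontokTargetAddresses -Root $env:USERPROFILE |
    Where-Object WouldBeTargeted | Format-Table -AutoSize
```

The exclusion list is a substring match, so an address such as someone@trustco.example would be skipped because it contains TRUST; the output keeps the matched string so that such false negatives in the worm's own filter are visible when deciding whom to notify.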

Infected messages
Message subject:

Attachment names:
Kangen.exe

Other
If the worm finds an open window whose title contains one of the following strings, it will reboot the victim machine:

.exe
Registry