W32/Brontok-BR is a worm for the Windows platform.
W32/Brontok-BR will also overwrite the HOSTS file so as to prevent access to various anti-virus and security-related websites.
When first run, W32/Brontok-BR copies itself to:
<User>\Local Settings\Application Data\dv6122400x\yesbron.com
<User>\Local Settings\Application Data\jalak-931224015-bali.com
<Windows>\_default32142.pif
<Windows>\j6321422.exe
<Windows>\o4321427.exe
<Windows>\sa13188\ib6108.exe
<System>\c_32142k.com
<System>\n5817\b6108.exe
<System>\n5817\csrss.exe
<System>\n5817\lsass.exe
<System>\n5817\services.exe
<System>\n5817\smss.exe
<System>\n5817\sv711224030r.exe
<System>\n5817\winlogon.exe
and creates the following non-malicious files:
\Baca Bro !!!.txt
<Windows>\Tasks\At1.job
<Windows>\Tasks\At2.job
<System>\n5817\c.bron.tok.txt
These files may be safely deleted.
W32/Brontok-BR may install a new version of the file <System>\msvbvm60.dll.
The following registry entries are created to run yesbron.com, _default32142.pif, j6321422.exe and sv711224030r.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
    y1959sar = <User>\Local Settings\Application Data\dv6122400x\yesbron.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
    A5118r = <Windows>\_default32142.pif
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    y1959sar = <System>\n5817\sv711224030r.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    A5118r = <Windows>\j6321422.exe
The following registry entries are changed to run j6321422.exe and o4321427.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell = Explorer.exe "<Windows>\o4321427.exe"
    (the default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run on startup)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit = <System>\userinit.exe,<Windows>\j6321422.exe
    (the default value for this registry entry is "<Windows>\System32\userinit.exe,")
The following registry entry is set, disabling the registry editor (regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools = 1
Registry entries are set as follows:
HKCU\Software\Brontok
    Message = Look @ "C:\Baca Bro !!!.txt"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HideFileExt = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden = 0
Registry entries are created under:
HKCU\Software\Brontok\
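An added, read-only triage script (written for this page, not code from the advisory or its vendor) that checks a Windows host for the registry, file and HOSTS-file changes listed above. It assumes the advisory's <Windows> and <System> placeholders map to $env:SystemRoot and $env:SystemRoot\System32, and only reports findings; it changes nothing.

```powershell
# Added read-only triage script (not the advisory's own code). Maps the
# advisory's <Windows> and <System> placeholders to the live system paths.
$Findings = New-Object 'System.Collections.Generic.List[string]'
$Sys = Join-Path $env:SystemRoot 'System32'

# File and value names exactly as listed in the W32/Brontok-BR description.
$BadFiles = 'yesbron.com','_default32142.pif','j6321422.exe','o4321427.exe','sv711224030r.exe'
$BadValueNames = 'y1959sar','A5118r'

# 1. Winlogon Shell / Userinit, compared with the defaults the advisory quotes.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -ne 'Explorer.exe') {
    $Findings.Add("Winlogon\Shell = '$($wl.Shell)' (default 'Explorer.exe')")
}
$userinitDefault = "$Sys\userinit.exe,"
if ($wl.Userinit -ne $userinitDefault) {
    $Findings.Add("Winlogon\Userinit = '$($wl.Userinit)' (default '$userinitDefault')")
}

# 2. Run and Policies\Explorer\run keys in both hives: flag values whose name
#    or data matches the worm's files or value names.
$runKeys = foreach ($hive in 'HKCU','HKLM') {
    "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run"
}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # PowerShell metadata, not a registry value
        $nameHit = $BadValueNames -contains $p.Name
        $dataHit = $BadFiles | Where-Object { "$($p.Value)" -like "*$_*" }
        if ($nameHit -or $dataHit) { $Findings.Add("$key\$($p.Name) = $($p.Value)") }
    }
}

# 3. Policy, Explorer view setting and marker key the worm writes.
$pol = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($pol.DisableRegistryTools -eq 1) { $Findings.Add('DisableRegistryTools = 1 (regedit disabled)') }
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
# HideFileExt=1 and ShowSuperHidden=0 are also Windows defaults, so only Hidden=0 is flagged.
if ($adv.Hidden -eq 0) { $Findings.Add('Explorer\Advanced\Hidden = 0 (value the worm sets)') }
if (Test-Path 'HKCU:\Software\Brontok') { $Findings.Add('HKCU\Software\Brontok key present') }

# 4. HOSTS file: the worm overwrites it, so list any active non-localhost entries for review.
$hosts = Get-Content "$Sys\drivers\etc\hosts" -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' }
if ($hosts) { $Findings.Add("HOSTS has $(@($hosts).Count) active entries besides localhost; review them") }

if ($Findings.Count -eq 0) { 'No W32/Brontok-BR persistence indicators found.' } else { $Findings }
```

Run it from an elevated PowerShell session so the HKLM Winlogon and Run keys can be read; a non-empty result should be followed by a scan with current anti-virus signatures rather than manual deletion, since the worm re-creates its entries on startup.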