W32/Brontok-DP

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports
Protection available since: 07 Nov 2007 22:17:03 (GMT)
Last Updated: 07 Nov 2007 22:17:03 (GMT)

W32/Brontok-DP is a worm for the Windows platform.

W32/Brontok-DP will attempt to copy itself to network and removable drives. The worm will also create an autorun.inf file so that it is automatically run when the drive is accessed.

W32/Brontok-DP will attempt to copy itself to network and removable drives, using filenames including Music.exe and Default.pif. The worm will also create an autorun.inf file so that it is automatically run when the drive is accessed. The worm also spreads to other network computers.

When first run, W32/Brontok-DP copies itself to:

<User>\Documents\Music.exe
<Startup>\Default.pif
<Root>\Windowxp\explorer.exe
<Windows>\Fonts\smss.exe
<Windows>\System32.exe
<System>\dllcache\services.exe
<System>\oobe\isperror\csrss.exe

and creates the following files:

<Root>\autorun.inf
<Windows>\SoftWareProtector\smss_out.pr
<Windows>\winxp.inf

The following registry entry is changed to run W32/Brontok-DP on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\fonts\smss.exe

The following registry entries are set or modified, so that csrss.exe is run whenever a shortcut (LNK) file or a file with the extension BAT, COM, EXE or PIF is opened/launched:

HKCR\lnkfile\shell\open\command
(default)
<System>\oobe\isperror\csrss.exe" "%1" %*

HKCR\batfile\shell\open\command
(default)
<System>\oobe\isperror\csrss.exe" "%1" %*

HKCR\comfile\shell\open\command
(default)
<System>\oobe\isperror\csrss.exe" "%1" %*

HKCR\exefile\shell\open\command
(default)
<System>\oobe\isperror\csrss.exe" "%1" %*

HKCR\piffile\shell\open\command
(default)
<System>\oobe\isperror\csrss.exe" "%1" %*

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HideClock
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDrives
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoShellSearchButton
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSimpleStartMenu
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
00

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
00

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoControlPanel
00

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
kbao
AUTO.TXT

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
00

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
00

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
00

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
00

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing
00

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
000

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
<System>\dllcache\services.exe
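The registry and file changes listed above can be checked on a host with the following read-only triage script. It is an added example, not part of the Sophos analysis; it assumes an elevated PowerShell session, treats any non-zero policy DWORD as enforced, and flags a shell\open\command handler as hijacked whenever it does not begin with "%1".

```powershell
# Added triage script (not the Sophos analysis' own code); read-only, run elevated.
$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue($Path, $Name) {
    # Returns $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# Winlogon\Userinit: anything listed after userinit.exe runs at every logon.
$userinit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Userinit'
$extra = @("$userinit" -split ',' | ForEach-Object { $_.Trim() } |
           Where-Object { $_ -and $_ -notmatch 'userinit\.exe"?$' })
if ($extra.Count -gt 0) { $findings.Add("Winlogon\Userinit extra entries: $($extra -join '; ')") }

# File-type handlers: a clean command starts with "%1"; a program placed in
# front of it (here csrss.exe under oobe\isperror) runs before every launch.
foreach ($type in 'lnkfile', 'batfile', 'comfile', 'exefile', 'piffile') {
    $cmd = Get-RegValue "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command" '(default)'
    if ($cmd -and $cmd -notmatch '^\s*"?%1"?') { $findings.Add("HKCR\$type handler hijacked: $cmd") }
}

# AeDebug\Debugger is started by Windows whenever an application crashes.
$dbg = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug' 'Debugger'
if ("$dbg" -match 'dllcache\\services\.exe') { $findings.Add("AeDebug\Debugger points at worm copy: $dbg") }

# Policy values from the list above; Windows enforces each one when it is non-zero.
$policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'DisableCMD', 'DisableTaskMgr', 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = 'NoFolderOptions', 'NoControlPanel', 'NoRun', 'NoFind', 'NoDesktop', 'NoDrives' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
       Names = 'DisableConfig', 'DisableSR' }
)
foreach ($p in $policies) { foreach ($n in $p.Names) {
    $v = Get-RegValue $p.Path $n
    if ($null -ne $v -and $v -ne 0) { $findings.Add("Policy $n = $v under $($p.Path)") }
} }

# Dropped files at the locations the analysis lists.
$win = $env:SystemRoot; $sys = [Environment]::SystemDirectory
foreach ($f in "$win\Fonts\smss.exe", "$win\System32.exe", "$win\winxp.inf",
               "$sys\dllcache\services.exe", "$sys\oobe\isperror\csrss.exe") {
    if (Test-Path -LiteralPath $f) { $findings.Add("Dropped file present: $f") }
}

if ($findings.Count -eq 0) { 'No W32/Brontok-DP indicators found.' } else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on the exefile handler means the worm is executed every time any program is started, so removal should restore that value before the dropped files are deleted.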
