W32/Brontok-DX

Category: Viruses and Spyware
Protection available since: 25 Feb 2009 16:11:22 (GMT)
Type: Win32 worm
Last Updated: 25 Feb 2009 16:11:22 (GMT)
Prevalence: Small Number of Reports


W32/Brontok-DX is an email worm for the Windows platform.

When first run, W32/Brontok-DX copies itself to various locations on the local hard drive using the filenames of existing files. It either overwrites existing files or copies itself, under the filename of an existing file, to a different folder.

The following registry entry is changed to run W32/Brontok-DX on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<pathname of a W32/Brontok-DX executable>"

W32/Brontok-DX creates new values under the following registry keys to run its copies on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Registry entries are set as follows, so that Explorer does not show hidden files, file extensions or protected operating system files:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
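
A triage check for the Winlogon Shell change and the Explorer values described above, run over a registry export that has already been decoded to text. This is an added example, not Sophos code; the function names, the sample export and the placeholder path in it are assumptions made for illustration.

```python
import re

# Key paths from the page, in the long form that .reg exports use.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
# The three values listed on the page. They match Explorer's defaults, so they
# are reported only as supporting context, never as a finding on their own.
HIDE_SETTINGS = {"hidden": 2, "hidefileext": 1, "showsuperhidden": 0}

def parse_reg(text):
    """Parse decoded .reg text into {key: {value_name: data}}; names lower-cased."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue  # header line, blank line, or a type this check does not need
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \"
    return keys

def findings(text):
    """Return review findings; empty when Shell is absent or plain explorer.exe."""
    keys, out = parse_reg(text), []
    shell = keys.get(WINLOGON, {}).get("shell")
    if not isinstance(shell, str) or shell.strip().lower() == "explorer.exe":
        return out
    out.append("Winlogon Shell is not plain explorer.exe: " + shell)
    adv = keys.get(ADVANCED, {})
    if all(adv.get(n) == v for n, v in HIDE_SETTINGS.items()):
        out.append("Explorer is set to hide hidden files, extensions and system files")
    return out

# Constructed sample export (not from an infected host); the path is a placeholder.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\placeholder\\copy.exe\""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
'''
if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

Values added under the two Run keys are not covered here, because the page does not give their names; list those keys separately and review each entry by hand.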
