W32/Brontok-E is a worm that attempts to spread itself by copying itself into other drives on the computer. It may also attempt to sends itself to addresses gathered from the infected computer by searching files.
W32/Brontok-E will also carry out a DoS attack on certain websites. It will also modify the Host files to prevent access to security related websites.
W32/Brontok-E will attempt to copy itself to various folders, and create a copy itslef under the same name of the folder. It will have the same icon as normal folder. When the file is executed, it will open the default "My Document" folder.
W32/Brontok-E is capable of collecting email addresses from files with the following extensions:
ASP, CFM, CSV, DOC, EML, HTM, HTML, PHP, TXT, WAB
W32/Brontok-E may arrive send itself with emails with from address of the following format:
Berita_???@kafegaul.com
GaulNews_???@kafegaul.com
Movie_???@playboy.com
HotNews_???@playboy.com
When first run W32/Brontok-E copies itself to:
<User>\Local Settings\Application Data\csrss.exe
<User>\Local Settings\Application Data\inetinfo.exe
<User>\Local Settings\Application Data\lsass.exe
<User>\Local Settings\Application Data\services.exe
<User>\Local Settings\Application Data\smss.exe
<User>\Start Menu\Programs\Startup\empty.pif
<Windows>\ShellNew\sempalong.exe
<Windows>\eksplorasi.exe
The following registry entries are created to run W32/Brontok-E on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Tok-Cirrhatus
<User>\Local Settings\Application Data\smss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus
<Windows>\ShellNew\sempalong.exe
The following registry entry is changed to run eksplorasi.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\eksplorasi.exe"
(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
The following registry entry is set, disabling various windows functions:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
W32/Brontok-E will restart the computer every time when finds a windows with the title that contains one of the following strings:
REGISTRY
SYSTEM CONFIGURATION
COMMAND PROMPT
.EXE
SHUT DOWN
SCRIPT HOST
LOG OFF WINDOWS
KILLBOX
TASKKILL
TASK KILL
HIJACK
BLEEPING