W32/Brontok-Z

Category: Viruses and Spyware
Type: Win32 worm
Protection available since: 04 Apr 2006 00:00:00 (GMT)
Last Updated: 22 May 2006 00:00:00 (GMT)
Prevalence: Small Number of Reports


W32/Brontok-Z is a mass-mailing worm for the Windows platform.

W32/Brontok-Z sends itself to email addresses found on the infected computer.

Emails sent by the worm have the following characteristics:

From: angelina_ph@<recipient's domain>
or jennifer_sh@<recipient's domain>

If the recipient's address is Indonesian:

Subject: Fotoku yg Paling Cantik

Message text:

Hi,
Aku lg iseng aja pengen kirim foto ke kamu
Jangan lupain aku ya !.

Thanks

For all other addresses:

Subject: My Best Photo

Message text:

Hi,
I want to share my photo with you.
Wishing you all the best.

Regards,

Attachment name: Photo.zip

The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat runs Photo.bmp. Photo.bmp is an executable (currently detected as Troj/Dloadr-ADW) which attempts to download and execute a copy of the worm from a preconfigured website. At the time of writing, this website is unavailable.

When W32/Brontok-Z is installed it copies itself to the following locations:

<User>\Local Settings\Application Data\dv<random1>\yesbron.com
<User>\Local Settings\Application Data\jalak-<random2>-bali.com
<Windows system folder>\n<random3>\b6108.exe
<Windows system folder>\n<random3>\c.bron.tok.txt
<Windows system folder>\n<random3>\csrss.exe
<Windows system folder>\n<random3>\lsass.exe
<Windows system folder>\n<random3>\services.exe
<Windows system folder>\n<random3>\smss.exe
<Windows system folder>\n<random3>\sv<random4>r.exe
<Windows system folder>\n<random3>\winlogon.exe
<Windows system folder>\c_<random5>.com
<Windows folder>\j<random6>.exe
<Windows folder>\o<random7>.exe
<Windows folder>\_default<random8>.pif
<Windows folder>\<random9>\ib<random10>.exe

where <random1> etc. are randomly chosen numbers.

W32/Brontok-Z installs the following files:

\Baca Bro !!!.txt
<Windows folder>\Tasks\At1.job
<Windows folder>\Tasks\At2.job

The .job files each contain a scheduled task, instructing Windows to execute the installed copies of the worm once per day.

The .txt file, when opened, will cause the worm to display the following message:

######################### BRONTOK.C[22] #########################

-- Hentikanlah kebobrokan di negeri ini --

1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA
( Send To NUSAKAMBANGAN )

2. Stop Free Sex, Aborsi, & Prostitusi
( Go To HELL )

3. Stop Pencemaran Alam, Pembakaran Hutan & Perburuan Liar.

4. SAY NO TO DRUGS !!!

-- Spizaetus Cirrhatus --

[ By JowoBot ]

+++++0000++++00000++++0000+++0+++++0++0000000+++0000+++0+++0+++++
+++++0++++0++0++++0++0++++0++00++++0+++++0+++++0++++0++0++0++++++
+++++0++++0++0++++0++0++++0++0+0+++0+++++0+++++0++++0++0+0+++++++
+++++00000+++00000+++0++++0++0++0++0+++++0+++++0++++0++00++++++++
+++++0++++0++0++0++++0++++0++0+++0+0+++++0+++++0++++0++0+0+++++++
+++++0++++0++0+++0+++0++++0++0++++00+++++0+++++0++++0++0++0++++++
+++++0000++++0++++0+++0000+++0+++++0+++++0++++++0000+++0+++0+++++

~~ Sedikit Jawaban u/ Membungkam Mulut Sesumbar 'Mereka' ~~

Nobron & Romdil = Otak Kosong, Mulut Besar, Cuma Bisa

Nobron = Satria Dungu = Nothing !!!

Romdil = Tukang Jiplak = Nothing !!!

Nobron & Romdil -->> Kicked by The Amazing Brontok

[ By JowoBot ]

W32/Brontok-Z closes windows whose titles contain any of the following:

task manager
registry
command prompt
system configuration
group policy
cmd.exe
computer management
scheduled task
killbox
hijack
SYSINTERNAL
PROCESS EXP
REMOVER
CLEANER
anti
washer
ertanto
BROWNIES
movzx
killer
pcmedia
pc-media
rontok
rontox
robknot
commander
windows script
norman
norton
symantec
cillin
trendmicro
bitdef
kaspersky
avg
avira
virus
trojan
worm
mcafee
b.e
folder option
wintask
alwil
sex
porn
naked
cewe
bugil
telanjang
nod32
task view
peid
ahnlab

W32/Brontok-Z adds entries to the system HOSTS file to prevent access to security-related domains.

W32/Brontok-Z may install a new version of the file <Windows system folder>\msvbvm60.dll.

The following registry entries are created to run the installed copies of the worm on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
<random>
<User>\Local Settings\Application Data\dv<random1>\yesbron.com

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
<random>
<Windows folder>\_default<random8>.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random>
<Windows system folder>\n<random3>\sv<random4>r.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random>
<Windows folder>\j<random6>.exe

The following registry entries are changed so that the installed copies <Windows folder>\j<random6>.exe and <Windows folder>\o<random7>.exe (for example j6321422.exe and o4321427.exe) are also run on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows folder>\o<random7>.exe"

(the default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows folder>\Explorer.exe to be run on startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<Windows system folder>\userinit.exe,<Windows folder>\j<random6>.exe

(the default value for this registry entry is "<Windows folder>\System32\userinit.exe,").

The following registry entry is set, disabling the registry editor (regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

Registry entries are created under:

HKCU\Software\Brontok\
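As an added example (not part of the Sophos description), a Python check that parses a registry export in the text format written by `reg export` and flags the persistence and policy changes listed above. The sample export is constructed, with invented file names standing in for the <random> parts, and the default values it compares against are the ones this description states.

```python
import re
# Constructed sample in the text format written by `reg export`; invented names stand in for <random>.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\o4321427.exe\""
"Userinit"="C:\\WINDOWS\\System32\\userinit.exe,C:\\WINDOWS\\j6321422.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
"RandomName"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\dv1234\\yesbron.com"
[HKEY_CURRENT_USER\Software\Brontok]
"""
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICIES_SYSTEM = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"

def parse_reg(text):
    """Parse .reg text into {key: {name: value}} (keys/names lowercased; dword -> int; strings unescaped)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            name = name.strip('"').lower()
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            else:
                keys[current][name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return keys

def brontok_indicators(keys):
    """Return one finding per registry change described above that is present in keys."""
    found = []
    win = keys.get(WINLOGON, {})
    # Description's defaults: Shell == "Explorer.exe"; Userinit == "<Windows folder>\System32\userinit.exe," (nothing after the comma).
    if win.get("shell", "Explorer.exe").lower() != "explorer.exe":
        found.append("Winlogon Shell modified: " + win["shell"])
    extra = [p for p in win.get("userinit", "").split(",")[1:] if p.strip()]
    if extra:
        found.append("Winlogon Userinit runs extra program(s): " + ", ".join(extra))
    if keys.get(POLICIES_SYSTEM, {}).get("disableregistrytools") == 1:
        found.append("regedit disabled via DisableRegistryTools=1")
    for key, values in keys.items():  # covers both the HKCU and the HKLM Policies\Explorer\run keys
        if key.endswith(r"\policies\explorer\run"):
            found.extend(f"{key} entry {name!r} -> {path}" for name, path in values.items())
    if r"hkey_current_user\software\brontok" in keys:
        found.append("HKCU\\Software\\Brontok key present")
    return found
```

Run against a real export with `brontok_indicators(parse_reg(open("export.reg", encoding="utf-16").read()))`; `reg export` writes UTF-16 by default.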
