Summary

|   |   |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 26 April 2006 12:37:16 (GMT) |
| Last updated | 8 November 2006 13:21:42 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Please contact technical support.

More Information
W32/Brontok-AK is a mass-mailing worm for the Windows platform that sends itself to the addresses gathered from the infected computer.
When first run, W32/Brontok-AK copies itself to the following locations:
<User>\Local Settings\Application Data\dv6122400x\yesbron.com
<User>\Local Settings\Application Data\jalak-931224015-bali.com
<Windows>\_default32142.pif
<Windows>\j6321422.exe
<Windows>\o4321427.exe
<Windows>\sa13188\ib6108.exe
<System>\c_32142k.com
<System>\n5817\b6108.exe
<System>\n5817\csrss.exe
<System>\n5817\lsass.exe
<System>\n5817\services.exe
<System>\n5817\smss.exe
<System>\n5817\sv711224030r.exe
<System>\n5817\winlogon.exe
The following non-malicious files are also created:
\Baca Bro !!!.txt
<Windows>\Tasks\At1.job
<Windows>\Tasks\At2.job
<System>\n5817\c.bron.tok.txt
<System>\Microsoft\Protect\s-1-5-18\User\Preferred
W32/Brontok-AK may install a new version of the file <System>\msvbvm60.dll.
The following registry entries are created to run yesbron.com, _default32142.pif, j6321422.exe and sv711224030r.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
y1959sar
<User>\Local Settings\Application Data\dv6122400x\yesbron.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
A5118r
<Windows>\_default32142.pif
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
y1959sar
<System>\n5817\sv711224030r.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
A5118r
<Windows>\j6321422.exe
The following registry entries are changed to run j6321422.exe and o4321427.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\o4321427.exe"
(the default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\j6321422.exe
(the default value for this registry entry is "<Windows>\System32\userinit.exe,").
The following registry entry is set, disabling the registry editor (regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Brontok
Message
Look @ "C:\Baca Bro !!!.txt"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
Registry entries are created under:
HKCU\Software\Brontok\
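The following PowerShell script is an added example, not Sophos's removal tool: it audits every persistence point listed above (worm copies, autorun values, the Winlogon Shell and Userinit changes, the regedit policy, the Explorer view settings and the HKCU\Software\Brontok marker) and, when run with a -Remediate switch, undoes them. The script name, the function names and the -Remediate switch are this example's own. It assumes it is run from an elevated PowerShell on the affected machine and that the <User>, <Windows> and <System> placeholders map to the profile's LocalApplicationData folder, $env:windir and $env:windir\System32. Two files the analysis lists are deliberately left alone: msvbvm60.dll is the Visual Basic 6 runtime, and Microsoft\Protect\S-1-5-18\User\Preferred is a Windows DPAPI file.

```powershell
# Added example (not Sophos code): audit and undo the W32/Brontok-AK persistence
# described in the analysis. Run from an elevated PowerShell; pass -WhatIf to see
# what -Remediate would change without changing it.
# Assumed placeholder mapping: <User> = profile folder (LocalApplicationData),
# <Windows> = $env:windir, <System> = $env:windir\System32.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)

$win = $env:windir
$sys = Join-Path $win 'System32'
$lad = [Environment]::GetFolderPath('LocalApplicationData')   # <User>\Local Settings\Application Data

# Worm copies and dropped artifacts from the analysis. Deliberately NOT listed:
# <System>\msvbvm60.dll (VB6 runtime) and Microsoft\Protect\S-1-5-18\User\Preferred
# (a DPAPI file); both are legitimate Windows files and must stay.
$wormDirs  = @("$sys\n5817", "$win\sa13188", "$lad\dv6122400x")
$wormFiles = @(
    "$lad\jalak-931224015-bali.com",
    "$win\_default32142.pif", "$win\j6321422.exe", "$win\o4321427.exe",
    "$sys\c_32142k.com",
    "$win\Tasks\At1.job", "$win\Tasks\At2.job",
    "$env:SystemDrive\Baca Bro !!!.txt"
)

# Autorun values the worm creates (key, value name).
$runValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run'; Name = 'y1959sar' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run'; Name = 'A5118r' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                   Name = 'y1959sar' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                   Name = 'A5118r' }
)

# Winlogon values the worm rewrites, with the defaults the analysis quotes.
$winlogon         = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonDefaults = @{ Shell = 'Explorer.exe'; Userinit = "$sys\userinit.exe," }

$policySystem = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$advanced     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Test-BrontokPersistence {
    # Report every artifact still present; changes nothing.
    foreach ($p in $wormDirs + $wormFiles) {
        if (Test-Path -LiteralPath $p) { "file:     $p" }
    }
    foreach ($v in $runValues) {
        $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        if ($item) { "autorun:  $($v.Key)\$($v.Name) = $($item.($v.Name))" }
    }
    $wl = Get-ItemProperty -Path $winlogon
    foreach ($name in $winlogonDefaults.Keys) {
        if ($wl.$name -ne $winlogonDefaults[$name]) { "winlogon: $name = $($wl.$name)" }
    }
    $pol = Get-ItemProperty -Path $policySystem -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisableRegistryTools -eq 1) { 'policy:   DisableRegistryTools = 1' }
    if (Test-Path -LiteralPath 'HKCU:\Software\Brontok') { 'marker:   HKCU\Software\Brontok' }
}

function Stop-BrontokProcess {
    # The copies under <System>\n5817 reuse system process names (csrss, lsass,
    # services, smss, winlogon), so select by image path, never by name.
    Get-Process | Where-Object {
        $p = $_.Path
        $p -and ( ($wormFiles -contains $p) -or ($wormDirs | Where-Object { $p -like "$_\*" }) )
    } | Stop-Process -Force
}

function Remove-BrontokPersistence {
    Stop-BrontokProcess   # a running copy would otherwise re-create the keys
    foreach ($v in $runValues) {
        if (Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue) {
            Remove-ItemProperty -Path $v.Key -Name $v.Name
        }
    }
    # Restore Shell and Userinit rather than deleting them: an empty Userinit
    # leaves the machine unable to complete logon.
    $wl = Get-ItemProperty -Path $winlogon
    foreach ($name in $winlogonDefaults.Keys) {
        if ($wl.$name -ne $winlogonDefaults[$name]) {
            Set-ItemProperty -Path $winlogon -Name $name -Value $winlogonDefaults[$name]
        }
    }
    Remove-ItemProperty -Path $policySystem -Name DisableRegistryTools -ErrorAction SilentlyContinue
    # Show hidden/system files and extensions so any remaining copies are visible
    # in Explorer; these are cleanup settings, not the Windows defaults.
    Set-ItemProperty -Path $advanced -Name Hidden          -Value 1
    Set-ItemProperty -Path $advanced -Name HideFileExt     -Value 0
    Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 1
    Remove-Item -LiteralPath 'HKCU:\Software\Brontok' -Recurse -ErrorAction SilentlyContinue
    foreach ($p in $wormDirs + $wormFiles) {
        if (Test-Path -LiteralPath $p) { Remove-Item -LiteralPath $p -Recurse -Force }
    }
}

if ($Remediate) { Remove-BrontokPersistence } else { Test-BrontokPersistence }
```

Saved as, say, brontok-cleanup.ps1 (the file name is an assumption), `.\brontok-cleanup.ps1` only reports what is present; `.\brontok-cleanup.ps1 -Remediate -WhatIf` previews the changes, and dropping -WhatIf applies them. Worm processes are stopped first and selected by image path because their names duplicate real system processes, and the Winlogon values are reset to the defaults quoted above rather than removed.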

