Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 24 October 2005 08:17:51 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Brontok-C is an email worm that sends itself to the addresses gathered from the infected computer, skipping email addresses that contain the following strings:
PLASA,TELKOM,INDO,.CO.ID,.GO.ID,.MIL.ID,.SCH.ID,.NET.ID,.OR.ID,.AC.ID,.WEB.ID,.WAR.NET.ID,ASTAGA,GAUL,BOLEH,EMAILKU,SATU
W32/Brontok-C may arrive attached with a filename randomly chosen from the following:
winword.exe
kangen.exe
ccapps.exe
syslove.exe
untukmu.exe
myheart.exe
my heart.exe
jangan dibuka.exe
The email is sent with a blank subject line and the following message text:
-- Hentikan kebobrokan di negeri ini --
1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA ( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Aborsi, & Prostitusi ( Go To HELL )
3. Stop pencemaran lingkungan, pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah
By: HVM31 -- JowoBot #VM Community --
!!! Akan Kubuat Mereka (VM lokal yg cengeng & bodoh) Terkapar !!!
When first run, W32/Brontok-C copies itself to:
<User>\Local Settings\Application Data\csrss.exe
<User>\Local Settings\Application Data\inetinfo.exe
<User>\Local Settings\Application Data\lsass.exe
<User>\Local Settings\Application Data\services.exe
<User>\Local Settings\Application Data\smss.exe
<User>\Local Settings\Application Data\winlogon.exe
<Startup>\Empty.pif
<User>\Templates\Brengkolang.com
<Windows>\ShellNew\sempalong.exe
<Windows>\eksplorasi.exe
<System>\repclient1's Setting.scr
W32/Brontok-C creates a scheduled task in the following location in order to run a copy of itself on a daily basis and maintain the infection:
<Windows>\Tasks\At1.job
W32/Brontok-C attempts to download files from a remote website to the following locations:
<User>\Local Settings\Application Data\ListHost11.txt
<User>\Local Settings\Application Data\Update.11.Bron.Tok.bin
At the time of writing these files were unavailable from the remote website.
The following registry entries are created to run W32/Brontok-C on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Tok-Cirrhatus
<User>\Local Settings\Application Data\smss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus
<Windows>\ShellNew\sempalong.exe
The following registry entry is changed to run eksplorasi.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\eksplorasi.exe"
(The default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run on startup.)
The following registry entry is set, disabling the registry editor (regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
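The persistence artefacts listed above (Winlogon Shell hijack, the two Run values, the policy keys, the dropped copies and the At1.job task) can be checked read-only from an elevated PowerShell session. This is an added example, not part of the Sophos advisory; it assumes that $env:LOCALAPPDATA stands in for the <User>\Local Settings\Application Data path used above.

```powershell
# Added example, not from the advisory: report W32/Brontok-C indicators without changing anything.
$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue($Path, $Name) {
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Winlogon Shell: anything but the bare "Explorer.exe" means the shell is being chained.
$shell = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
if ($shell -and $shell.Trim() -ine 'Explorer.exe') {
    $findings.Add("Winlogon Shell is '$shell' (expected 'Explorer.exe')")
}

# 2. Run keys: the two value names the advisory lists.
$runChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';  Name = 'Tok-Cirrhatus' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';  Name = 'Bron-Spizaetus' }
)
foreach ($c in $runChecks) {
    $v = Get-RegValue $c.Path $c.Name
    if ($null -ne $v) { $findings.Add("Run value $($c.Name) -> $v") }
}

# 3. Policy values the worm sets to hamper clean-up.
if ((Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableRegistryTools') -eq 1) {
    $findings.Add('DisableRegistryTools = 1 (regedit blocked)')
}
if ((Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoFolderOptions') -eq 1) {
    $findings.Add('NoFolderOptions = 1 (Folder Options hidden)')
}

# 4. Dropped copies: system-process names living in the per-user application data folder
#    (assumption: $env:LOCALAPPDATA is the <User>\Local Settings\Application Data of the advisory).
foreach ($n in 'csrss.exe','inetinfo.exe','lsass.exe','services.exe','smss.exe','winlogon.exe') {
    $p = Join-Path $env:LOCALAPPDATA $n
    if (Test-Path -LiteralPath $p) { $findings.Add("Dropped file: $p") }
}
if (Test-Path -LiteralPath (Join-Path $env:windir 'eksplorasi.exe')) { $findings.Add('Dropped file: <Windows>\eksplorasi.exe') }
if (Test-Path -LiteralPath (Join-Path $env:windir 'ShellNew\sempalong.exe')) { $findings.Add('Dropped file: <Windows>\ShellNew\sempalong.exe') }
if (Test-Path -LiteralPath (Join-Path $env:windir 'Tasks\At1.job')) { $findings.Add('Scheduled task At1.job present') }

if ($findings.Count -eq 0) { 'No W32/Brontok-C indicators found.' } else { $findings }
```

A hit on the Winlogon Shell check alone is worth investigating even when the other indicators are absent, since that value is rarely changed by legitimate software.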
