W32/Brontok-E

Aliases
  • Email-Worm.Win32.Brontok.c
  • W32/Rontokbro.gen@MM
  • Worm.Mytob.GH
How it spreads
  • Email attachments
Affected operating systems
  • Windows
Characteristics
  • Installs itself in the registry
Protection available since: 23 October 2005 17:39:04 (GMT)
Last updated: 17 June 2009 23:14:44 (GMT)
Detected by: All Sophos products

More Information

W32/Brontok-E is a worm that attempts to spread by copying itself to other drives on the computer. It may also attempt to send itself to e-mail addresses gathered by searching files on the infected computer.

W32/Brontok-E will also carry out a DoS attack on certain websites. It also modifies the hosts file to prevent access to security-related websites.

W32/Brontok-E will attempt to copy itself to various folders, creating a copy of itself with the same name as the folder and the same icon as a normal folder. When the file is executed, it opens the default "My Documents" folder.

W32/Brontok-E is capable of collecting email addresses from files with the following extensions:

ASP, CFM, CSV, DOC, EML, HTM, HTML, PHP, TXT, WAB

W32/Brontok-E may send itself in e-mails whose From address has one of the following formats:
Berita_???@kafegaul.com
GaulNews_???@kafegaul.com
Movie_???@playboy.com
HotNews_???@playboy.com

When first run W32/Brontok-E copies itself to:

<User>\Local Settings\Application Data\csrss.exe
<User>\Local Settings\Application Data\inetinfo.exe
<User>\Local Settings\Application Data\lsass.exe
<User>\Local Settings\Application Data\services.exe
<User>\Local Settings\Application Data\smss.exe
<User>\Start Menu\Programs\Startup\empty.pif
<Windows>\ShellNew\sempalong.exe
<Windows>\eksplorasi.exe

The following registry entries are created to run W32/Brontok-E on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Tok-Cirrhatus
<User>\Local Settings\Application Data\smss.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus
<Windows>\ShellNew\sempalong.exe

The following registry entry is changed to run eksplorasi.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\eksplorasi.exe"

(the default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

The following registry entries are set, disabling various Windows functions:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
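To turn the persistence and lock-down entries listed above into something a responder can check offline, here is an added example (not Sophos code and not part of this analysis) in Python. It parses a `reg export`-style text snapshot of the relevant keys and flags the Run value names, the altered Winlogon Shell value, Run entries pointing at the dropped files, and the policy values this analysis describes. Both snapshots below are constructed; the expanded paths (C:\Documents and Settings\user, C:\WINDOWS) are assumptions for a default Windows XP install, and the `.reg` parser covers only the string and dword syntax those keys need.

```python
import re
from typing import Dict, List, Tuple, Union

RegValue = Union[str, int]
Finding = Tuple[str, str, str]  # (registry key, value name, reason)

# Constructed sample of a `reg export` snapshot after infection (not a real capture);
# <User> and <Windows> from the listing above are expanded as on a default Windows XP install.
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\smss.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="C:\\WINDOWS\\ShellNew\\sempalong.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\eksplorasi.exe\""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
'''

# Constructed clean snapshot of the same keys, for comparison.
CLEAN_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''

_KEY_RE = re.compile(r'^\[([^\]]+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # undo .reg escaping of backslash and double quote
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse the .reg subset used here: [key] headers, REG_SZ strings, dword values.
    Keys and value names are lower-cased because the registry is case-insensitive."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)).lower(), m.group(2)
            if data.lower().startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            else:
                s = _STR_RE.match(data)
                keys[current][name] = _unescape(s.group(1)) if s else data
    return keys


HKCU = "hkey_current_user\\software\\microsoft\\windows\\currentversion"
HKLM = "hkey_local_machine\\software\\microsoft\\windows\\currentversion"
RUN_KEYS = (HKCU + "\\run", HKLM + "\\run")
WINLOGON_KEY = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon"
RUN_VALUE_NAMES = {"tok-cirrhatus", "bron-spizaetus"}
DROPPED_IN_WINDOWS = {"sempalong.exe", "eksplorasi.exe"}
# These names collide with legitimate system binaries, so they count only under the
# per-user Local Settings\Application Data folder the worm drops them into.
DROPPED_IN_APPDATA = {"csrss.exe", "inetinfo.exe", "lsass.exe", "services.exe", "smss.exe"}
APPDATA_MARKER = "\\local settings\\application data\\"
# Only values that clearly differ from normal settings are indicators; DisableCMD=0 and
# Hidden=0 from the listing are left out because they do not identify the worm on their own.
POLICY_INDICATORS = {
    (HKCU + "\\policies\\system", "disableregistrytools"): 1,
    (HKCU + "\\policies\\explorer", "nofolderoptions"): 1,
    (HKCU + "\\explorer\\advanced", "hidefileext"): 1,
    (HKCU + "\\explorer\\advanced", "showsuperhidden"): 0,
}


def scan_for_brontok(keys: Dict[str, Dict[str, RegValue]]) -> List[Finding]:
    """Return every value in the snapshot matching the persistence or lock-down changes above."""
    findings: List[Finding] = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            path = str(data).strip('"').lower()
            base = path.rsplit("\\", 1)[-1]
            if name in RUN_VALUE_NAMES:
                findings.append((key, name, "Run value name used by W32/Brontok-E"))
            elif base in DROPPED_IN_WINDOWS or (base in DROPPED_IN_APPDATA and APPDATA_MARKER in path):
                findings.append((key, name, f"Run entry launches dropped file {base}"))
    shell = keys.get(WINLOGON_KEY, {}).get("shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append((WINLOGON_KEY, "shell", f"Winlogon Shell is {shell!r}, expected 'Explorer.exe'"))
    for (key, name), bad in POLICY_INDICATORS.items():
        if keys.get(key, {}).get(name) == bad:
            findings.append((key, name, f"set to {bad}, hiding files or disabling registry/folder options"))
    return findings
```

Run `scan_for_brontok(parse_reg_export(text))` on a snapshot produced with `reg export` of the keys above (converted from UTF-16 to text first); the infected sample yields seven findings, the clean one none. The Winlogon check deliberately flags any Shell value other than "Explorer.exe" rather than the worm's exact string, since the same persistence trick is used by other malware.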

W32/Brontok-E will restart the computer every time it finds a window whose title contains one of the following strings:

REGISTRY
SYSTEM CONFIGURATION
COMMAND PROMPT
.EXE
SHUT DOWN
SCRIPT HOST
LOG OFF WINDOWS
KILLBOX
TASKKILL
TASK KILL
HIJACK
BLEEPING
