high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | December 2005 (4.00) |
| Protection available since | 23 October 2005 17:39:04 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Brontok-E is a worm that spreads by copying itself to network shares and by emailing itself to addresses harvested from files stored locally.
W32/Brontok-E includes functionality to:
- modify the HOSTS file in an attempt to prevent access to anti-virus and security related websites
- carry out DDoS attacks on selected websites
W32/Brontok-E may spoof the from field of emails that it sends using the addresses:
Berita_???@kafegaul.com
GaulNews_???@kafegaul.com
Movie_???@playboy.com
HotNews_???@playboy.com
where ??? is variable. W32/Brontok-E is a worm that spreads by copying itself to network shares and by emailing itself to addresses harvested from files stored locally.
W32/Brontok-E includes functionality to:
- modify the HOSTS file in an attempt to prevent access to anti-virus and security related websites
- carry out DDoS attacks on selected websites
W32/Brontok-E copies itself to various folders with a filename that consists of the folder name plus an extension of ".EXE", for example W32/Brontok-E may copy itself to C:\BIN\BIN.EXE. The new copy will have a standard folder icon and when executed will open the default "My Document" folder.
W32/Brontok-E collects email addresses from files that have extensions of: ASP, CFM, CSV, DOC, EML, HTM, HTML, PHP, TXT and WAB.
W32/Brontok-E may spoof the from field of emails that it sends using the addresses:
Berita_???@kafegaul.com
GaulNews_???@kafegaul.com
Movie_???@playboy.com
HotNews_???@playboy.com
where ??? is variable.
When first run W32/Brontok-E copies itself to:
<User>\Local Settings\Application Data\csrss.exe
<User>\Local Settings\Application Data\inetinfo.exe
<User>\Local Settings\Application Data\lsass.exe
<User>\Local Settings\Application Data\services.exe
<User>\Local Settings\Application Data\smss.exe
<User>\Start Menu\Programs\Startup\empty.pif
<Windows>\ShellNew\sempalong.exe
<Windows>\eksplorasi.exe
The following registry entries are created to run W32/Brontok-E on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Tok-Cirrhatus
<User>\Local Settings\Application Data\smss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus
<Windows>\ShellNew\sempalong.exe
The following registry entry is changed to run eksplorasi.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\eksplorasi.exe"
(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
The following registry entry is set, disabling various Windows functions:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
W32/Brontok-E will restart the computer if it finds an active Window with a title containing any of the following strings:
REGISTRY
SYSTEM CONFIGURATION
COMMAND PROMPT
.EXE
SHUT DOWN
SCRIPT HOST
LOG OFF WINDOWS
KILLBOX
TASKKILL
TASK KILL
HIJACK
BLEEPING
|
