Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | April 2006 (4.04) |
| Protection available since | 7 March 2006 21:16:42 (GMT) |
| Detected by | All Sophos products |
Action

Please contact technical support.

More Information
W32/Brontok-R is a mass-mailing worm for the Windows platform.
When W32/Brontok-R is installed the following files are created:
\Baca Bro !!!.txt
<User>\Local Settings\Application Data\dv6122400x\yesbron.com
<User>\Local Settings\Application Data\jalak-931224015-bali.com
<Windows>\Tasks\At1.job
<Windows>\Tasks\At2.job
<Windows>\_default32142.pif
<Windows>\cinderawasih-4321427.exe
<Windows>\komodo-6321422.exe
<Windows>\sa13188\smss.exe
<System>\c_32142k.com
<System>\n5817\c.bron.tok.txt
<System>\n5817\csrss.exe
<System>\n5817\lsass.exe
<System>\n5817\services.exe
<System>\n5817\smss.exe
<System>\n5817\sv711224030r.exe
<System>\n5817\winlogon.exe
W32/Brontok-R will attempt to send itself to addresses gathered from the infected computer, using the following subject lines:
'Subject: My Photo on Paris'
'Subject: Foto Liburanku di Bali'
The message text is chosen from the following :
'This photo was taken from my vacation on Paris, last week.'
'Wishing you always remember me.'
'Regards,'
'Halo Sobat,'
'Ini fotoku saat liburan di Bali.'
'Semoga kamu jadi ingat aku terus.'
'Terima kasih,'
The following registry entries are created to run yesbron.com, _default32142.pif, komodo-6321422.exe and sv711224030r.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
Tok-Cirrhatus-1959sarc
<User>\Local Settings\Application Data\dv6122400x\yesbron.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
Bron-Spizaetus-5118REPM
<Windows>\_default32142.pif
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Tok-Cirrhatus-1959sarc
<System>\n5817\sv711224030r.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus-5118REPM
<Windows>\komodo-6321422.exe
The following registry entries are changed to run cinderawasih-4321427.exe and komodo-6321422.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\cinderawasih-4321427.exe"
(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\komodo-6321422.exe
(the default value for this registry entry is "<Windows>\System32\userinit.exe,").
The following registry entry is set, disabling the registry editor (regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
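The registry persistence points and policy changes listed above can be checked on a suspect host with the following script. It is an added example for this write-up, not Sophos code; it assumes it runs in an elevated PowerShell session on the host under investigation (the HKCU checks only cover the current user) and it only reports findings, it does not remediate.

```powershell
# Host check for the W32/Brontok-R persistence points described above.
# Assumption: run elevated on the suspect host; HKCU covers the current user only.

$RunValueNames = @('Tok-Cirrhatus-1959sarc', 'Bron-Spizaetus-5118REPM')
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run'
)
$Winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Advanced  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$PolSystem = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-BrontokRPersistence {
    $findings = @()
    # Run / Policies\Explorer\run entries under the value names the worm uses.
    foreach ($key in $RunKeys) {
        foreach ($name in $RunValueNames) {
            $v = Get-RegValue $key $name
            if ($null -ne $v) { $findings += "Run entry ${key}\${name} -> $v" }
        }
    }
    # Winlogon Shell and Userinit should hold the stock values; anything appended is a hijack.
    $shell = Get-RegValue $Winlogon 'Shell'
    if ($shell -and $shell.Trim() -ne 'Explorer.exe') { $findings += "Winlogon Shell modified: $shell" }
    $userinit = Get-RegValue $Winlogon 'Userinit'
    $expected = (Join-Path $env:SystemRoot 'System32\userinit.exe') + ','   # -ne is case-insensitive
    if ($userinit -and $userinit.Trim() -ne $expected) { $findings += "Winlogon Userinit modified: $userinit" }
    # Policy change that blocks regedit.
    if ((Get-RegValue $PolSystem 'DisableRegistryTools') -eq 1) { $findings += 'DisableRegistryTools = 1' }
    # Explorer view settings the worm forces. Note: these are also Windows defaults,
    # so on their own they are weak signals; they matter alongside the entries above.
    if ((Get-RegValue $Advanced 'HideFileExt') -eq 1)    { $findings += 'HideFileExt = 1 (weak signal)' }
    if ((Get-RegValue $Advanced 'ShowSuperHidden') -eq 0) { $findings += 'ShowSuperHidden = 0 (weak signal)' }
    return $findings
}

$result = @(Test-BrontokRPersistence)
if ($result.Count -eq 0) { 'No W32/Brontok-R persistence indicators found.' } else { $result }
```

A hit on a Run entry or a modified Winlogon value on a machine that should be clean warrants isolating the host and letting the installed Sophos product clean it, as the Action section above directs.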
