W32/Brontok-AQ is a mass-mailing worm for the Windows platform.
W32/Brontok-AQ sends itself to email addresses found on the infected computer.
Emails sent by the worm have the following characteristics:
From:
dewi_21@cbn.net.id
ratna_19@rad.net.id
claudia_21@aol.com
angelina_19@attglobal.net
If the recipient's address is Indonesian:
Subject: Fotoku yg Paling Cantik
Message text:
Hi,
Aku lg iseng aja pengen kirim foto ke kamu
Jangan lupain aku ya !.
Thanks
For all other addresses:
Subject: My Best Photo
Message text:
Hi,
I want to share my photo with you.
Wishing you all the best.
Regards,
Attachment name: Photo.zip
The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat runs Photo.bmp.
Photo.bmp is an executable (currently detected as Troj/DwnLdr-BWB) which attempts to download and execute a copy of the worm from a preconfigured website. At the time of writing, this website is unavailable.
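The attachment described above pairs an executable carrying an image extension with a batch file that launches it. The following mail-filter style check is an added example, not code from the original analysis; the zip it inspects is constructed inline as a stand-in for Photo.zip.

```python
import io
import re
import zipfile

# Added example (not Sophos code): inspect a zip attachment for the lure described
# above, an MZ executable carrying an image extension plus a batch file that runs it.
MZ = b"MZ"                                    # DOS/PE header of a Windows executable
IMAGE_EXTS = (".bmp", ".jpg", ".jpeg", ".gif", ".png")
SCRIPT_EXTS = (".bat", ".cmd")
IMAGE_REF_RE = re.compile(r"\S+\.(?:bmp|jpe?g|gif|png)\b", re.IGNORECASE)

def suspicious_members(zip_bytes: bytes) -> list[str]:
    """Findings for members that are executables disguised as images, or batch files
    that reference an image-named member (the View-Photo.bat / Photo.bmp pairing)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.lower().endswith(IMAGE_EXTS):
                with zf.open(info) as fh:            # only the first two bytes are needed
                    if fh.read(2) == MZ:
                        findings.append(f"{name}: image extension but MZ executable header")
            elif name.lower().endswith(SCRIPT_EXTS):
                body = zf.read(info).decode("latin-1", "replace")
                for ref in IMAGE_REF_RE.findall(body):
                    findings.append(f"{name}: batch file references {ref}")
    return findings

def build_sample_zip(image_bytes: bytes, with_batch: bool = True) -> bytes:
    """Constructed stand-in for Photo.zip; the 'bitmap' content is whatever is passed in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photo.bmp", image_bytes)
        if with_batch:
            zf.writestr("View-Photo.bat", "@echo off\r\nstart Photo.bmp\r\n")
    return buf.getvalue()

if __name__ == "__main__":
    lure = build_sample_zip(MZ + b"\x00" * 62)   # MZ magic only, not a real program
    print(suspicious_members(lure))
```

A genuine bitmap starts with the bytes "BM", so a real photo inside the same zip produces no finding.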
W32/Brontok-AQ closes windows whose titles contain any of the following:
wintask
folder option
trojan
windows script
commander
pc-media
killer
ertanto
CLEANER
REMOVER
PROCESS EXP
SYSINTERNAL
killbox
scheduled task
computer management
cmd.exe
group policy
system configuration
command prompt
registry
baca bro !!!
task manager
When first run W32/Brontok-AQ copies itself to:
<User>\Local Settings\Application Data\dv<random>\yesbron.com
<User>\Local Settings\Application Data\jalak<random>.com
<Windows>\_default<random>.pif
<Windows>\j<random>.exe
<Windows>\o<random>.exe
<Windows>\sa<random>\ib<random>.exe
<System>\c<random>.com
<System>\n<random>\b<random>.exe
<System>\n<random>\csrss.exe
<System>\n<random>\lsass.exe
<System>\n<random>\services.exe
<System>\n<random>\smss.exe
<System>\n<random>\sv<random>.exe
<System>\n<random>\winlogon.exe
where <random> is a sequence of randomly generated digits. It also creates the following files:
Baca Bro !!!.txt
<Windows>\Tasks\At1.job
<Windows>\Tasks\At2.job
<System>\n5817\c.bron.tok.txt
These files can be deleted.
The .job files each contain a scheduled task, instructing Windows to execute the installed copies of the worm once per day.
W32/Brontok-AQ may install a new version of the file <System>\msvbvm60.dll.
The following registry entries are created to run yesbron.com, _default<random>.pif, j<random>.exe and sv<random>.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
<random characters>
<User>\Local Settings\Application Data\dv<random>\yesbron.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
<random characters>
<Windows>\_default<random>.pif
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random characters>
<System>\n<random>\sv<random>.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random characters>
<Windows>\j<random>.exe
The following registry entries are changed to run j<random>.exe and o<random>.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\o<random>.exe"
(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\j<random>.exe
(the default value for this registry entry is "<Windows>\System32\userinit.exe,").
The following registry entry is set, disabling the registry editor (regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Brontok
Message
Look @ "C:\Baca Bro !!!.txt"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
Registry entries are created under:
HKCU\Software\Brontok\
W32/Brontok-AQ also overwrites the HOSTS file with mappings that resolve a long list of domains, mostly those of antivirus and security vendors, to the loopback address 127.0.0.21, so that the infected computer can no longer reach those sites.
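The Winlogon changes and the HOSTS overwrite described above can both be checked from their text form. The functions below are an added example, not Sophos code; they take the contents of the HOSTS file and the two Winlogon values as strings, and the file-name pattern assumes <random> is a run of digits. The HOSTS sample is constructed.

```python
import re

# Added example (not Sophos code): pure functions a defender can feed with the text of
# %SystemRoot%\System32\drivers\etc\hosts and the two Winlogon values named above.
BRONTOK_IP = "127.0.0.21"        # bogus loopback address used by the HOSTS overwrite
DEFAULT_SHELL = "Explorer.exe"   # default Winlogon\Shell value quoted above

# Install names listed above, with <random> taken to be a run of digits (assumption).
BRONTOK_NAME_RE = re.compile(
    r"(^|[\\/])(yesbron\.com|jalak\d+\.com|_default\d+\.pif|[jo]\d+\.exe|sv\d+\.exe"
    r"|i?b\d+\.exe|c\d+\.com)$", re.IGNORECASE)

SAMPLE_HOSTS = """# constructed sample, not a real infected file
127.0.0.1       localhost
127.0.0.21 sophos.com
127.0.0.21 www.sophos.com   # comment after the entry
"""

def hijacked_hosts(hosts_text: str, bogus_ip: str = BRONTOK_IP) -> list[str]:
    """Host names the HOSTS file maps to the worm's bogus address (comments ignored)."""
    names = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comments, split on whitespace
        if fields and fields[0] == bogus_ip:
            names.extend(fields[1:])
    return names

def brontok_named(path: str) -> bool:
    """True if the file-name part of path matches one of the worm's install names."""
    return BRONTOK_NAME_RE.search(path) is not None

def winlogon_findings(shell: str, userinit: str) -> list[str]:
    """Report programs smuggled into Winlogon\\Shell and Winlogon\\Userinit."""
    findings = []
    tokens = shell.replace('"', "").split()      # default is the single token Explorer.exe
    extras = tokens[1:] if tokens and tokens[0].lower() == DEFAULT_SHELL.lower() else tokens
    # default Userinit is one userinit.exe entry followed by a trailing comma
    extras += [e.strip() for e in userinit.split(",")
               if e.strip() and not e.strip().lower().endswith("\\userinit.exe")]
    for prog in extras:
        tag = " (matches worm file naming)" if brontok_named(prog) else ""
        findings.append("extra startup program: " + prog + tag)
    return findings

if __name__ == "__main__":
    print(hijacked_hosts(SAMPLE_HOSTS))
    print(winlogon_findings(r'Explorer.exe "C:\WINDOWS\o9527.exe"',
                            r"C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\j4470.exe"))
```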