W32/Brontok-AQ

Category: Viruses and Spyware
Type: Win32 worm
Protection available since: 17 May 2006 00:00:00 (GMT)
Last Updated: 17 May 2006 00:00:00 (GMT)
Prevalence: Small Number of Reports


W32/Brontok-AQ is a mass-mailing worm for the Windows platform.

W32/Brontok-AQ sends itself to email addresses found on the infected computer.

Emails sent by the worm have the following characteristics:

From:

dewi_21@cbn.net.id
ratna_19@rad.net.id
claudia_21@aol.com
angelina_19@attglobal.net

If the recipient's address is Indonesian:

Subject: Fotoku yg Paling Cantik
(Indonesian; in English: "My Prettiest Photo")

Message text:

Hi,
Aku lg iseng aja pengen kirim foto ke kamu
Jangan lupain aku ya !.
(Indonesian; in English: "I was just bored and felt like sending you a photo. Don't forget me!")

Thanks

For all other addresses:

Subject: My Best Photo

Message text:

Hi,
I want to share my photo with you.
Wishing you all the best.

Regards,

Attachment name: Photo.zip

The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat runs Photo.bmp.

Photo.bmp is an executable (currently detected as Troj/DwnLdr-BWB) which attempts to download and execute a copy of the worm from a preconfigured website. At the time of writing, this website is unavailable.
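The attachment described above relies on two tricks a mail gateway or analyst can test for mechanically: a member whose extension says image but whose bytes carry a PE header, and a batch file that launches it. The following Python is an added example, not part of the Sophos description and not the worm's own code. It builds a stand-in Photo.zip in memory (a minimal MZ/PE header stub and a two-line batch file, both constructed; the batch content is an assumption about how such a launcher looks) and triages it.

```python
"""Triage a zip attachment of the Photo.zip kind: an executable hidden behind
an image extension plus a batch file that starts it. The sample archive is
constructed in memory; it is not a real Brontok downloader."""
import io
import re
import zipfile

# Extensions Windows runs directly (assumption: a representative set, not exhaustive).
LAUNCHER_EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".vbs", ".js"}
# Extensions that should hold passive data; a PE header behind one of these is the mismatch.
DATA_EXTS = {".bmp", ".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}


def is_pe(data: bytes) -> bool:
    """True if data starts with the DOS 'MZ' stub and has 'PE\\0\\0' at the
    offset stored in e_lfanew (the 32-bit little-endian value at byte 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def ext_of(name: str) -> str:
    m = re.search(r"\.[^./\\]+$", name)
    return m.group(0).lower() if m else ""


def triage_zip(blob: bytes) -> dict:
    """Return which members are executables behind a data extension, which are
    launcher scripts, and which launcher names which disguised executable."""
    findings = {"disguised_pe": [], "launchers": [], "launch_pairs": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        members = {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}
    for name, data in members.items():
        ext = ext_of(name)
        if ext in DATA_EXTS and is_pe(data):
            findings["disguised_pe"].append(name)
        if ext in LAUNCHER_EXTS:
            findings["launchers"].append(name)
    # A .bat/.cmd that names a disguised executable is the "View-Photo.bat runs Photo.bmp" pattern.
    for launcher in findings["launchers"]:
        if ext_of(launcher) not in {".bat", ".cmd"}:
            continue
        text = members[launcher].decode("latin-1", errors="replace").lower()
        for target in findings["disguised_pe"]:
            if target.lower() in text:
                findings["launch_pairs"].append((launcher, target))
    if findings["launch_pairs"]:
        findings["verdict"] = "malicious"
    elif findings["disguised_pe"] or findings["launchers"]:
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "clean"
    return findings


def build_sample(disguise: bool = True) -> bytes:
    """Construct a stand-in for Photo.zip (test data, not a real sample): a
    minimal MZ/PE header saved as Photo.bmp, or a plain BMP header when
    disguise=False, plus a batch file that starts it."""
    if disguise:
        img = bytearray(b"MZ" + b"\x00" * 0x3E)
        img[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> 0x40
        img += b"PE\x00\x00" + b"\x00" * 20              # PE signature + header stub
    else:
        img = b"BM" + b"\x00" * 100                      # BMP magic, no PE header
    bat = b"@echo off\r\nstart Photo.bmp\r\n"             # constructed launcher text
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photo.bmp", bytes(img))
        zf.writestr("View-Photo.bat", bat)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample()))
```

The extension check alone would miss a renamed binary and the magic check alone would miss a .bat beside a genuine picture; pairing them, and then looking for the launcher that references the disguised file, is what separates this attachment from a legitimate photo plus a stray script.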

W32/Brontok-AQ closes windows whose titles contain any of the following:

wintask
folder option
trojan
windows script
commander
pc-media
killer
ertanto
CLEANER
REMOVER
PROCESS EXP
SYSINTERNAL
killbox
scheduled task
computer management
cmd.exe
group policy
system configuration
command prompt
registry
baca bro !!!
task manager

When first run W32/Brontok-AQ copies itself to:

<User>\Local Settings\Application Data\dv<random>\yesbron.com
<User>\Local Settings\Application Data\jalak<random>.com
<Windows>\_default<random>.pif
<Windows>\j<random>.exe
<Windows>\o<random>.exe
<Windows>\sa<random>\ib<random>.exe
<System>\c<random>.com
<System>\n<random>\b<random>.exe
<System>\n<random>\csrss.exe
<System>\n<random>\lsass.exe
<System>\n<random>\services.exe
<System>\n<random>\smss.exe
<System>\n<random>\sv<random>.exe
<System>\n<random>\winlogon.exe

where <random> is a sequence of randomly generated digits.

W32/Brontok-AQ also creates the following files:

Baca Bro !!!.txt
<Windows>\Tasks\At1.job
<Windows>\Tasks\At2.job
<System>\n5817\c.bron.tok.txt

These files can be deleted.

The .job files each contain a scheduled task, instructing Windows to execute the installed copies of the worm once per day.

W32/Brontok-AQ may install a new version of the file <System>\msvbvm60.dll (the Visual Basic 6 runtime).

The following registry entries are created to run yesbron.com, _default<random>.pif, j<random>.exe and sv<random>.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
<random characters>
<User>\Local Settings\Application Data\dv<random>\yesbron.com

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
<random characters>
<Windows>\_default<random>.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random characters>
<System>\n<random>\sv<random>.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random characters>
<Windows>\j<random>.exe

The following registry entries are changed to run j<random>.exe and o<random>.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\o<random>.exe"

(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\j<random>.exe

(the default value for this registry entry is "<Windows>\System32\userinit.exe,").

The following registry entry is set, disabling the registry editor (regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

The following registry entries are set; the three Explorer\Advanced values configure Windows Explorer to hide file extensions and not to show hidden or protected operating-system files, which keeps the worm's copies and their real extensions out of sight:

HKCU\Software\Brontok
Message
Look @ "C:\Baca Bro !!!.txt"

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

Registry entries are created under:

HKCU\Software\Brontok\
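The autorun and policy changes above are what a responder checks first on a suspect machine. As an added example that is not part of the original description, the following Python parses a `reg export` dump offline and flags the Winlogon Shell and Userinit additions, autorun values that point at files matching the worm's naming patterns (taken from the list under "When first run"), the DisableRegistryTools policy and the HKCU\Software\Brontok key. The dump is constructed; names such as o4891.exe, n5817 and Sqx3Kp are stand-ins for the <random> and <random characters> placeholders, and the assumed system directory is C:\WINDOWS\system32.

```python
"""Offline triage of a 'reg export' dump for the autorun and policy changes
described above. The sample dump and names like o4891.exe are constructed."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# File names the worm uses for its copies (list under "When first run"); <random> is digits.
WORM_PATH_RE = re.compile(
    r"(?:\\dv\d+\\yesbron\.com|\\jalak\d+\.com|\\_default\d+\.pif|\\[jo]\d+\.exe"
    r"|\\sa\d+\\ib\d+\.exe|\\c\d+\.com"
    r"|\\n\d+\\(?:b\d+|sv\d+|csrss|lsass|services|smss|winlogon)\.exe)$", re.IGNORECASE)
# Key paths as 'reg export' spells them, lower-cased because registry keys are case-insensitive.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICIES_SYSTEM = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
BRONTOK_KEY = r"hkey_current_user\software\brontok"
RUN_KEYS = [
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
]


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # .reg doubles backslashes and escapes quotes


def _decode(v: str):
    v = v.strip()
    if len(v) >= 2 and v.startswith('"') and v.endswith('"'):
        return _unescape(v[1:-1])
    if v.lower().startswith("dword:"):
        return int(v[6:], 16)
    return v  # hex(...) and other types are left raw


def parse_reg(text: str) -> dict:
    """Parse REGEDIT5-style text into {key_path_lower: {value_name: value}}."""
    keys, current = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if m := SECTION_RE.match(line):
            current = m.group(1).lower()
            keys[current]  # record the key even if it carries no values
        elif (m := VALUE_RE.match(line)) and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else ""
            keys[current][name] = _decode(m.group(2))
    return keys


def triage(keys: dict, sysdir: str = r"C:\WINDOWS\system32") -> list:
    """Flag Winlogon Shell/Userinit additions, worm-named autorun values,
    the regedit lockout policy and the worm's own key."""
    findings, wl = [], keys.get(WINLOGON, {})
    if isinstance(wl.get("Shell"), str):  # default is exactly Explorer.exe
        for tok in re.findall(r'"[^"]*"|\S+', wl["Shell"]):
            if tok.strip('"').lower() != "explorer.exe":
                findings.append(("winlogon_shell_extra", tok.strip('"')))
    if isinstance(wl.get("Userinit"), str):  # default is "<System>\userinit.exe,"
        for part in filter(None, (p.strip() for p in wl["Userinit"].split(","))):
            if part.lower() != (sysdir + r"\userinit.exe").lower():
                findings.append(("winlogon_userinit_extra", part))
    for key in RUN_KEYS:
        for name, val in keys.get(key, {}).items():
            if isinstance(val, str) and WORM_PATH_RE.search(val.strip('"')):
                findings.append(("autorun_worm_path", f"{key}\\{name} -> {val}"))
    if keys.get(POLICIES_SYSTEM, {}).get("DisableRegistryTools") == 1:
        findings.append(("regedit_disabled", "DisableRegistryTools=1"))
    if BRONTOK_KEY in keys:
        findings.append(("brontok_key_present", BRONTOK_KEY))
    return findings


# Constructed 'reg export' output; Sqx3Kp, Rz9aT and Yb1 stand for <random characters>.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\o4891.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\j2077.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sqx3Kp"="C:\\WINDOWS\\j2077.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Rz9aT"="C:\\WINDOWS\\system32\\n5817\\sv5817.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
"Yb1"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\dv5817\\yesbron.com"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Brontok]
"Message"="Look @ \"C:\\Baca Bro !!!.txt\""
"""

if __name__ == "__main__":
    for indicator, detail in triage(parse_reg(SAMPLE_REG)):
        print(f"{indicator:24} {detail}")
```

Working from an exported dump rather than the live registry matters here because the worm sets DisableRegistryTools and closes windows whose title contains "registry"; `reg export` from a command prompt run under another name, or an offline hive copy, sidesteps both. The Shell and Userinit checks compare against the documented defaults rather than matching the worm's names, so they also catch a future variant that picks different file names.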

W32/Brontok-AQ also overwrites the HOSTS file with the following mappings, pointing every name at 127.0.0.21 (an address in the 127/8 loopback range) so that security vendors' websites and update servers no longer resolve from the infected computer:

127.0.0.21 mcafee.com
127.0.0.21 www.mcafee.com
127.0.0.21 mcafee.net
127.0.0.21 www.mcafee.net
127.0.0.21 mcafee.org
127.0.0.21 www.mcafee.org
127.0.0.21 mcafeesecurity.com
127.0.0.21 www.mcafeesecurity.com
127.0.0.21 mcafeesecurity.net
127.0.0.21 www.mcafeesecurity.net
127.0.0.21 mcafeesecurity.org
127.0.0.21 www.mcafeesecurity.org
127.0.0.21 mcafeeb2b.com
127.0.0.21 www.mcafeeb2b.com
127.0.0.21 mcafeeb2b.net
127.0.0.21 www.mcafeeb2b.net
127.0.0.21 mcafeeb2b.org
127.0.0.21 www.mcafeeb2b.org
127.0.0.21 nai.com
127.0.0.21 www.nai.com
127.0.0.21 nai.net
127.0.0.21 www.nai.net
127.0.0.21 nai.org
127.0.0.21 www.nai.org
127.0.0.21 vil.nai.com
127.0.0.21 www.vil.nai.com
127.0.0.21 vil.nai.net
127.0.0.21 www.vil.nai.net
127.0.0.21 vil.nai.org
127.0.0.21 www.vil.nai.org
127.0.0.21 grisoft.com
127.0.0.21 www.grisoft.com
127.0.0.21 grisoft.net
127.0.0.21 www.grisoft.net
127.0.0.21 grisoft.org
127.0.0.21 www.grisoft.org
127.0.0.21 kaspersky-labs.com
127.0.0.21 www.kaspersky-labs.com
127.0.0.21 kaspersky-labs.net
127.0.0.21 www.kaspersky-labs.net
127.0.0.21 kaspersky-labs.org
127.0.0.21 www.kaspersky-labs.org
127.0.0.21 kaspersky.com
127.0.0.21 www.kaspersky.com
127.0.0.21 kaspersky.net
127.0.0.21 www.kaspersky.net
127.0.0.21 kaspersky.org
127.0.0.21 www.kaspersky.org
127.0.0.21 downloads1.kaspersky-labs.com
127.0.0.21 www.downloads1.kaspersky-labs.com
127.0.0.21 downloads1.kaspersky-labs.net
127.0.0.21 www.downloads1.kaspersky-labs.net
127.0.0.21 downloads1.kaspersky-labs.org
127.0.0.21 www.downloads1.kaspersky-labs.org
127.0.0.21 downloads2.kaspersky-labs.com
127.0.0.21 www.downloads2.kaspersky-labs.com
127.0.0.21 downloads2.kaspersky-labs.net
127.0.0.21 www.downloads2.kaspersky-labs.net
127.0.0.21 downloads2.kaspersky-labs.org
127.0.0.21 www.downloads2.kaspersky-labs.org
127.0.0.21 downloads3.kaspersky-labs.com
127.0.0.21 www.downloads3.kaspersky-labs.com
127.0.0.21 downloads3.kaspersky-labs.net
127.0.0.21 www.downloads3.kaspersky-labs.net
127.0.0.21 downloads3.kaspersky-labs.org
127.0.0.21 www.downloads3.kaspersky-labs.org
127.0.0.21 downloads4.kaspersky-labs.com
127.0.0.21 www.downloads4.kaspersky-labs.com
127.0.0.21 downloads4.kaspersky-labs.net
127.0.0.21 www.downloads4.kaspersky-labs.net
127.0.0.21 downloads4.kaspersky-labs.org
127.0.0.21 www.downloads4.kaspersky-labs.org
127.0.0.21 download.mcafee.com
127.0.0.21 www.download.mcafee.com
127.0.0.21 download.mcafee.net
127.0.0.21 www.download.mcafee.net
127.0.0.21 download.mcafee.org
127.0.0.21 www.download.mcafee.org
127.0.0.21 norton.com
127.0.0.21 www.norton.com
127.0.0.21 norton.net
127.0.0.21 www.norton.net
127.0.0.21 norton.org
127.0.0.21 www.norton.org
127.0.0.21 symantec.com
127.0.0.21 www.symantec.com
127.0.0.21 symantec.net
127.0.0.21 www.symantec.net
127.0.0.21 symantec.org
127.0.0.21 www.symantec.org
127.0.0.21 liveupdate.symantecliveupdate.com
127.0.0.21 www.liveupdate.symantecliveupdate.com
127.0.0.21 liveupdate.symantecliveupdate.net
127.0.0.21 www.liveupdate.symantecliveupdate.net
127.0.0.21 liveupdate.symantecliveupdate.org
127.0.0.21 www.liveupdate.symantecliveupdate.org
127.0.0.21 liveupdate.symantec.com
127.0.0.21 www.liveupdate.symantec.com
127.0.0.21 liveupdate.symantec.net
127.0.0.21 www.liveupdate.symantec.net
127.0.0.21 liveupdate.symantec.org
127.0.0.21 www.liveupdate.symantec.org
127.0.0.21 update.symantec.com
127.0.0.21 www.update.symantec.com
127.0.0.21 update.symantec.net
127.0.0.21 www.update.symantec.net
127.0.0.21 update.symantec.org
127.0.0.21 www.update.symantec.org
127.0.0.21 securityresponse.symantec.com
127.0.0.21 www.securityresponse.symantec.com
127.0.0.21 securityresponse.symantec.net
127.0.0.21 www.securityresponse.symantec.net
127.0.0.21 securityresponse.symantec.org
127.0.0.21 www.securityresponse.symantec.org
127.0.0.21 sarc.com
127.0.0.21 www.sarc.com
127.0.0.21 sarc.net
127.0.0.21 www.sarc.net
127.0.0.21 sarc.org
127.0.0.21 www.sarc.org
127.0.0.21 vaksin.com
127.0.0.21 www.vaksin.com
127.0.0.21 vaksin.net
127.0.0.21 www.vaksin.net
127.0.0.21 vaksin.org
127.0.0.21 www.vaksin.org
127.0.0.21 forum.vaksin.com
127.0.0.21 www.forum.vaksin.com
127.0.0.21 forum.vaksin.net
127.0.0.21 www.forum.vaksin.net
127.0.0.21 forum.vaksin.org
127.0.0.21 www.forum.vaksin.org
127.0.0.21 norman.com
127.0.0.21 www.norman.com
127.0.0.21 norman.net
127.0.0.21 www.norman.net
127.0.0.21 norman.org
127.0.0.21 www.norman.org
127.0.0.21 trendmicro.com
127.0.0.21 www.trendmicro.com
127.0.0.21 trendmicro.net
127.0.0.21 www.trendmicro.net
127.0.0.21 trendmicro.org
127.0.0.21 www.trendmicro.org
127.0.0.21 trendmicro-europe.com
127.0.0.21 www.trendmicro-europe.com
127.0.0.21 trendmicro-europe.net
127.0.0.21 www.trendmicro-europe.net
127.0.0.21 trendmicro-europe.org
127.0.0.21 www.trendmicro-europe.org
127.0.0.21 ae.trendmicro-europe.com
127.0.0.21 www.ae.trendmicro-europe.com
127.0.0.21 ae.trendmicro-europe.net
127.0.0.21 www.ae.trendmicro-europe.net
127.0.0.21 ae.trendmicro-europe.org
127.0.0.21 www.ae.trendmicro-europe.org
127.0.0.21 it.trendmicro-europe.com
127.0.0.21 www.it.trendmicro-europe.com
127.0.0.21 it.trendmicro-europe.net
127.0.0.21 www.it.trendmicro-europe.net
127.0.0.21 it.trendmicro-europe.org
127.0.0.21 www.it.trendmicro-europe.org
127.0.0.21 secunia.com
127.0.0.21 www.secunia.com
127.0.0.21 secunia.net
127.0.0.21 www.secunia.net
127.0.0.21 secunia.org
127.0.0.21 www.secunia.org
127.0.0.21 winantivirus.com
127.0.0.21 www.winantivirus.com
127.0.0.21 winantivirus.net
127.0.0.21 www.winantivirus.net
127.0.0.21 winantivirus.org
127.0.0.21 www.winantivirus.org
127.0.0.21 pandasoftware.com
127.0.0.21 www.pandasoftware.com
127.0.0.21 pandasoftware.net
127.0.0.21 www.pandasoftware.net
127.0.0.21 pandasoftware.org
127.0.0.21 www.pandasoftware.org
127.0.0.21 esafe.com
127.0.0.21 www.esafe.com
127.0.0.21 esafe.net
127.0.0.21 www.esafe.net
127.0.0.21 esafe.org
127.0.0.21 www.esafe.org
127.0.0.21 f-secure.com
127.0.0.21 www.f-secure.com
127.0.0.21 f-secure.net
127.0.0.21 www.f-secure.net
127.0.0.21 f-secure.org
127.0.0.21 www.f-secure.org
127.0.0.21 europe.f-secure.com
127.0.0.21 www.europe.f-secure.com
127.0.0.21 europe.f-secure.net
127.0.0.21 www.europe.f-secure.net
127.0.0.21 europe.f-secure.org
127.0.0.21 www.europe.f-secure.org
127.0.0.21 bhs.com
127.0.0.21 www.bhs.com
127.0.0.21 bhs.net
127.0.0.21 www.bhs.net
127.0.0.21 bhs.org
127.0.0.21 www.bhs.org
127.0.0.21 datafellows.com
127.0.0.21 www.datafellows.com
127.0.0.21 datafellows.net
127.0.0.21 www.datafellows.net
127.0.0.21 datafellows.org
127.0.0.21 www.datafellows.org
127.0.0.21 cheyenne.com
127.0.0.21 www.cheyenne.com
127.0.0.21 cheyenne.net
127.0.0.21 www.cheyenne.net
127.0.0.21 cheyenne.org
127.0.0.21 www.cheyenne.org
127.0.0.21 ontrack.com
127.0.0.21 www.ontrack.com
127.0.0.21 ontrack.net
127.0.0.21 www.ontrack.net
127.0.0.21 ontrack.org
127.0.0.21 www.ontrack.org
127.0.0.21 sands.com
127.0.0.21 www.sands.com
127.0.0.21 sands.net
127.0.0.21 www.sands.net
127.0.0.21 sands.org
127.0.0.21 www.sands.org
127.0.0.21 sophos.com
127.0.0.21 www.sophos.com
127.0.0.21 sophos.net
127.0.0.21 www.sophos.net
127.0.0.21 sophos.org
127.0.0.21 www.sophos.org
127.0.0.21 icubed.com
127.0.0.21 www.icubed.com
127.0.0.21 icubed.net
127.0.0.21 www.icubed.net
127.0.0.21 icubed.org
127.0.0.21 www.icubed.org
127.0.0.21 perantivirus.com
127.0.0.21 www.perantivirus.com
127.0.0.21 perantivirus.net
127.0.0.21 www.perantivirus.net
127.0.0.21 perantivirus.org
127.0.0.21 www.perantivirus.org
127.0.0.21 castlecops.com
127.0.0.21 www.castlecops.com
127.0.0.21 castlecops.net
127.0.0.21 www.castlecops.net
127.0.0.21 castlecops.org
127.0.0.21 www.castlecops.org
127.0.0.21 virustotal.com
127.0.0.21 www.virustotal.com
127.0.0.21 virustotal.net
127.0.0.21 www.virustotal.net
127.0.0.21 virustotal.org
127.0.0.21 www.virustotal.org
127.0.0.21 free-av.com
127.0.0.21 www.free-av.com
127.0.0.21 free-av.net
127.0.0.21 www.free-av.net
127.0.0.21 free-av.org
127.0.0.21 www.free-av.org
127.0.0.21 antivirus.com
127.0.0.21 www.antivirus.com
127.0.0.21 antivirus.net
127.0.0.21 www.antivirus.net
127.0.0.21 antivirus.org
127.0.0.21 www.antivirus.org
127.0.0.21 anti-virus.com
127.0.0.21 www.anti-virus.com
127.0.0.21 anti-virus.net
127.0.0.21 www.anti-virus.net
127.0.0.21 anti-virus.org
127.0.0.21 www.anti-virus.org
127.0.0.21 ca.com
127.0.0.21 www.ca.com
127.0.0.21 ca.net
127.0.0.21 www.ca.net
127.0.0.21 ca.org
127.0.0.21 www.ca.org
127.0.0.21 fajarweb.com
127.0.0.21 www.fajarweb.com
127.0.0.21 fajarweb.net
127.0.0.21 www.fajarweb.net
127.0.0.21 fajarweb.org
127.0.0.21 www.fajarweb.org
127.0.0.21 jasakom.com
127.0.0.21 www.jasakom.com
127.0.0.21 jasakom.net
127.0.0.21 www.jasakom.net
127.0.0.21 jasakom.org
127.0.0.21 www.jasakom.org
127.0.0.21 backup.grisoft.com
127.0.0.21 www.backup.grisoft.com
127.0.0.21 backup.grisoft.net
127.0.0.21 www.backup.grisoft.net
127.0.0.21 backup.grisoft.org
127.0.0.21 www.backup.grisoft.org
127.0.0.21 infokomputer.com
127.0.0.21 www.infokomputer.com
127.0.0.21 infokomputer.net
127.0.0.21 www.infokomputer.net
127.0.0.21 infokomputer.org
127.0.0.21 www.infokomputer.org
127.0.0.21 playboy.com
127.0.0.21 www.playboy.com
127.0.0.21 playboy.net
127.0.0.21 www.playboy.net
127.0.0.21 playboy.org
127.0.0.21 www.playboy.org
127.0.0.21 sex-mission.com
127.0.0.21 www.sex-mission.com
127.0.0.21 sex-mission.net
127.0.0.21 www.sex-mission.net
127.0.0.21 sex-mission.org
127.0.0.21 www.sex-mission.org
127.0.0.21 pornstargals.com
127.0.0.21 www.pornstargals.com
127.0.0.21 pornstargals.net
127.0.0.21 www.pornstargals.net
127.0.0.21 pornstargals.org
127.0.0.21 www.pornstargals.org
127.0.0.21 kaskus.com
127.0.0.21 www.kaskus.com
127.0.0.21 kaskus.net
127.0.0.21 www.kaskus.net
127.0.0.21 kaskus.org
127.0.0.21 www.kaskus.org
127.0.0.21 17tahun.com
127.0.0.21 www.17tahun.com
127.0.0.21 17tahun.net
127.0.0.21 www.17tahun.net
127.0.0.21 17tahun.org
127.0.0.21 www.17tahun.org
127.0.0.21 padinet.com
127.0.0.21 www.padinet.com
127.0.0.21 padinet.net
127.0.0.21 www.padinet.net
127.0.0.21 padinet.org
127.0.0.21 www.padinet.org
127.0.0.21 jeruk.padinet.com
127.0.0.21 www.jeruk.padinet.com
127.0.0.21 jeruk.padinet.net
127.0.0.21 www.jeruk.padinet.net
127.0.0.21 jeruk.padinet.org
127.0.0.21 www.jeruk.padinet.org
127.0.0.21 compactbyte.com
127.0.0.21 www.compactbyte.com
127.0.0.21 compactbyte.net
127.0.0.21 www.compactbyte.net
127.0.0.21 compactbyte.org
127.0.0.21 www.compactbyte.org
127.0.0.21 blog.compactbyte.com
127.0.0.21 www.blog.compactbyte.com
127.0.0.21 blog.compactbyte.net
127.0.0.21 www.blog.compactbyte.net
127.0.0.21 blog.compactbyte.org
127.0.0.21 www.blog.compactbyte.org
127.0.0.21 blogs.compactbyte.com
127.0.0.21 www.blogs.compactbyte.com
127.0.0.21 blogs.compactbyte.net
127.0.0.21 www.blogs.compactbyte.net
127.0.0.21 blogs.compactbyte.org
127.0.0.21 www.blogs.compactbyte.org
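Checking the HOSTS file for this kind of hijack does not require knowing the worm's list: any public hostname pinned to a loopback address (or to 0.0.0.0, the other common sinkhole value) is suspect. The following Python is an added example, not part of the Sophos description, that parses a HOSTS file, reports such entries and rebuilds the file without them. The sample content is constructed; the path constant assumes the default location on Windows XP-era systems.

```python
"""Audit a Windows HOSTS file for names pinned to loopback, the technique the
worm uses to block security vendors. Sample content below is constructed."""
import ipaddress

HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"  # assumed default location

# Names that legitimately resolve to loopback; anything else mapped to a
# loopback or unspecified address is treated as a hijack candidate.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str):
    """Yield (lineno, ip_address, [names]) for each mapping line, comments stripped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field; leave it for a human
        yield lineno, ip, parts[1:]


def find_hijacks(text: str) -> list:
    """Return [(lineno, ip, name)] for every non-local name sent to loopback/0.0.0.0."""
    hits = []
    for lineno, ip, names in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            if name.lower() not in LOOPBACK_NAMES:
                hits.append((lineno, str(ip), name))
    return hits


def clean_hosts(text: str) -> str:
    """Rebuild the file without the hijack lines, keeping comments and genuine entries."""
    bad = {lineno for lineno, _, _ in find_hijacks(text)}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample: default localhost line, three worm-style entries, one legitimate override.
SAMPLE_HOSTS = """# hosts file (constructed sample)
127.0.0.1       localhost
127.0.0.21 sophos.com
127.0.0.21 www.sophos.com
127.0.0.21 liveupdate.symantec.com
192.168.1.10    intranet.example   # legitimate local override
"""

if __name__ == "__main__":
    for lineno, ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Since the description says the worm overwrites this file, rewrite it only after the worm's processes and autorun entries have been removed; a copy still running at the next start can simply write it again. On a real machine the file is read from HOSTS_PATH and the cleaned text written back with administrative rights.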
