Aliases

Email-Worm.Win32.Brontok.q (Kaspersky Lab) is also known as: W32/Rontokbro.gen@MM (McAfee),   W32.Rontokbro@mm (Symantec),   BackDoor.Generic.1138 (Doctor Web),   W32/Korbo-B (Sophos),   WORM_RONTOKBRO.F (Trend Micro),   WORM/Brontok.C (H+BEDV),   W32/Brontok.C@mm (FRISK),   Win32:Rontokbr-B (ALWIL),   I-Worm/VB.FY (Grisoft),   Win32.Brontok.C@MM (SOFTWIN),   Worm.Brontok.E (ClamAV),   Win32/Brontok.F (Eset)

Detection added	May 15 2006 16:08 GMT
Update released	May 15 2006 17:24 GMT
Description added	Oct 23 2006
Behavior	Email Worm

• Technical details
• Payload

This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file written in Visual Basic. The size of the infected file can vary significantly. The functionality described below is characteristic of the most common variants of this worm.

Installation

When the infected file is first launched, the user will see a Windows Explorer window, with an open 'My Pictures' folder.

When installing, the worm modifies the following keys of the system registry, disabling system registry tools, the command line, and displaying files and folders in Windows Explorer.

For example, the following message will be displayed when the registry editor is launched:

The worm then gets a path to Application Data for the current user (%UserProfile%\Local Settings\Application Data) and copies its body to this directory under the following names:

A text file called Kosong.Bron.Tok.txt (51 bytes in size) is also created in this directory. The file has the following contents:

The worm also copies its body to the Windows root directory (%WinDir%) under the following name:

and to the ShellNew subdirectory under a name generated as follows: bbm-<random symbols>.exe:

and to the Windows system directory under the following names:

The worm also copies itself to the Start menu Autorun directory as Empty.pif:

and to the Document Template subdirectory:

and to the My Pictures directory of the current user:

An HTML page called about.Brontok.A.html is also created in this directory:

When this page is viewed using the browser, the following message is displayed:

This page contains the contents of the email message which the worm sends to email addresses harvested from the victim machine.

The copies of the worm will then be registered in the system registry to ensure that they are launched automatically:

Once installed, the worm creates a file called sistem.sys in the Windows system directory. This file contains the date and time the worm was installed to the victim machine in the following format: mmddhhmm, where mm stands for the month, dd for the data, hh for the hour, and mm for the minute.

Propagation via email

The worm harvests addresses from the MS Windows address books and from files with the following extensions:

ASP
CFM
CSV
DOC
EML
HTM
HTML
PHP
TXT
WAB

All the harvested addresses are saved to %AppData%\Loc.Mail.Bron.Tok as files with email address names, an .ini extension and the following text:

A directory called Ok-SendMail-Bron-tok is created, and the addresses which messages are sent to are saved to this file.

When sending infected messages the worm uses its own SMTP engine.

Infected messages

Attachment name (chosen from the list below):

• ccapps.exe
• jangan dibuka.exe
• kangen.exe
• my heart.exe
• myheart.exe
• syslove.exe
• untukmu.exe
• winword.exe

Message text:

The HTML page shown above acts as the text of infected messages.

The worm checks the header of the open window, and if one of the following strings is present in the header, it will reboot the system:

..
.@
@.
.ASP
.EXE
.HTM
.JS
.PHP
ADMIN
ADOBE
AHNLAB
ALADDIN
ALERT
ALWIL
ANTIGEN
APACHE
APPLICATION
ARCHIEVE
ASDF
ASSOCIATE
AVAST
AVG
AVIRA
BILLING@
BLACK
BLAH
BLEEP
BUILDER
CANON
CENTER
CILLIN
CISCO
CMD.
CNET
COMMAND
COMMAND PROMPT
CONTOH
CONTROL
CRACK
DARK
DATA
DATABASE
DEMO
DETIK
DEVELOP
DOMAIN
DOWNLOAD
ESAFE
ESAVE
ESCAN
EXAMPLE
FEEDBACK
FIREWALL
FOO@
FUCK
FUJITSU
GATEWAY
GOOGLE
GRISOFT
GROUP
HACK
HAURI
HIDDEN
HP.
IBM.
INFO@
INTEL.
KOMPUTER
LINUX
LOG OFF WINDOWS
LOTUS
MACRO
MALWARE
MASTER
MCAFEE
MICRO
MICROSOFT
MOZILLA
MYSQL
NETSCAPE
NETWORK
NEWS
NOD32
NOKIA
NORMAN
NORTON
NOVELL
NVIDIA
OPERA
OVERTURE
PANDA
PATCH
POSTGRE
PROGRAM
PROLAND
PROMPT
PROTECT
PROXY
RECIPIENT
REGISTRY
RELAY
RESPONSE
ROBOT
SCAN
SCRIPT HOST
SEARCH R
SECURE
SECURITY
SEKUR
SENIOR
SERVER
SERVICE
SHUT DOWN
SIEMENS
SMTP
SOFT
SOME
SOPHOS
SOURCE
SPAM
SPERSKY
SUN.
SUPPORT
SYBARI
SYMANTEC
SYSTEM CONFIGURATION
TEST
TREND
TRUST
UPDATE
UTILITY
VAKSIN
VIRUS
W3.
WINDOWS SECURITY.VBS
WWW
XEROX
XXX
YOUR
ZDNET
ZEND
ZOMBIE

The worm also modifies the contents of autoexec.bat in the C: root directory, adding "pause" to it.