Worm:Win32/Brontok.R@mm


Worm:Win32/Brontok.R@mm is a mass-mailing worm that changes security systems on the infected computer. It usually arrives via e-mail.
 
Worm:Win32/Brontok.R@mm modifies certain computer settings, such as how hidden files are displayed, and disables registry editing. It can also modify the computer's HOSTS file.


What to do now

Manual removal is not recommended for this threat. Use the Microsoft Malicious Software Removal Tool, Microsoft Security Essentials, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.
Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
 
  1. Ensure that an antivirus product is installed on ALL computers connected to the network that can access or host shares (see above for further detail).
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
  3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/library/bb456977.aspx.
  4. Remove any unnecessary network shares or mapped drives.
 
Note: Additionally it may be necessary to temporarily change the permission on network shares to read-only until the disinfection process is complete.
Enabling registry editor
This threat may modify the computer to prevent Registry Editor from running. To enable Registry Editor in your computer, please do the following:
 
  1. Run a command prompt. Click Start>Run and type cmd.
  2. In the command prompt, type the following as is and press Enter:
    reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
  3. Type exit at the command prompt.
Disabling Autorun functionality
Worm:Win32/Brontok.R@mm attempts to spread via removable drives on computers that support Autorun functionality. This is a particularly common method of spreading for many current malware families. For information on disabling Autorun functionality, please see the following article:
Additional remediation instructions for Worm:Win32/Brontok.R@mm
This threat may make lasting changes to a computer’s configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following article/s: 

Threat behavior

Installation
Upon execution, Worm:Win32/Brontok.R@mm opens an Explorer window to the "My Documents" folder. This may mislead the user into thinking that the malware file is harmless.
 
It creates the following folders:
 
  • %AppData%\Bron.tok-12-27
  • %Windir%\ShellNew
 
It creates copies of itself as the following:
 
  • %AppData%\csrss.exe
  • %AppData%\inetinfo.exe
  • %AppData%\lsass.exe
  • %AppData%\services.exe
  • %AppData%\smss.exe
  • %AppData%\winlogon.exe
  • %UserProfile%\Templates\Brengkolang.com or %UserProfile%\Templates\WowTumpeh.com
  • %windir%\ShellNew\sempalong.exe
  • %windir%\eksplorasi.pif
  • <startup folder>\Empty.pif
  • <system folder>\<current user>'s Setting.scr (for example, "<system folder>\user1's Settings.scr")
 
Users should take care not to confuse the file names "csrss.exe", "inetinfo.exe", "lsass.exe", "services.exe", "smss.exe", and "winlogon.exe" with legitimate system files using the same names. The legitimate system files are located by default in the Windows system folder.
 
Note 1 - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
 
Note 2 - <startup folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
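The name collision described above is the first thing a responder checks: a file called smss.exe or winlogon.exe is only legitimate when it lives in the Windows system folder. The following Python code is an added example and is not part of this entry or of any Microsoft tool. Given a list of image paths (for example from a process listing or a directory walk), it flags the worm-only file names from the list above, the "<current user>'s Setting.scr" screen-saver name, and any of the six cloned system names that sits outside the system folder. The sample paths, the function names and the default system folder value are constructed for illustration; ntpath is used so the Windows paths are handled correctly on any platform.

```python
import ntpath
import re

# File names the entry lists for the worm's copies in %AppData%; the
# legitimate binaries with these names live in the Windows system folder.
CLONED_SYSTEM_NAMES = {"csrss.exe", "inetinfo.exe", "lsass.exe",
                       "services.exe", "smss.exe", "winlogon.exe"}
# Copy names from the entry that have no legitimate counterpart anywhere.
WORM_ONLY_NAMES = {"sempalong.exe", "eksplorasi.pif", "empty.pif",
                   "brengkolang.com", "wowtumpeh.com"}
# "<current user>'s Setting.scr" (the entry spells it both Setting and Settings).
USER_SCR_RE = re.compile(r"'s settings?\.scr$")

DEFAULT_SYSTEM_DIR = r"C:\Windows\System32"   # XP/Vista/7 default per the entry


def classify_image_path(path, system_dir=DEFAULT_SYSTEM_DIR):
    """Return None if the path looks legitimate, otherwise a short reason.
    ntpath.normcase lower-cases the path and turns forward slashes into
    backslashes, so the comparison works on any operating system."""
    norm = ntpath.normcase(path)
    name = ntpath.basename(norm)
    directory = ntpath.dirname(norm)
    sysdir = ntpath.normcase(system_dir)
    # Subfolders of the system folder are allowed so that, for example, the
    # IIS copy of inetinfo.exe under System32\inetsrv is not flagged.
    inside_system = directory == sysdir or directory.startswith(sysdir + "\\")
    if name in WORM_ONLY_NAMES:
        return "file name used only by the worm"
    if name in CLONED_SYSTEM_NAMES and not inside_system:
        return "system file name outside the system folder"
    if USER_SCR_RE.search(name):
        return "'<user>'s Setting.scr' screen saver name"
    return None


def scan_image_paths(paths, system_dir=DEFAULT_SYSTEM_DIR):
    """Map each suspicious path to its reason; legitimate paths are omitted."""
    result = {}
    for path in paths:
        reason = classify_image_path(path, system_dir)
        if reason:
            result[path] = reason
    return result


# Constructed sample resembling a process listing on an infected XP machine.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\inetsrv\inetinfo.exe",
    r"C:\Documents and Settings\user1\Application Data\smss.exe",
    r"C:\Documents and Settings\user1\Application Data\winlogon.exe",
    r"C:\WINDOWS\ShellNew\sempalong.exe",
    r"C:\WINDOWS\system32\user1's Settings.scr",
    r"C:\Program Files\Notepad++\notepad++.exe",
]

if __name__ == "__main__":
    for flagged_path, why in scan_image_paths(SAMPLE_PATHS).items():
        print(f"{why}: {flagged_path}")
```

The subfolder allowance matters in practice: a strict "must be directly in System32" rule produces false positives for legitimately relocated service binaries, while the worm's copies all sit under the user's profile or in %windir%\ShellNew, which the check still catches.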
 
Worm:Win32/Brontok.R@mm creates and modifies the following registry entries so that it automatically runs every time Windows starts:
 
Adds value: "Tok-Cirrhatus"
With data: "%AppData%\smss.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
Adds value: "Bron-Spizaetus"
With data: "%windir%\ShellNew\sempalong.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 
Modifies value: "Shell"
From data: "explorer.exe" (default value)
To data: "explorer.exe "%windir%\eksplorasi.exe""
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
 
It also creates a job named "%windir%\Tasks\At1.job", which is designed to automatically run its copy "%UserProfile%\Templates\Brengkolang.com" at a specific schedule.
Spreads via...
Mass mailing
Worm:Win32/Brontok.R@mm searches for e-mail addresses in files with the following extensions:
 
.ASP
.CFM
.CSV
.DOC
.EML
.PHP
.TXT
.WAB
 
Gathered addresses are stored in a file in %AppData%, for example, "NetMailTmp.bin". Worm:Win32/Brontok.R@mm then sends e-mail messages to these addresses.
 
The e-mail messages may have the following format:
 
Subject: (no subject)
From: (either one of these)
Berita_<two numbers>@kafegaul.com
GaulNew_<two numbers>@kafegaul.com
HotNews_<two numbers>@playboy.com
Movie_<two numbers>@playboy.com
Attachment: (executable file)
Body: (may be, but is not limited to)
By: HVM31
-- JowoBot #VM Community --
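A mail gateway can recognise the message format above from its headers, attachment and body. The following Python code is an added example and is not part of this entry. It tests the sender address against the listed From: patterns (taking "<two numbers>" to mean two decimal digits, which is an assumption), checks for an empty subject, an attachment with one of the executable extensions the worm uses for its copies, and the listed body lines, and reports which indicators match. The sample messages are constructed; the function names are this example's own.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr

# From: address patterns listed in the entry. The entry writes "<two numbers>";
# this example assumes that means two decimal digits (an assumption).
SENDER_RE = re.compile(
    r"^(?:(?:Berita|GaulNew)_\d{2}@kafegaul\.com|(?:HotNews|Movie)_\d{2}@playboy\.com)$",
    re.IGNORECASE)
BODY_MARKERS = ("By: HVM31", "JowoBot #VM Community")
# Extensions the entry shows the worm using for its own copies.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")


def brontok_mail_indicators(msg):
    """Return the indicators found in a parsed email.message.EmailMessage.
    Each one is weak on its own (empty subjects and .exe attachments are
    common); a gateway rule would act on the sender match or the combination."""
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    if SENDER_RE.match(addr):
        reasons.append("sender matches a listed From: pattern")
    if not (msg.get("Subject") or "").strip():
        reasons.append("empty subject")
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if filename.lower().endswith(EXECUTABLE_EXTS):
            reasons.append(f"executable attachment: {filename}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if any(marker in text for marker in BODY_MARKERS):
        reasons.append("body contains a listed signature line")
    return reasons


def build_sample(from_addr, subject, body, attachment_name=None):
    """Build a constructed test message and round-trip it through text so the
    check sees exactly what a gateway parsing the wire format would see."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "recipient@example.invalid"
    if subject:
        msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Constructed placeholder bytes, not a real program.
        msg.add_attachment(b"MZ\x90\x00 constructed placeholder, not a real program",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return Parser(policy=policy.default).parsestr(msg.as_string())


if __name__ == "__main__":
    sample = build_sample("HotNews_31@playboy.com", "",
                          "By: HVM31\n-- JowoBot #VM Community --\n", "Movie.exe")
    for reason in brontok_mail_indicators(sample):
        print(reason)
```

The round trip through Parser matters: checking the EmailMessage object you just built would skip the header folding and transfer encoding that a real gateway has to undo, which is where filters most often diverge from what the analyst tested.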
 
Removable drives and shared folders
Worm:Win32/Brontok.R@mm also attempts to spread by copying itself to available removable drives and the following folders:
 
  • My Data Sources
  • My Ebooks
  • My Music
  • My Pictures
  • My Shapes
  • My Videos
  • My Documents
 
The file names it uses for its copies vary.
Payload
Modifies system settings
Worm:Win32/Brontok.R@mm modifies the following computer settings:
 
  • Changes the way hidden files are displayed in Windows Explorer:
Adds value: "Hidden"
With data: "0"
Adds value: "HideFileExt"
With data: "1"
Adds value: "ShowSuperHidden"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
 
  • Changes the way file display options are made available in Windows Explorer:
Adds value: "NoFolderOptions"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
 
  • Enables Command Prompt:
Adds value: "DisableCMD"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
 
  • Disables registry editing tools:
Adds value: "DisableRegistryTools"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
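The Run and Winlogon values listed under Installation and the Explorer and policy settings listed above are all visible in a Registry Editor export, which is often the only artefact an analyst receives from a remote machine. The following Python code is an added example and is not part of this entry. It parses the string and DWORD values of a .reg export and reports which of the listed values are present, separating the worm-specific value names (strong indicators) from settings that users or group policy also set legitimately (weak indicators). The export text is constructed; the function names are this example's own.

```python
import re

REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse the subset of the Registry Editor 5.00 export format used here:
    [key] headers, "name"="string" and "name"=dword:hex lines.
    Returns {(key, name): data}; key and name are lower-cased because the
    registry is case-insensitive, and DWORD data becomes an int."""
    values = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = REG_KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1).lower()
            continue
        value_match = REG_VALUE_RE.match(line)
        if not value_match or current_key is None:
            continue
        name, data = value_match.group(1).lower(), value_match.group(2)
        if data.lower().startswith("dword:"):
            values[(current_key, name)] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # Exports escape backslashes and double quotes inside string data.
            values[(current_key, name)] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return values


# Subkeys named in the entry (full hive names, as a .reg export writes them).
RUN_HKCU = r"hkey_current_user\software\microsoft\windows\currentversion\run"
RUN_HKLM = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
POL_EXPLORER = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"
POL_SYSTEM = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"

# (subkey, value name, test on the data, strength). The worm-specific value
# names are strong on their own; the Explorer and policy settings are weak
# because users and group policy set them legitimately (HideFileExt=1 is
# even the Windows default, so it is deliberately left out).
INDICATORS = [
    (RUN_HKCU, "tok-cirrhatus", lambda d: True, "strong"),
    (RUN_HKLM, "bron-spizaetus", lambda d: True, "strong"),
    (WINLOGON, "shell",
     lambda d: isinstance(d, str) and d.strip().lower() != "explorer.exe", "strong"),
    (ADVANCED, "hidden", lambda d: d == 0, "weak"),
    (ADVANCED, "showsuperhidden", lambda d: d == 0, "weak"),
    (POL_EXPLORER, "nofolderoptions", lambda d: d == 1, "weak"),
    (POL_SYSTEM, "disableregistrytools", lambda d: d == 1, "weak"),
]


def check_brontok_indicators(values):
    """Return [(strength, value name, data)] for every indicator that matches."""
    hits = []
    for subkey, name, test, strength in INDICATORS:
        data = values.get((subkey, name))
        if data is not None and test(data):
            hits.append((strength, name, data))
    return hits


# Constructed export text resembling what "reg export" of the listed subkeys
# would produce on an infected XP machine; not a real capture.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"="C:\\Documents and Settings\\user1\\Application Data\\smss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe \"C:\\WINDOWS\\eksplorasi.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000000
'''

if __name__ == "__main__":
    for strength, name, data in check_brontok_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{strength}] {name} = {data!r}")
```

The Shell test is written as "anything other than explorer.exe" rather than as a match on eksplorasi.exe, because other variants and other families append their own binary to the same value; the weak settings are reported but should only raise an alert together with a strong hit or a file-system finding.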
 
Modifies system files
Worm:Win32/Brontok.R@mm may create the following file, or modify it if it exists:
 
autoexec.bat
 
by adding the command "pause" into it.
 
Worm:Win32/Brontok.R@mm may also modify the HOSTS file.
 
Connects to a remote server
Worm:Win32/Brontok.R@mm checks if the computer is connected to the Internet by connecting to:
 
google.com
yahoo.com
 
If the computer is connected, it then attempts to download arbitrary files from the following locations:
 
geocities.com/sblsji1/
geocities.com/sbllro2/
geocities.com/sbltlu3/
geocities.com/sblppt4/
geocities.com/sbllma5/
Additional information
Worm:Win32/Brontok.R@mm may create a file named "Ok-SendMail-Bron-tok" in the %AppData% folder.
 
Analysis by Patrik Vicol

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    • %AppData%\csrss.exe
    • %AppData%\inetinfo.exe
    • %AppData%\lsass.exe
    • %AppData%\services.exe
    • %AppData%\smss.exe
    • %AppData%\winlogon.exe
    • %UserProfile%\Templates\Brengkolang.com or %UserProfile%\Templates\WowTumpeh.com
    • %windir%\ShellNew\sempalong.exe
    • %windir%\eksplorasi.pif
    • <Startup folder>\Empty.pif
    • <system folder>\<current user>'s Setting.scr (for example, "<system folder>\user1's Settings.scr")
  • The presence of the following registry modifications:
    • Added value: "Tok-Cirrhatus"
      With data: "%AppData%\smss.exe"
      In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • Added value: "Bron-Spizaetus"
      With data: "%windir%\ShellNew\sempalong.exe"
      In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • Modified value: "Shell"
      From data: "explorer.exe" (default value)
      To data: "explorer.exe "%windir%\eksplorasi.exe""
      In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • The presence of the following scheduled task:
    • %windir%\Tasks\At1.job
  • You cannot edit the registry
  • There are changes to your HOSTS file and your autoexec.bat file, or there is an autoexec.bat file where there was none before.

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.59.963.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: May 06, 2010
This entry was updated on: May 06, 2010

This threat is also detected as:
  • Win-Trojan/Xema.variant (AhnLab)
  • W32/EmailWorm.OXI (Command)
  • Email-Worm.Win32.Brontok.q (Kaspersky)
  • W32/Rontokbro (Norman)
  • I-Worm.Brontok.QJ (VirusBuster)
  • Worm/Brontok.FW (AVG)
  • Worm/Brontok.C (Avira)
  • Win32/Robknot.Z (CA)
  • Win32/Brontok.S (ESET)
  • Email-Worm.Win32.Brontok (Ikarus)
  • W32/Rontokbro.gen@MM (McAfee)
  • W32/Brontok.GS.WORM (Panda)
  • Trojan.Win32.Mnless.dyr (Rising AV)
  • W32/Brontok-G (Sophos)
  • Email-Worm.Win32.Brontok.ik (Sunbelt Software)
  • W32.Rontokbro@mm (Symantec)
  • WORM_RONTOKBR.CO (Trend Micro)