Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | December 2006 (4.12) |
| Protection available since | 26 April 2006 12:37:16 (GMT) |
| Last updated | 8 November 2006 13:21:42 (GMT) |
| Detected by | All Sophos products |
Action

Please read the instructions for removing W32/Brontok-AJ

More Information
W32/Brontok-AJ is a mass-mailing worm for the Windows platform.
W32/Brontok-AJ sends itself to email addresses found on the infected computer.
Emails sent by the worm have the following characteristics:
From: angelina_ph@<recipient's domain>
or jennifer_sh@<recipient's domain>
If the recipient's address is Indonesian:
Subject: Fotoku yg Paling Cantik
Message text:
Hi,
Aku lg iseng aja pengen kirim foto ke kamu.
Jangan lupain aku ya !.
Thanks
For all other addresses:
Subject: My Best Photo
Message text:
Hi,
I want to share my photo with you.
Wishing you all the best.
Regards,
Attachment name: Photo.zip
The zip file is also detected as W32/Brontok-AJ and contains Photo.bmp and View-Photo.bat. View-Photo.bat runs Photo.bmp. Photo.bmp is an executable (currently detected as Troj/Dloadr-ADW) which attempts to download and execute a copy of the worm from a preconfigured website. At the time of writing, this website is unavailable.
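The mail and attachment traits above translate directly into a mail-gateway or triage check. The following Python is an added example (not Sophos code and not part of the original description): it matches the two sender local-parts forged at the recipient's own domain, the two subject templates, the Photo.zip name, and, inside the zip, an image-named member that actually starts with the PE "MZ" signature together with a batch file that references it. The message, the `corp.example` addresses and the zip contents are constructed for the demo; the sample "Photo.bmp" merely begins with the MZ bytes and is not an executable.

```python
"""Triage an incoming message against the W32/Brontok-AJ traits described
above. Added example; all sample data is constructed."""
import io
import re
import zipfile

KNOWN_SENDERS = {"angelina_ph", "jennifer_sh"}          # local-parts the worm forges
KNOWN_SUBJECTS = {"my best photo", "fotoku yg paling cantik"}
PE_MAGIC = b"MZ"                                         # DOS/PE header signature
ADDR_RE = re.compile(r"([^@\s]+)@([^@\s]+)")


def sender_spoofs_recipient_domain(from_addr: str, to_addr: str) -> bool:
    """True when From is one of the worm's local-parts AND its domain equals
    the recipient's domain (the worm builds the sender per recipient)."""
    m_from = ADDR_RE.fullmatch(from_addr.strip())
    m_to = ADDR_RE.fullmatch(to_addr.strip())
    if not (m_from and m_to):
        return False
    return (m_from.group(1).lower() in KNOWN_SENDERS
            and m_from.group(2).lower() == m_to.group(2).lower())


def inspect_zip(zip_bytes: bytes) -> list:
    """Return indicators found inside the attachment: a member with an image
    extension but a PE header, and a batch file that names another member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            data = zf.read(name)
            lower = name.lower()
            if lower.endswith((".bmp", ".jpg", ".jpeg", ".gif", ".png")) \
                    and data.startswith(PE_MAGIC):
                findings.append(f"{name}: image extension but PE (MZ) header")
            if lower.endswith((".bat", ".cmd")):
                text = data.decode("latin-1").lower()
                for other in names:
                    if other != name and other.lower() in text:
                        findings.append(f"{name}: launches {other}")
    return findings


def triage(from_addr, to_addr, subject, attachment_name, attachment_bytes) -> list:
    """Collect every reason the message looks like the worm's mail."""
    reasons = []
    if sender_spoofs_recipient_domain(from_addr, to_addr):
        reasons.append("sender matches worm pattern at recipient's domain")
    if subject.strip().lower() in KNOWN_SUBJECTS:
        reasons.append("subject matches worm template")
    if attachment_name.lower() == "photo.zip":
        reasons.append("attachment name Photo.zip")
        reasons.extend(inspect_zip(attachment_bytes))
    return reasons


def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachment: 'Photo.bmp' begins with the
    PE magic but is otherwise filler; the .bat only names that member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photo.bmp", PE_MAGIC + b"\x00" * 62 + b"placeholder, not a real PE")
        zf.writestr("View-Photo.bat", "@echo off\r\nPhoto.bmp\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for reason in triage("angelina_ph@corp.example", "bob@corp.example",
                         "My Best Photo", "Photo.zip", sample):
        print("-", reason)
```

The extension-versus-magic check is the part worth keeping beyond this one worm: a ".bmp" whose first two bytes are "MZ" is a PE file regardless of what the launcher script is called.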
When W32/Brontok-AJ is installed it copies itself to the following locations:
<User>\Local Settings\Application Data\dv<random1>\yesbron.com
<User>\Local Settings\Application Data\jalak-<random2>-bali.com
<System>\n<random3>\b<random4>.exe
<System>\n<random3>\csrss.exe
<System>\n<random3>\lsass.exe
<System>\n<random3>\services.exe
<System>\n<random3>\smss.exe
<System>\n<random3>\sv<random5>r.exe
<System>\n<random3>\winlogon.exe
<System>\c_<random6>.com
<Windows>\j<random7>.exe
<Windows>\o<random8>.exe
<Windows>\_default<random9>.pif
<Windows>\<random10>\ib<random11>.exe
where <random1> etc. are randomly-chosen numbers.
W32/Brontok-AJ installs the following files:
<System>\n<random3>\c.bron.tok.txt
<Current Folder>\Baca Bro !!!.txt
<Windows>\Tasks\At1.job
<Windows>\Tasks\At2.job
The .job files each contain a scheduled task, instructing Windows to execute the installed copies of the worm once per day.
The file c.bron.tok.txt contains the following text:
Brontok.C
By:JowoBot
The file Baca Bro !!!.txt contains the following text:
BRONTOK.C[22]
Sedikit Jawaban u/ Membungkam Mulut Sesumbar 'MEREKA'.
Nobron = Satria Dungu = Nothing !!!
Romdil = Tukang Jiplak = Nothing !!!
Nobron & Romdil -->> Kicked by The Amazing Brontok
[ By JowoBot ]
W32/Brontok-AJ closes windows whose titles contain any of the following:
task manager
registry
command prompt
system configuration
group policy
cmd.exe
computer management
scheduled task
killbox
hijack
SYSINTERNAL
PROCESS EXP
REMOVER
CLEANER
anti
washer
ertanto
BROWNIES
movzx
killer
pcmedia
pc-media
rontok
rontox
robknot
commander
windows script
norman
norton
symantec
cillin
trendmicro
bitdef
kaspersky
avg
avira
virus
trojan
worm
mcafee
b.e
folder option
wintask
alwil
sex
porn
naked
cewe
bugil
telanjang
nod32
task view
peid
ahnlab
W32/Brontok-AJ adds entries to the system HOSTS file to prevent access to security-related domains.
W32/Brontok-AJ may install a new version of the file <System>\msvbvm60.dll.
The following registry entries are created to run the installed copies of the worm on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
<random>
<User>\Local Settings\Application Data\dv<random1>\yesbron.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
<random>
<Windows>\_default<random10>.pif
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random>
<System>\n<random3>\sv<random5>r.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random>
<Windows>\j<random7>.exe
The following registry entries are changed to run j<random7>.exe and o<random8>.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\o<random8>.exe"
(the default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\j<random7>.exe
(the default value for this registry entry is "<Windows>\System32\userinit.exe,").
The following registry entry is set, disabling the registry editor (regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
Registry entries are created under:
HKCU\Software\Brontok\
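The registry changes and HOSTS tampering listed above can be checked for on a host. The following Python is an added example (not Sophos code and not part of the original description). Registry data is passed in as a dict of key path to {value name: data} so the logic runs anywhere; `read_live_snapshot()` fills that dict with the standard `winreg` module and only works on Windows. The file-name regexes are derived from the `<random>` patterns in the description, the `SAMPLE_SNAPSHOT` and `SAMPLE_HOSTS` data and the `.example` domains are constructed, and the value names `r7` and `r8` stand in for the `<random>` names.

```python
"""Check a host for the W32/Brontok-AJ persistence and HOSTS changes
described above. Added example; sample data is constructed."""
import re

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICY_SYSTEM = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
BRONTOK_KEY = r"HKCU\Software\Brontok"
RUN_KEYS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]
# Launch paths from the description, <randomN> replaced by \d+
WORM_PATHS = [re.compile(p, re.IGNORECASE) for p in (
    r"\\application data\\dv\d+\\yesbron\.com",
    r"\\_default\d+\.pif",
    r"\\n\d+\\sv\d+r\.exe",
    r"\\j\d+\.exe",
    r"\\o\d+\.exe",
)]


def check_registry(snapshot: dict) -> list:
    """Return findings for values that differ from the documented defaults."""
    findings = []
    winlogon = snapshot.get(WINLOGON, {})
    shell = winlogon.get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell changed: {shell!r}")
    userinit = winlogon.get("Userinit")
    if userinit is not None:  # default is "<Windows>\System32\userinit.exe,"
        extra = [e.strip() for e in userinit.split(",")
                 if e.strip() and not e.strip().lower().endswith(r"\system32\userinit.exe")]
        if extra:
            findings.append(f"Winlogon Userinit gained launcher(s): {extra}")
    if snapshot.get(POLICY_SYSTEM, {}).get("DisableRegistryTools") == 1:
        findings.append("DisableRegistryTools=1: regedit blocked by policy")
    adv = snapshot.get(ADVANCED, {})
    # HideFileExt=1 is also the Windows default, so only the pair the worm
    # writes (Hidden=0 and ShowSuperHidden=0) is reported, and only as a weak signal.
    if adv.get("Hidden") == 0 and adv.get("ShowSuperHidden") == 0:
        findings.append("Explorer forced to hide hidden/system files (weak signal)")
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            if any(p.search(str(data)) for p in WORM_PATHS):
                findings.append(f"{key}\\{name} -> {data}")
    if any(k.lower().startswith(BRONTOK_KEY.lower()) for k in snapshot):
        findings.append(f"{BRONTOK_KEY} key present")
    return findings


def check_hosts(text: str) -> list:
    """Flag HOSTS lines that pin a name other than localhost to a blackhole
    address, which is how the worm blocks security-related domains."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in ("127.0.0.1", "0.0.0.0", "::1"):
            continue
        for host in fields[1:]:
            if host.lower() not in ("localhost", "localhost.localdomain"):
                findings.append(f"HOSTS pins {host} to {fields[0]}")
    return findings


def read_live_snapshot() -> dict:
    """Windows only: read the keys above into the snapshot shape via winreg."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snap = {}
    for path in [WINLOGON, ADVANCED, POLICY_SYSTEM, BRONTOK_KEY, *RUN_KEYS]:
        hive, sub = path.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], sub) as key:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    values[name] = data
                    i += 1
                snap[path] = values
        except OSError:
            continue  # key absent: nothing to report for it
    return snap


SAMPLE_SNAPSHOT = {  # constructed; mirrors the values the description lists
    WINLOGON: {"Shell": r'Explorer.exe "C:\WINDOWS\o4711.exe"',
               "Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\j1234.exe"},
    POLICY_SYSTEM: {"DisableRegistryTools": 1},
    ADVANCED: {"Hidden": 0, "HideFileExt": 1, "ShowSuperHidden": 0},
    RUN_KEYS[2]: {"r7": r"C:\WINDOWS\system32\n8\sv9r.exe"},
    RUN_KEYS[3]: {"r8": r"C:\WINDOWS\j1234.exe"},
    BRONTOK_KEY: {},
}
SAMPLE_HOSTS = """# constructed sample, not from an infected machine
127.0.0.1 localhost
127.0.0.1 av-vendor.example
0.0.0.0   updates.security-site.example
"""

if __name__ == "__main__":
    for line in check_registry(SAMPLE_SNAPSHOT) + check_hosts(SAMPLE_HOSTS):
        print("-", line)
```

On an infected machine `check_registry(read_live_snapshot())` would produce the same kind of output, but note that the worm disables regedit and kills windows whose titles match its list, so run the check from a tool whose window title avoids those strings, or from offline media.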
