Threat Encyclopedia


Installation

The worm copies itself in the following locations:

%userprofile%\Local Settings\Application Data\winlogon.exe
%userprofile%\Local Settings\Application Data\services.exe
%userprofile%\Local Settings\Application Data\lsass.exe
%userprofile%\Local Settings\Application Data\inetinfo.exe
%userprofile%\Local Settings\Application Data\csrss.exe
%userprofile%\Local Settings\Application Data\smss.exe
%userprofile%\Local Settings\Application Data\IDTemplate.exe
%userprofile%\Start Menu\Programs\Startup\Empty.pif
%system%\3D Animation.scr
%windir%\Inf\norBtok.exe

Several other copies are saved in the %system% folder. The filenames may vary. The following folders are created:

%userprofile%\Local Settings\Application Data\Ok-SendMail-Bron-tok
%userprofile%\Local Settings\Application Data\Bron.tok-3.'1,2,3...'
%userprofile%\Local Settings\Application Data\BRONTOK
%userprofile%\Local Settings\Application Data\Loc.Mail.Bron.Tok

The following files are created:

%userprofile%\Local Settings\Application Data\Kosong.Bron.Tok.txt
%userprofile%\Local Settings\Application Data\BronFoldNetDomList.txt

In order to be executed on every system start, the worm sets the following Registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus" = "%windir%\Inf\norBtok.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus" = "%userprofile%\Local Settings\Application Data\smss.exe"

The following Registry entries are set:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]
"Hidden" = "0"
"ShowSuperHidden" = "0"
"HideFileExt" = "1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
"DisableCMD" = "0"
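The file copies and Registry entries above are the artifacts a responder would look for on a suspect machine. The following PowerShell script is an added example written for this entry, not code from the encyclopedia or from any vendor tool: it reads the indicators listed above and reports which are present, without changing anything. It assumes the XP-era %userprofile%\Local Settings\Application Data path given in the entry and, as an assumption, also checks %LOCALAPPDATA% (the same directory on later Windows versions). The severity tiers are the editor's own assessment: the Run-key value names and the dropped files are specific to this worm, NoFolderOptions=1 and DisableRegistryTools=1 are restrictions a home user rarely sets on purpose, while HideFileExt=1 and ShowSuperHidden=0 happen to be Windows defaults and only mean something in combination with the other findings.

```powershell
# Added example (not from the original encyclopedia entry): read-only check
# for the persistence and policy indicators listed in the "Installation"
# section. Nothing is deleted or modified.

# Entry gives the XP-era path; %LOCALAPPDATA% is assumed as the equivalent on
# later Windows versions. Empty values (e.g. no LOCALAPPDATA on XP) are dropped.
$dataDirs = @(
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data'),
    $env:LOCALAPPDATA
) | Where-Object { $_ } | Select-Object -Unique

$droppedNames = 'winlogon.exe', 'services.exe', 'lsass.exe', 'inetinfo.exe',
                'csrss.exe', 'smss.exe', 'IDTemplate.exe'

$fileIndicators = @()
foreach ($dir in $dataDirs) {
    foreach ($name in $droppedNames) { $fileIndicators += (Join-Path $dir $name) }
}
$fileIndicators += (Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup\Empty.pif')
$fileIndicators += (Join-Path $env:SystemRoot 'system32\3D Animation.scr')
$fileIndicators += (Join-Path $env:SystemRoot 'Inf\norBtok.exe')

# Expected = $null means "any data under this value name is a hit".
# Severity is the editor's assessment, see the lead-in.
$registryIndicators = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';               Name = 'Bron-Spizaetus';       Expected = $null; Severity = 'High' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';               Name = 'Tok-Cirrhatus';        Expected = $null; Severity = 'High' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Expected = 1;     Severity = 'Medium' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Expected = 1;     Severity = 'Medium' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';          Expected = 1;     Severity = 'Low' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden';      Expected = 0;     Severity = 'Low' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';               Expected = 0;     Severity = 'Low' }
)

function Test-BrontokIndicators {
    $findings = @()

    foreach ($path in $fileIndicators) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path -Force
            $findings += [pscustomobject]@{
                Severity = 'High'; Type = 'File'; Indicator = $path
                Detail   = "size=$($item.Length) modified=$($item.LastWriteTime)"
            }
        }
    }

    foreach ($ind in $registryIndicators) {
        if (-not (Test-Path -LiteralPath $ind.Key)) { continue }
        $props = Get-ItemProperty -LiteralPath $ind.Key -Name $ind.Name -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $actual = $props.($ind.Name)
        if ($null -eq $ind.Expected -or $actual -eq $ind.Expected) {
            $findings += [pscustomobject]@{
                Severity = $ind.Severity; Type = 'Registry'
                Indicator = "$($ind.Key)\$($ind.Name)"; Detail = "data=$actual"
            }
        }
    }

    # Low-severity policy values match Windows defaults; report them only when
    # something stronger was also found, to avoid flagging every clean machine.
    $strong = @($findings | Where-Object { $_.Severity -ne 'Low' })
    if ($strong.Count -eq 0) { return @() }
    return $findings | Sort-Object Severity, Type
}

$result = @(Test-BrontokIndicators)
if ($result.Count -eq 0) {
    Write-Output 'No Brontok indicators from this entry were found.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it in the account that was logged on when the infection is suspected, since the HKCU entries and the profile paths belong to that user; the HKLM Run value is visible from any account. A hit on a Run-key value name or a dropped file is the actionable result; the policy values mainly confirm that the Registry editor and file extension display were tampered with and should be restored after the files and Run entries are removed.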

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

.asp
.cfm
.csv
.doc
.eml
.htm
.html
.php
.txt
.wab

Addresses containing the following strings are avoided:

.AC.ID
.ASP
.CO.ID
.EXE
.GO.ID
.HTM
.JS
.MIL.ID
.NET.ID
.OR.ID
.PHP
.SCH.ID
.WAR.NET.ID
.WEB.ID
ADMIN
ADOBE
AHNLAB
ALADDIN
ALERT
ALWI
ANTIGEN
APACHE
ARCHIEVE
ASDF
ASSOCIATE
ASTAGA
AVAST
AVG
AVIRA
BILLING@
BLACK
BLAH
BLEEP
BOLEH
BUILDER
CANON
CENTER
CILLIN
CISCO
CMD.
CNET
COMMAND
CONTOH
CONTROL
CRACK
DARK
DATABASE
DEMO
DETIK
DEVELOP
DOMAIN
DOWNLOAD
EMAILKU
ESAFE
ESAVE
ESCAN
EXAMPLE
FEEDBACK
FIREWALL
FOO@
FUCK
FUJITSU
GATEWAY
GAUL
GOOGLE
GRISOFT
GROUP
HACK
HAURI
HIDDEN
HOTMAIL
HP.
IBM.
INDO
INFO@
INTEL.
KOMPUTER
LINUX
LOTUS
MACRO
MALWARE
MASTER
MCAFEE
MICRO
MICROSOFT
MOZILLA
MSN.
MSNSC
MYSQL
NETSCAPE
NETWORK
NEWS
NOD32
NOKIA
NORMAN
NORTON
NOVELL
NVIDIA
OPERA
OVERTURE
PANDA
PATCH
PLASA
POSTGRE
PROGRAM
PROLAND
PROMPT
PROTECT
PROXY
RECIPIENT
REGISTRY
RELAY
RESPONSE
ROBOT
SATU
SCAN
SEARCH R
SECURE
SECURITY
SEKUR
SENIOR
SERVER
SERVICE
SES_ID
SESSIO
SIEMENS
SOFT
SOME
SOPHOS
SOURCE
SPAM
SPERSKY
SUN.
SUPPORT
SYBARI
SYMANTEC
TELKOM
TEST
TREND
TRUST
UPDATE
UTILITY
VAKSIN
VBS
VIRUS
W3.
W3.ORG
XEROX
ZDNET
ZEND
ZOMBIE

Some of the following strings may be used to form the sender address:

Berita_
GaulNews_
HotNews_
Movie_
@kafegaul.com
@pornstargals.com

The subject of the message is empty. The body of the message is the following:


BRONTOK.A
-- Hentikan kebobrokan di negeri ini --

1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")

2. Stop Free Sex, Absorsi, & Prostitusi

3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.

4. SAY NO TO DRUGS !!!


-- KIAMAT SUDAH DEKAT --

Terinspirasi oleh:
Elang Brontok (Spizaetus Cirrhatus) yang hampir punah
[ By: HVM31 ]
-- JowoBot #VM Community --

The attachment is an executable of the worm. Its filename is the following:

kangen.exe

Spreading via shared folders

The following shared folders are created:

%userprofile%\My Documents\MY DATA SOURCES
%userprofile%\My Documents\MY EBOOKS
%userprofile%\My Documents\MY MUSIC
%userprofile%\My Documents\MY PICTURES
%userprofile%\My Documents\MY SHAPES
%userprofile%\My Documents\MY VIDEOS

The executables of the worm are copied there using the following filename:

kangen.exe

The worm tries to copy itself into shared folders of machines on the local network.

Other information

The worm may attempt a DoS attack on the following servers:

israel.gov.il
playboy.com

The worm may restart the operating system.