Threat Encyclopedia


Installation

When executed, the worm copies itself to the following locations:

%startup%\Empty.pif
%userprofile%\Local Settings\Application Data\smss.exe
%userprofile%\Local Settings\Application Data\services.exe
%userprofile%\Local Settings\Application Data\lsass.exe
%userprofile%\Local Settings\Application Data\inetinfo.exe
%userprofile%\Local Settings\Application Data\csrss.exe
%userprofile%\Local Settings\Application Data\winlogon.exe
%userprofile%\Templates\WowTumpeh.com
%windir%\eksplorasi.exe
%windir%\ShellNew\bronstab.exe
%windir%\system32\%username%s Setting.scr

The file is also copied to the following folders:

MY DATA SOURCES
MY DOCUMENTS
MY EBOOKS
MY MUSIC
MY PICTURES
MY SHAPES
MY VIDEOS

The filename used is the same as that of a file already present in the folder, with an additional ".exe" extension appended. To be executed on every system start, the worm sets the following Registry entries:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Bron-Spizaetus" = "%windir%\ShellNew\bronstab.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Tok-Cirrhatus" = "%userprofile%\Local Settings\Application Data\smss.exe"


The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
"Explorer.exe" = "%windir%\eksplorasi.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System]
"DisableRegistryTools" = 1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System]
"NoFolderOptions" = 1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\Explorer]
"DisableCMD" = 0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced]
"Hidden" = 0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced]
"ShowSuperHidden" = 0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced]
"HideFileExt" = 1


The worm schedules a task that causes the following file to be executed daily:

%userprofile%\Templates\WowTumpeh.com

The worm replaces the following file by one downloaded from the Internet:

%windir%\System32\drivers\etc\hosts

This blocks access to several Internet servers.

The following files are deleted:

folder.htt
IDTemplate.exe
jangan dibuka.exe
kangen.exe
myheart.exe
my heart.exe
untukmu.exe
%userprofile%\Templates\A.kotnorB.com
%userprofile%\Templates\bararontok.com
%windir%\eksplorasi.pif
%windir%\ShellNew\ElnorB.exe
%windir%\system32\3D Animation.scr

The worm may delete various other files.
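
Because the hosts file is replaced with a downloaded one, the simplest check is to parse the file and report every mapping that is not a stock localhost entry, paying special attention to names sinkholed to a loopback or unspecified address, which is how a hosts file "blocks access" to a server. The following Python is an added example, not code from the original entry; SAMPLE_HOSTS is constructed, and the .test domain names in it are placeholders rather than servers named by this description.

```python
"""Flag non-default entries in a Windows hosts file. Added example, not from
the original entry; SAMPLE_HOSTS below is constructed."""
import ipaddress

# Names a stock hosts file maps; everything else is reported for review.
DEFAULT_HOST_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (address, hostname) pairs, one per name, ignoring comments and
    blank lines. A line may list several names after one address."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            pairs.append((address, name.lower()))
    return pairs


def suspicious_hosts_entries(text):
    """Classify each non-default mapping. Entries pointing a real hostname at a
    loopback or unspecified address are the classic access-blocking pattern;
    other static mappings are reported as lower-severity so an admin can
    confirm they are intentional (e.g. an intranet name)."""
    findings = []
    for address, name in parse_hosts(text):
        if name in DEFAULT_HOST_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((address, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((address, name, "sinkholed to loopback/unspecified"))
        else:
            findings.append((address, name, "non-default static mapping"))
    return findings


# Constructed sample; the .test names are placeholders, not real servers.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-av.test      # vendor-style name pointed at loopback
0.0.0.0         www.example-security.test   # same effect with the unspecified address
10.0.0.5        intranet.corp.test          # legitimate mapping, still worth reviewing
"""

if __name__ == "__main__":
    for address, name, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"{address:<12} {name:<30} {reason}")
```

On a Windows host the file to feed in is the one listed above, %windir%\System32\drivers\etc\hosts; comparing its modification time with the infection window is a useful second check.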

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

asp
cfm
csv
eml
htm
html
php
txt
wab

Addresses containing the following strings are avoided:

...XXX
.@
.ASP
.EXE
.HTM
.JS
.PHP
.VBS
@.
@123
@ABC
@MAC
ADMIN
ADOBE
AHNLAB
ALADDIN
ALERT
ALWIL
ANTIGEN
APACHE
ARCHIEVE
ASDF
ASSOCIATE
AVAST
AVG
AVIRA
BILLING@
BLACK
BLAH
BLEEP
BUG
BUILDER
BUNTU
CANON
CILLIN
CISCO
CLICK
CNET
COMPUSE
COMPUTE
CONTOH
CRACK
DARK
DATABASE
DEMO
DEVELOP
DOMAIN
DOWNLOAD
ELECTRO
ELEKTRO
ESAFE
ESAVE
ESCAN
EXAMPLE
FEEDBACK
FOO@
FREE
FUCK
FUJI
FUJITSU
GATEWAY
GOOGLE
GRISOFT
GROUP
HACK
HAURI
HIDDEN
HP.
IBM.
IEEE
INFO@
INFORMA
INTEL.
IPTEK
KDE
KOMPUTER
LAB
LINUX
LOOKSMART
LOTUS
LUCENT
MACRO
MASTER
MATH
MICRO
MICROSOFT
MOZILLA
MYSQL
NASA
NETSCAPE
NETWORK
NEWS
NOD32
NOKIA
NORMAN
NORTON
NOVELL
NVIDIA
OPERA
OVERTURE
PANDA
POSTGRE
PROGRAM
PROLAND
PROMO
PROTECT
PROXY
RECIPIENT
REDHA
REGIST
RELAY
RESPONSE
ROBOT
SALES
SECUN
SECURE
SECURITY
SEKUR
SENIOR
SERVER
SERVICE
SIEMENS
SIERRA
SLACK
SMTP
SOFT
SOME
SOURCE
SPAM
SPERSKY
SPYW
STUDIO
SUN.
SUPPORT
SUSE
SYBARI
SYMANTEC
SYNDICAT
TELECOM
TEST
TRACK
TREND
TRUST
UPDATE
USERNAME
VAKSIN
VIRUS
W3.
WWW
XANDROS
XEROX
YAHOO
YOUR
ZDNET
ZEND
ZOMBIE

The sender address is one of the following:

Berita__XX@kafegaul.com
GaulNew_XX@kafegaul.com
HotNews_XX@playboy.com
Movie_XX@playboy.com

The message depends entirely on data the worm downloads from the Internet.

Spreading via shared folders

The worm searches for shared folders and copies its executables there, using the name of a file already present in the folder with an additional ".exe" extension appended. Alternatively, the following name may be used:

Data %username%.exe

The worm also copies itself to the root folders of removable drives.
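
The naming trick used in document folders, shared folders and removable drives leaves a recognisable trace: a "name.ext.exe" file sitting next to the "name.ext" it was cloned from, which the HideFileExt policy above then displays as "name.ext". The following Python is an added example, not code from the original entry: it flags such shadow copies and the "Data <username>.exe" name from the description in any directory listing. The filenames in the demo listing are constructed.

```python
"""Find executables that shadow an existing file by appending ".exe", plus the
"Data <username>.exe" name, in a directory listing. Added example, not from
the original entry; the demo listing is constructed."""
import os
import re
import tempfile

# "Data <anything>.exe", matched case-insensitively (the worm's alternative name).
DATA_NAME_PATTERN = re.compile(r"^data .+\.exe$", re.IGNORECASE)


def flag_names(names):
    """Return (filename, reason) pairs for suspicious names in one folder.
    A file is a shadow copy when stripping its ".exe" yields another file that
    is present in the same listing, e.g. "budget.xls.exe" beside "budget.xls"."""
    present = {n.lower() for n in names}
    findings = []
    for name in names:
        low = name.lower()
        if not low.endswith(".exe"):
            continue
        stem = low[:-len(".exe")]
        if stem in present:
            findings.append((name, f"shadows existing file {name[:-4]!r}"))
        elif DATA_NAME_PATTERN.match(low):
            findings.append((name, "matches the 'Data <username>.exe' name"))
    return findings


def scan_directory(path):
    """Apply flag_names to the regular files directly inside one directory."""
    with os.scandir(path) as it:
        names = [entry.name for entry in it if entry.is_file()]
    return flag_names(names)


# Constructed demo listing for a shared folder.
DEMO_LISTING = ["budget.xls", "budget.xls.exe", "notes.txt", "Data alice.exe", "setup.exe"]

if __name__ == "__main__":
    # Build a throwaway folder with the demo names and scan it end to end.
    with tempfile.TemporaryDirectory() as folder:
        for name in DEMO_LISTING:
            with open(os.path.join(folder, name), "wb"):
                pass
        for name, reason in scan_directory(folder):
            print(f"{name}: {reason}")
```

The stem check is deliberately strict: "setup.exe" is not reported unless a file called "setup" also exists, which keeps ordinary installers out of the results while still catching every clone the description's naming scheme can produce.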

Other information

The following text is displayed:

BRONTOK.A[10]

-- Hentikan kebobrokan di negeri ini --

1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")

2. Stop Free Sex, Aborsi, & Prostitusi
( Go To HELL )

3. Stop pencemaran lingkungan, pembakaran hutan & perburuan liar.

4. SAY NO TO FRUGS !!!


-- KIAMAT SUDAH DEKAT --

Terinspirasi oleh:
Elang Brontok (Spizaetus Cirrhatus) yang hampir punah
[ By: HVM31 ]
-- JowoBot #VM Community --

!!! Akan Kubuat Mereka (VM lokal yg cengeng & bodoh) Terkapar !!!


The following programs are terminated:

avgemc.exe
ccapps.exe
mcvsescn.exe
poproxy.exe
riyani_jangkaru.exe
syslove.exe
systray.exe
tskmgr.exe
xpshare.exe

The worm restarts the operating system if there is a window with any of the following strings in its name:

.EXE
COMMAND PROMPT
KILLBOX
LOG OFF WINDOWS
REGISTRY
SCRIPT HOST
SHUT DOWN
SYSTEM CONFIGURATION
TASKKILL
TASK KILL

The worm performs a DoS attack against two servers.

The worm tries to download a file from the Internet and then executes it.