WORM_BRONTOK.MFT

This worm arrives as attachment to mass-mailed email messages. It arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It uses the default Windows folder icon to trick users into opening the file. Double-clicking the file executes this malware.

It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.

As of this writing, the said sites are inaccessible.

Arrival Details

This worm arrives as attachment to mass-mailed email messages.

It arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

• %AppDataLocal%\smss.exe
• %AppDataLocal%\services.exe
• %AppDataLocal%\lsass.exe
• %AppDataLocal%\inetinfo.exe
• %AppDataLocal%\csrss.exe
• %AppDataLocal%\svchost.exe
• %AppDataLocal%\winlogon.exe

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

• %AppDataLocal%\BronMes{random characters}.ini
• %System%\system32\sistem.sys

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It drops the following copies of itself into the affected system:

• %User Profile%\Local Settings\Application Data\br{random characters}on.exe
• %User Profile%\Templates\{random 5 characters}-NendangBro.com
• %System%\(username)'s Setting.scr
• %System%\DXBLCI.exe
• %System%\cmd-bro-{random 3 characters}.exe
• %Windows%\SHELLNEW\bbm-{random 8 characters}.exe
• %Windows%\sembako-{random 7 characters}.exe

It uses the default Windows folder icon to trick users into opening the file. Double-clicking the file executes this malware.

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Bron-Spizaetus-{random 8 characters} = "%System%\ShellNew\bbm-{random 8 characters}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Tok-Cirrhatus-{random 4 characters} = "%AppDataLocal%\br{random characters}on.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe "%System%\sembako-{random 7 characters}.exe""

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot
AlternateShell = "cmd-bro-{random 3 characters}.exe"

The scheduled task executes the malware every:

• 5:08 PM
• 11:03 AM

It enables its automatic execution at every system startup by dropping the following copies of itself into the Windows Common Startup folder:

• %User Profile%\Start Menu\Programs\Startup\Empty.pif

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Other System Modifications

This worm adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableCMD = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoFolderOptions = "1"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "0"

(Note: The default value data of the said registry entry is "1".)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = "1"

(Note: The default value data of the said registry entry is "0".)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is "1".)

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• {Removable Drive Letter}:\Data {username}.exe

It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.

It gathers target email addresses from files with the following extensions:

• .HTM
• .HTML
• .TXT
• .EML
• .WAB
• .ASP
• .PHP
• .CFM
• .CSV
• .DOC

It avoids sending email messages to addresses containing the following strings:

• SECURE
• SUPPORT
• MASTER
• MICROSOFT
• VIRUS
• HACK
• CRACK
• LINUX
• AVG
• GRISOFT
• CILLIN
• SECURITY
• SYMANTEC
• ASSOCIATE
• VAKSIN
• NORTON
• NORMAN
• PANDA
• SOFT
• SPAM
• BLAH
• YOUR
• SOME
• ASDF
• @.
• .@
• WWW
• VAKSIN
• DEVELOP
• PROGRAM
• SOURCE
• NETWORK
• UPDATE
• TEST
• ..
• XXX
• SMTP
• EXAMPLE
• CONTOH
• INFO@
• BILLING@
• .ASP
• .PHP
• .HTM
• .EXE
• .JS
• .VBS
• DOMAIN
• HIDDEN
• DEMO
• DEVELOP
• FOO@
• KOMPUTER
• SENIOR
• DARK
• BLACK
• BLEEP
• FEEDBACK
• IBM.
• INTEL.
• MACRO
• ADOBE
• FUCK
• RECIPIENT
• SERVER
• PROXY
• ZEND
• ZDNET
• CNET
• DOWNLOAD
• HP.
• XEROX
• CANON
• SERVICE
• ARCHIEVE
• NETSCAPE
• MOZILLA
• OPERA
• NOVELL
• NEWS
• UPDATE
• RESPONSE
• OVERTURE
• GROUP
• GATEWAY
• RELAY
• ALERT
• SEKUR
• CISCO
• LOTUS
• MICRO
• TREND
• SIEMENS
• FUJITSU
• NOKIA
• W3.
• NVIDIA
• APACHE
• MYSQL
• POSTGRE
• SUN.
• GOOGLE
• SPERSKY
• ZOMBIE
• ADMIN
• AVIRA
• AVAST
• TRUST
• ESAVE
• ESAFE
• PROTECT
• ALADDIN
• ALERT
• BUILDER
• DATABASE
• AHNLAB
• PROLAND
• ESCAN
• HAURI
• NOD32
• SYBARI
• ANTIGEN
• ROBOT
• ALWIL
• BROWSE
• COMPUSE
• COMPUTE
• SECUN
• SPYW
• REGIST
• FREE
• BUG
• MATH
• LAB
• IEEE
• KDE
• TRACK
• INFORMA
• FUJI
• @MAC
• SLACK
• REDHA
• SUSE
• BUNTU
• XANDROS
• @ABC
• @123
• LOOKSMART
• SYNDICAT
• ELEKTRO
• ELECTRO
• NASA
• LUCENT
• TELECOM
• STUDIO
• SIERRA
• USERNAME
• IPTEK
• CLICK
• SALES
• PROMO

Download Routine

As of this writing, the said sites are inaccessible.

Other Details

This worm terminates itself if windows or classes contain any of the following string(s):

• REGISTRY
• SYSTEM CONFIGURATION
• COMMAND PROMPT
• .EXE
• SHUTDOWN
• SCRIPT HOST
• LOG OFF WINDOWS
• KILLBOX
• TASK KILL
• TASKKILL
• HIJACK
• BLEEPING
• SYSINTERNAL
• PROCESS EXP
• FAJARWEB
• REMOVER
• CLEANER
• GROUP POLICY
• MOVZX

NOTES:

It tries to download from the following URLs:

• http://www.{BLOCKED}b.com/Kids/{random characters}/{random characters}.css

It pings for the following URLs:

• http://www.{BLOCKED}n.com
• http://www.{BLOCKED}s.com
• http://www.{BLOCKED}eb.com

This worm restarts the system if the following strings are present in an existing window:

• REGISTRY
• SYSTEM CONFIGURATION
• COMMAND PROMPT
• .EXE
• SHUTDOWN
• SCRIPT HOST
• LOG OFF WINDOWS
• KILLBOX
• TASK KILL
• TASKKILL
• HIJACK
• BLEEPING
• SYSINTERNAL
• PROCESS EXP
• FAJARWEB
• REMOVER
• CLEANER
• GROUP POLICY
• MOVZX