ALIASES:

Brontok

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via removable drives, Downloaded from the Internet

Earlier variants of the RONTOKBRO malware family were first spotted in 2005. Also known as BRONTOK, the family is said to originate from Indonesia, home to the brontok bird, a kind of hawk-eagle.

RONTOKBRO malware self-replicates and is therefore categorized as a worm. It typically spreads across systems via removable drives. Earlier versions also spread by harvesting email addresses from affected systems and sending out copies of themselves via SMTP.

It also prevents users from opening the Windows registry editor, by setting the DisableRegistryTools policy. This makes the malware harder to remove from affected computers.

This worm modifies the affected system's HOSTS file, pointing a list of security-vendor and other websites at a loopback address so that they can no longer be reached.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Modifies HOSTS file, Connects to URLs/IPs

Installation

This worm drops the following copies of itself into the affected system:

  • %Application Data%\{random folder name}\yesbron.com
  • %Application Data%\jalak-{random numbers}-bali.com
  • %System%\c_{random numbers}k.com
  • %System%\{random folder name}\smss.exe
  • %System%\{random folder name}\csrss.exe
  • %System%\{random folder name}\lsass.exe
  • %System%\{random folder name}\m{random numbers}.exe
  • %System%\{random folder name}\services.exe
  • %System%\{random folder name}\winlogon.exe
  • %System%\{random folder name}\{random file name}.exe
  • %Windows%\{random file name}.exe
  • %Windows%\_default{random numbers}.pif
  • %Windows%\{random folder name}\{random file name}.exe

It drops the following files:

  • %System Root%\Baca Bro !!!.txt
  • %System%\{random folder name}\c.bron.tok.txt
  • %System%\{random folder name}\domlist.txt

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System32.)

It creates the following folders:

  • %Application Data%\{random folder name}
  • %System%\{random folder name}
  • %System%\{random folder name}\Spread.Mail.Bro
  • %System%\{random folder name}\Spread.Sent.Bro
  • %Windows%\{random folder name}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7. %System% is the Windows system folder, which is usually C:\Windows\System32. %Windows% is the Windows folder, which is usually C:\Windows.)
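A dropped-file sweep, added here as an illustration and not part of the original write-up. It turns the drop list above into checks: core-process names (smss.exe, csrss.exe, lsass.exe, services.exe, winlogon.exe) found anywhere but directly in %System%, the fixed and semi-fixed artefact names, and .com/.pif executables sitting directly under %Windows%. The sample listing, the folder names folderA/folderB, the user name and the digits standing in for {random numbers} are all constructed; the stock %Windows%\_default.pif that Windows 2000/XP ship is excluded so it is not flagged.

```python
# Added example (not part of the original write-up): sweep paths for the drop
# patterns documented above. Folder, user and file names in the sample are constructed.
import os
import re
from pathlib import PureWindowsPath

# Legitimate copies of these live directly in %System%; a copy anywhere else,
# including a subfolder of %System%, is a masquerade.
MASQUERADE_NAMES = {"smss.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe"}

# Fixed and semi-fixed artefact names from the drop list ({random numbers} -> \d+).
DROP_PATTERNS = [re.compile(p, re.I) for p in (
    r"^yesbron\.com$",
    r"^jalak-\d+-bali\.com$",
    r"^c_\d+k\.com$",
    r"^_default\d+\.pif$",
    r"^baca bro !!!\.txt$",
    r"^c\.bron\.tok\.txt$",
    r"^domlist\.txt$",
    r"^spread\.(mail|sent)\.bro$",
)]


def classify(path, system_dir=r"C:\Windows\System32", windows_dir=r"C:\Windows"):
    """Return a reason string if `path` matches a documented drop pattern, else None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    sysdir = str(PureWindowsPath(system_dir)).lower()
    windir = str(PureWindowsPath(windows_dir)).lower()

    if any(pat.match(name) for pat in DROP_PATTERNS):
        return f"known RONTOKBRO artefact name: {p.name}"
    if name in MASQUERADE_NAMES and parent != sysdir:
        return f"{p.name} outside {system_dir}"
    # Windows 2000/XP ship one stock _default.pif in %Windows%; any other .com/.pif
    # executable sitting directly in that folder deserves a look.
    if parent == windir and name.endswith((".com", ".pif")) and name != "_default.pif":
        return f"{p.suffix} executable directly under {windows_dir}"
    return None


def sweep_paths(paths, **dirs):
    """Classify an iterable of full paths; return [(path, reason)] for the hits."""
    hits = []
    for path in paths:
        reason = classify(path, **dirs)
        if reason:
            hits.append((path, reason))
    return hits


def sweep_disk(root=r"C:\Windows", **dirs):
    """Walk a live volume (Windows only) and classify every file and folder found."""
    def walk():
        for dirpath, dirnames, filenames in os.walk(root):
            for n in dirnames + filenames:
                yield os.path.join(dirpath, n)
    return sweep_paths(walk(), **dirs)


# Constructed listing, not from a real infection: legitimate paths mixed with paths
# shaped like the drops above ("folderA"/"folderB" stand in for the random names).
SAMPLE_PATHS = [
    r"C:\Windows\System32\smss.exe",                                   # legitimate
    r"C:\Windows\System32\folderA\smss.exe",                           # masquerade
    r"C:\Windows\System32\folderA\csrss.exe",                          # masquerade
    r"C:\Windows\System32\c_4815k.com",
    r"C:\Windows\_default.pif",                                        # stock file
    r"C:\Windows\_default16.pif",
    r"C:\Windows\explorer.exe",                                        # legitimate
    r"C:\Documents and Settings\bob\Application Data\folderB\yesbron.com",
    r"C:\Documents and Settings\bob\Application Data\jalak-2716-bali.com",
    r"C:\Baca Bro !!!.txt",
    r"C:\Windows\System32\folderA\Spread.Mail.Bro",
    r"C:\Windows\System32\folderA\domlist.txt",
]

if __name__ == "__main__":
    for path, reason in sweep_paths(SAMPLE_PATHS):
        print(f"{path}\n    -> {reason}")
```

sweep_disk() walks a live volume and is only meaningful on Windows; sweep_paths() accepts any list of paths, for instance a directory listing exported from an image, which is the offline case the classification is written for.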

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\run
{random characters} = "%Application Data%\{random folder name}\yesbron.com"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random characters} = "%System%\{random folder name}\{random file name}.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\run
{random characters} = "%Windows%\_default{random numbers}.pif"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random characters} = "%Windows%\{random file name}.exe"

It modifies the following registry entries to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe "%Windows%\{random file name}.exe""

(Note: The default value data of the said registry entry is Explorer.exe.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,%Windows%\{random file name}.exe"

(Note: The default value data of the said registry entry is "%System%\userinit.exe," including the trailing comma.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot
AlternateShell = "c_{random numbers}k.com"

(Note: The default value data of the said registry entry is cmd.exe. AlternateShell is the program Windows starts in place of Explorer when the machine is booted into Safe Mode with Command Prompt, so with this change that boot option launches the dropped c_{random numbers}k.com instead of a command prompt. Plain Safe Mode still honors the modified Winlogon Shell value above, so no Safe Mode variant is a clean environment for removal; cleaning from offline media is safer.)

Other System Modifications

This worm adds the following registry keys:

HKEY_CURRENT_USER\Software\Brontok

It adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Schedule
AtTaskMaxHours = "48"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is 1.)
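A registry triage script, added here as an example rather than taken from the original write-up. It compares the Winlogon, SafeBoot and policy values listed above with the defaults the notes give, and flags Run-key entries that point at .com/.pif files, at files directly under %Windows% or at a subfolder of %System%, which is where this worm drops its copies. The check functions work on plain dictionaries so they can be run over values pulled from an offline hive; collect_live() reads a live registry via winreg and only works on Windows. The sample values, value names (rnd1 and so on) and file names (qwerty.exe, zxcv.exe, folderA, folderB) are constructed stand-ins for the random ones.

```python
# Added example (not part of the original write-up): compare the registry values listed
# above with their documented defaults. The check functions take plain dicts, so they run
# offline over values pulled from an image; collect_live() needs Windows. Sample names
# such as "qwerty", "folderA" and "rnd1" are constructed stand-ins for the random ones.
import ntpath

WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAFEBOOT = r"SYSTEM\CurrentControlSet\Control\SafeBoot"
POL_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
POL_RUN = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"

# (hive, subkey, value name, documented default); None = must be absent or 0. The three
# Explorer\Advanced defaults are user preferences: a hit there is a change, not proof.
CHECKS = [
    ("HKLM", WINLOGON, "Shell", "explorer.exe"),
    ("HKLM", WINLOGON, "Userinit", r"%System%\userinit.exe,"),  # trailing comma is part of the default
    ("HKLM", SAFEBOOT, "AlternateShell", "cmd.exe"),
    ("HKCU", POL_SYSTEM, "DisableRegistryTools", None),
    ("HKCU", ADVANCED, "Hidden", 1),
    ("HKCU", ADVANCED, "HideFileExt", 0),
    ("HKCU", ADVANCED, "ShowSuperHidden", 1),
]
RUN_KEYS = [("HKCU", RUN), ("HKCU", POL_RUN), ("HKLM", RUN), ("HKLM", POL_RUN)]

def _norm(data, system_dir):
    # Expand %System%, strip quotes/whitespace, lower-case; registry paths are case-insensitive.
    if not isinstance(data, str):
        return data
    return data.replace("%System%", system_dir).strip().strip('"').lower()

def check_values(values, system_dir=r"C:\Windows\System32"):
    """values: {(hive, subkey, name): data}; an absent value is simply a missing key."""
    findings = []
    for hive, subkey, name, expected in CHECKS:
        loc = f"{hive}\\{subkey}\\{name}"
        actual = values.get((hive, subkey, name))
        if expected is None:
            if actual not in (None, 0):
                findings.append(f"{loc} = {actual!r} (should not be set)")
        elif actual is None:
            findings.append(f"{loc} missing (expected {expected!r})")
        elif _norm(actual, system_dir) != _norm(expected, system_dir):
            findings.append(f"{loc} = {actual!r} (expected {expected!r})")
    return findings

def check_run_entries(runs, system_dir=r"C:\Windows\System32", windows_dir=r"C:\Windows"):
    """runs: {(hive, subkey): {value name: data}}. Flags autostarts that point at .com/.pif
    files, at anything directly under %Windows%, or at a subfolder of %System%."""
    findings = []
    sysdir, windir = system_dir.lower(), windows_dir.lower()
    for hive, subkey in RUN_KEYS:
        for name, data in runs.get((hive, subkey), {}).items():
            target = str(data).strip().strip('"').lower()
            folder, ext = ntpath.dirname(target), ntpath.splitext(target)[1]
            why = []
            if ext in (".com", ".pif"):
                why.append(f"{ext} autostart")
            if folder == windir:
                why.append("target directly under %Windows%")
            elif folder.startswith(sysdir + "\\"):
                why.append("target in a subfolder of %System%")
            if why:
                findings.append(f"{hive}\\{subkey}\\{name} -> {data!r}: " + "; ".join(why))
    return findings

def collect_live():
    """Read the same values from the live registry (Windows only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    values, runs = {}, {}
    for hive, subkey, name, _ in CHECKS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                values[(hive, subkey, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass  # key or value absent
    for hive, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                pairs = [winreg.EnumValue(k, i)[:2] for i in range(winreg.QueryInfoKey(k)[1])]
        except OSError:
            pairs = []
        runs[(hive, subkey)] = dict(pairs)
    return values, runs

# Constructed values shaped like the entries documented above.
INFECTED_VALUES = {
    ("HKLM", WINLOGON, "Shell"): r'Explorer.exe "C:\Windows\qwerty.exe"',
    ("HKLM", WINLOGON, "Userinit"): r"C:\WINDOWS\system32\userinit.exe,C:\Windows\qwerty.exe",
    ("HKLM", SAFEBOOT, "AlternateShell"): "c_4815k.com",
    ("HKCU", POL_SYSTEM, "DisableRegistryTools"): 1,
    ("HKCU", ADVANCED, "Hidden"): 0,
    ("HKCU", ADVANCED, "HideFileExt"): 1,
    ("HKCU", ADVANCED, "ShowSuperHidden"): 0,
}
INFECTED_RUNS = {
    ("HKCU", RUN): {"rnd1": r"C:\Windows\System32\folderA\zxcv.exe", "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    ("HKCU", POL_RUN): {"rnd2": r"C:\Documents and Settings\bob\Application Data\folderB\yesbron.com"},
    ("HKLM", RUN): {"rnd3": r"C:\Windows\qwerty.exe"},
    ("HKLM", POL_RUN): {"rnd4": r"C:\Windows\_default16.pif"},
}
```

Against the constructed sample, check_values(INFECTED_VALUES) reports all seven values and check_run_entries(INFECTED_RUNS) reports the four rnd entries while leaving the legitimate ctfmon.exe entry alone. On a live Windows host, values, runs = collect_live() followed by the same two calls gives the report for the real registry. The Explorer\Advanced checks compare against the defaults the notes above state; those three are user preferences, so treat a hit there as corroborating evidence only.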

HOSTS File Modification

This worm modifies the affected system's HOSTS file by adding the following entries. Each maps a host name to 127.0.0.22, an address in the loopback range, so the name resolves to the local machine and the site (mostly antivirus vendors, security forums and update servers) becomes unreachable:

  • 127.0.0.22 17tahun.com
  • 127.0.0.22 17tahun.net
  • 127.0.0.22 17tahun.org
  • 127.0.0.22 ae.trendmicro-europe.com
  • 127.0.0.22 ae.trendmicro-europe.net
  • 127.0.0.22 ae.trendmicro-europe.org
  • 127.0.0.22 anti-virus.com
  • 127.0.0.22 anti-virus.net
  • 127.0.0.22 anti-virus.org
  • 127.0.0.22 antivirus.com
  • 127.0.0.22 antivirus.net
  • 127.0.0.22 antivirus.org
  • 127.0.0.22 backup.grisoft.com
  • 127.0.0.22 backup.grisoft.net
  • 127.0.0.22 backup.grisoft.org
  • 127.0.0.22 bhs.com
  • 127.0.0.22 bhs.net
  • 127.0.0.22 bhs.org
  • 127.0.0.22 blog.compactbyte.com
  • 127.0.0.22 blog.compactbyte.net
  • 127.0.0.22 blog.compactbyte.org
  • 127.0.0.22 blogs.compactbyte.com
  • 127.0.0.22 blogs.compactbyte.net
  • 127.0.0.22 blogs.compactbyte.org
  • 127.0.0.22 ca.com
  • 127.0.0.22 ca.net
  • 127.0.0.22 ca.org
  • 127.0.0.22 castlecops.com
  • 127.0.0.22 castlecops.net
  • 127.0.0.22 castlecops.org
  • 127.0.0.22 cheyenne.com
  • 127.0.0.22 cheyenne.net
  • 127.0.0.22 cheyenne.org
  • 127.0.0.22 compactbyte.com
  • 127.0.0.22 compactbyte.net
  • 127.0.0.22 compactbyte.org
  • 127.0.0.22 datafellows.com
  • 127.0.0.22 datafellows.net
  • 127.0.0.22 datafellows.org
  • 127.0.0.22 download.mcafee.com
  • 127.0.0.22 download.mcafee.net
  • 127.0.0.22 download.mcafee.org
  • 127.0.0.22 downloads1.kaspersky-labs.com
  • 127.0.0.22 downloads1.kaspersky-labs.net
  • 127.0.0.22 downloads1.kaspersky-labs.org
  • 127.0.0.22 downloads2.kaspersky-labs.com
  • 127.0.0.22 downloads2.kaspersky-labs.net
  • 127.0.0.22 downloads2.kaspersky-labs.org
  • 127.0.0.22 downloads3.kaspersky-labs.com
  • 127.0.0.22 downloads3.kaspersky-labs.net
  • 127.0.0.22 downloads3.kaspersky-labs.org
  • 127.0.0.22 downloads4.kaspersky-labs.com
  • 127.0.0.22 downloads4.kaspersky-labs.net
  • 127.0.0.22 downloads4.kaspersky-labs.org
  • 127.0.0.22 esafe.com
  • 127.0.0.22 esafe.net
  • 127.0.0.22 esafe.org
  • 127.0.0.22 europe.f-secure.com
  • 127.0.0.22 europe.f-secure.net
  • 127.0.0.22 europe.f-secure.org
  • 127.0.0.22 f-secure.com
  • 127.0.0.22 f-secure.net
  • 127.0.0.22 f-secure.org
  • 127.0.0.22 fajarweb.com
  • 127.0.0.22 fajarweb.net
  • 127.0.0.22 fajarweb.org
  • 127.0.0.22 forum.vaksin.com
  • 127.0.0.22 forum.vaksin.net
  • 127.0.0.22 forum.vaksin.org
  • 127.0.0.22 free-av.com
  • 127.0.0.22 free-av.net
  • 127.0.0.22 free-av.org
  • 127.0.0.22 grisoft.com
  • 127.0.0.22 grisoft.net
  • 127.0.0.22 grisoft.org
  • 127.0.0.22 icubed.com
  • 127.0.0.22 icubed.net
  • 127.0.0.22 icubed.org
  • 127.0.0.22 infokomputer.com
  • 127.0.0.22 infokomputer.net
  • 127.0.0.22 infokomputer.org
  • 127.0.0.22 it.trendmicro-europe.com
  • 127.0.0.22 it.trendmicro-europe.net
  • 127.0.0.22 it.trendmicro-europe.org
  • 127.0.0.22 jasakom.com
  • 127.0.0.22 jasakom.net
  • 127.0.0.22 jasakom.org
  • 127.0.0.22 jeruk.padinet.com
  • 127.0.0.22 jeruk.padinet.net
  • 127.0.0.22 jeruk.padinet.org
  • 127.0.0.22 kaskus.com
  • 127.0.0.22 kaskus.net
  • 127.0.0.22 kaskus.org
  • 127.0.0.22 kaspersky-labs.com
  • 127.0.0.22 kaspersky-labs.net
  • 127.0.0.22 kaspersky-labs.org
  • 127.0.0.22 kaspersky.com
  • 127.0.0.22 kaspersky.net
  • 127.0.0.22 kaspersky.org
  • 127.0.0.22 liveupdate.symantec.com
  • 127.0.0.22 liveupdate.symantec.net
  • 127.0.0.22 liveupdate.symantec.org
  • 127.0.0.22 liveupdate.symantecliveupdate.com
  • 127.0.0.22 liveupdate.symantecliveupdate.net
  • 127.0.0.22 liveupdate.symantecliveupdate.org
  • 127.0.0.22 mcafee.com
  • 127.0.0.22 mcafee.net
  • 127.0.0.22 mcafee.org
  • 127.0.0.22 mcafeeb2b.com
  • 127.0.0.22 mcafeeb2b.net
  • 127.0.0.22 mcafeeb2b.org
  • 127.0.0.22 mcafeesecurity.com
  • 127.0.0.22 mcafeesecurity.net
  • 127.0.0.22 mcafeesecurity.org
  • 127.0.0.22 nai.com
  • 127.0.0.22 nai.net
  • 127.0.0.22 nai.org
  • 127.0.0.22 norman.com
  • 127.0.0.22 norman.net
  • 127.0.0.22 norman.org
  • 127.0.0.22 norton.com
  • 127.0.0.22 norton.net
  • 127.0.0.22 norton.org
  • 127.0.0.22 ontrack.com
  • 127.0.0.22 ontrack.net
  • 127.0.0.22 ontrack.org
  • 127.0.0.22 padinet.com
  • 127.0.0.22 padinet.net
  • 127.0.0.22 padinet.org
  • 127.0.0.22 pandasoftware.com
  • 127.0.0.22 pandasoftware.net
  • 127.0.0.22 pandasoftware.org
  • 127.0.0.22 perantivirus.com
  • 127.0.0.22 perantivirus.net
  • 127.0.0.22 perantivirus.org
  • 127.0.0.22 playboy.com
  • 127.0.0.22 playboy.net
  • 127.0.0.22 playboy.org
  • 127.0.0.22 pornstargals.com
  • 127.0.0.22 pornstargals.net
  • 127.0.0.22 pornstargals.org
  • 127.0.0.22 sands.com
  • 127.0.0.22 sands.net
  • 127.0.0.22 sands.org
  • 127.0.0.22 sarc.com
  • 127.0.0.22 sarc.net
  • 127.0.0.22 sarc.org
  • 127.0.0.22 secunia.com
  • 127.0.0.22 secunia.net
  • 127.0.0.22 secunia.org
  • 127.0.0.22 securityresponse.symantec.com
  • 127.0.0.22 securityresponse.symantec.net
  • 127.0.0.22 securityresponse.symantec.org
  • 127.0.0.22 sex-mission.com
  • 127.0.0.22 sex-mission.net
  • 127.0.0.22 sex-mission.org
  • 127.0.0.22 sophos.com
  • 127.0.0.22 sophos.net
  • 127.0.0.22 sophos.org
  • 127.0.0.22 symantec.com
  • 127.0.0.22 symantec.net
  • 127.0.0.22 symantec.org
  • 127.0.0.22 trendmicro-europe.com
  • 127.0.0.22 trendmicro-europe.net
  • 127.0.0.22 trendmicro-europe.org
  • 127.0.0.22 trendmicro.com
  • 127.0.0.22 trendmicro.net
  • 127.0.0.22 trendmicro.org
  • 127.0.0.22 update.symantec.com
  • 127.0.0.22 update.symantec.net
  • 127.0.0.22 update.symantec.org
  • 127.0.0.22 vaksin.com
  • 127.0.0.22 vaksin.net
  • 127.0.0.22 vaksin.org
  • 127.0.0.22 vil.nai.com
  • 127.0.0.22 vil.nai.net
  • 127.0.0.22 vil.nai.org
  • 127.0.0.22 virustotal.com
  • 127.0.0.22 virustotal.net
  • 127.0.0.22 virustotal.org
  • 127.0.0.22 winantivirus.com
  • 127.0.0.22 winantivirus.net
  • 127.0.0.22 winantivirus.org
  • 127.0.0.22 www.17tahun.com
  • 127.0.0.22 www.17tahun.net
  • 127.0.0.22 www.17tahun.org
  • 127.0.0.22 www.ae.trendmicro-europe.com
  • 127.0.0.22 www.ae.trendmicro-europe.net
  • 127.0.0.22 www.ae.trendmicro-europe.org
  • 127.0.0.22 www.anti-virus.com
  • 127.0.0.22 www.anti-virus.net
  • 127.0.0.22 www.anti-virus.org
  • 127.0.0.22 www.antivirus.com
  • 127.0.0.22 www.antivirus.net
  • 127.0.0.22 www.antivirus.org
  • 127.0.0.22 www.backup.grisoft.com
  • 127.0.0.22 www.backup.grisoft.net
  • 127.0.0.22 www.backup.grisoft.org
  • 127.0.0.22 www.bhs.com
  • 127.0.0.22 www.bhs.net
  • 127.0.0.22 www.bhs.org
  • 127.0.0.22 www.blog.compactbyte.com
  • 127.0.0.22 www.blog.compactbyte.net
  • 127.0.0.22 www.blog.compactbyte.org
  • 127.0.0.22 www.blogs.compactbyte.com
  • 127.0.0.22 www.blogs.compactbyte.net
  • 127.0.0.22 www.blogs.compactbyte.org
  • 127.0.0.22 www.ca.com
  • 127.0.0.22 www.ca.net
  • 127.0.0.22 www.ca.org
  • 127.0.0.22 www.castlecops.com
  • 127.0.0.22 www.castlecops.net
  • 127.0.0.22 www.castlecops.org
  • 127.0.0.22 www.cheyenne.com
  • 127.0.0.22 www.cheyenne.net
  • 127.0.0.22 www.cheyenne.org
  • 127.0.0.22 www.compactbyte.com
  • 127.0.0.22 www.compactbyte.net
  • 127.0.0.22 www.compactbyte.org
  • 127.0.0.22 www.datafellows.com
  • 127.0.0.22 www.datafellows.net
  • 127.0.0.22 www.datafellows.org
  • 127.0.0.22 www.download.mcafee.com
  • 127.0.0.22 www.download.mcafee.net
  • 127.0.0.22 www.download.mcafee.org
  • 127.0.0.22 www.downloads1.kaspersky-labs.com
  • 127.0.0.22 www.downloads1.kaspersky-labs.net
  • 127.0.0.22 www.downloads1.kaspersky-labs.org
  • 127.0.0.22 www.downloads2.kaspersky-labs.com
  • 127.0.0.22 www.downloads2.kaspersky-labs.net
  • 127.0.0.22 www.downloads2.kaspersky-labs.org
  • 127.0.0.22 www.downloads3.kaspersky-labs.com
  • 127.0.0.22 www.downloads3.kaspersky-labs.net
  • 127.0.0.22 www.downloads3.kaspersky-labs.org
  • 127.0.0.22 www.downloads4.kaspersky-labs.com
  • 127.0.0.22 www.downloads4.kaspersky-labs.net
  • 127.0.0.22 www.downloads4.kaspersky-labs.org
  • 127.0.0.22 www.esafe.com
  • 127.0.0.22 www.esafe.net
  • 127.0.0.22 www.esafe.org
  • 127.0.0.22 www.europe.f-secure.com
  • 127.0.0.22 www.europe.f-secure.net
  • 127.0.0.22 www.europe.f-secure.org
  • 127.0.0.22 www.f-secure.com
  • 127.0.0.22 www.f-secure.net
  • 127.0.0.22 www.f-secure.org
  • 127.0.0.22 www.fajarweb.com
  • 127.0.0.22 www.fajarweb.net
  • 127.0.0.22 www.fajarweb.org
  • 127.0.0.22 www.forum.vaksin.com
  • 127.0.0.22 www.forum.vaksin.net
  • 127.0.0.22 www.forum.vaksin.org
  • 127.0.0.22 www.free-av.com
  • 127.0.0.22 www.free-av.net
  • 127.0.0.22 www.free-av.org
  • 127.0.0.22 www.grisoft.com
  • 127.0.0.22 www.grisoft.net
  • 127.0.0.22 www.grisoft.org
  • 127.0.0.22 www.icubed.com
  • 127.0.0.22 www.icubed.net
  • 127.0.0.22 www.icubed.org
  • 127.0.0.22 www.infokomputer.com
  • 127.0.0.22 www.infokomputer.net
  • 127.0.0.22 www.infokomputer.org
  • 127.0.0.22 www.it.trendmicro-europe.com
  • 127.0.0.22 www.it.trendmicro-europe.net
  • 127.0.0.22 www.it.trendmicro-europe.org
  • 127.0.0.22 www.jasakom.com
  • 127.0.0.22 www.jasakom.net
  • 127.0.0.22 www.jasakom.org
  • 127.0.0.22 www.jeruk.padinet.com
  • 127.0.0.22 www.jeruk.padinet.net
  • 127.0.0.22 www.jeruk.padinet.org
  • 127.0.0.22 www.kaskus.com
  • 127.0.0.22 www.kaskus.net
  • 127.0.0.22 www.kaskus.org
  • 127.0.0.22 www.kaspersky-labs.com
  • 127.0.0.22 www.kaspersky-labs.net
  • 127.0.0.22 www.kaspersky-labs.org
  • 127.0.0.22 www.kaspersky.com
  • 127.0.0.22 www.kaspersky.net
  • 127.0.0.22 www.kaspersky.org
  • 127.0.0.22 www.liveupdate.symantec.com
  • 127.0.0.22 www.liveupdate.symantec.net
  • 127.0.0.22 www.liveupdate.symantec.org
  • 127.0.0.22 www.liveupdate.symantecliveupdate.com
  • 127.0.0.22 www.liveupdate.symantecliveupdate.net
  • 127.0.0.22 www.liveupdate.symantecliveupdate.org
  • 127.0.0.22 www.mcafee.com
  • 127.0.0.22 www.mcafee.net
  • 127.0.0.22 www.mcafee.org
  • 127.0.0.22 www.mcafeeb2b.com
  • 127.0.0.22 www.mcafeeb2b.net
  • 127.0.0.22 www.mcafeeb2b.org
  • 127.0.0.22 www.mcafeesecurity.com
  • 127.0.0.22 www.mcafeesecurity.net
  • 127.0.0.22 www.mcafeesecurity.org
  • 127.0.0.22 www.nai.com
  • 127.0.0.22 www.nai.net
  • 127.0.0.22 www.nai.org
  • 127.0.0.22 www.norman.com
  • 127.0.0.22 www.norman.net
  • 127.0.0.22 www.norman.org
  • 127.0.0.22 www.norton.com
  • 127.0.0.22 www.norton.net
  • 127.0.0.22 www.norton.org
  • 127.0.0.22 www.ontrack.com
  • 127.0.0.22 www.ontrack.net
  • 127.0.0.22 www.ontrack.org
  • 127.0.0.22 www.padinet.com
  • 127.0.0.22 www.padinet.net
  • 127.0.0.22 www.padinet.org
  • 127.0.0.22 www.pandasoftware.com
  • 127.0.0.22 www.pandasoftware.net
  • 127.0.0.22 www.pandasoftware.org
  • 127.0.0.22 www.perantivirus.com
  • 127.0.0.22 www.perantivirus.net
  • 127.0.0.22 www.perantivirus.org
  • 127.0.0.22 www.playboy.com
  • 127.0.0.22 www.playboy.net
  • 127.0.0.22 www.playboy.org
  • 127.0.0.22 www.pornstargals.com
  • 127.0.0.22 www.pornstargals.net
  • 127.0.0.22 www.pornstargals.org
  • 127.0.0.22 www.sands.com
  • 127.0.0.22 www.sands.net
  • 127.0.0.22 www.sands.org
  • 127.0.0.22 www.sarc.com
  • 127.0.0.22 www.sarc.net
  • 127.0.0.22 www.sarc.org
  • 127.0.0.22 www.secunia.com
  • 127.0.0.22 www.secunia.net
  • 127.0.0.22 www.secunia.org
  • 127.0.0.22 www.securityresponse.symantec.com
  • 127.0.0.22 www.securityresponse.symantec.net
  • 127.0.0.22 www.securityresponse.symantec.org
  • 127.0.0.22 www.sex-mission.com
  • 127.0.0.22 www.sex-mission.net
  • 127.0.0.22 www.sex-mission.org
  • 127.0.0.22 www.sophos.com
  • 127.0.0.22 www.sophos.net
  • 127.0.0.22 www.sophos.org
  • 127.0.0.22 www.symantec.com
  • 127.0.0.22 www.symantec.net
  • 127.0.0.22 www.symantec.org
  • 127.0.0.22 www.trendmicro-europe.com
  • 127.0.0.22 www.trendmicro-europe.net
  • 127.0.0.22 www.trendmicro-europe.org
  • 127.0.0.22 www.trendmicro.com
  • 127.0.0.22 www.trendmicro.net
  • 127.0.0.22 www.trendmicro.org
  • 127.0.0.22 www.update.symantec.com
  • 127.0.0.22 www.update.symantec.net
  • 127.0.0.22 www.update.symantec.org
  • 127.0.0.22 www.vaksin.com
  • 127.0.0.22 www.vaksin.net
  • 127.0.0.22 www.vaksin.org
  • 127.0.0.22 www.vil.nai.com
  • 127.0.0.22 www.vil.nai.net
  • 127.0.0.22 www.vil.nai.org
  • 127.0.0.22 www.virustotal.com
  • 127.0.0.22 www.virustotal.net
  • 127.0.0.22 www.virustotal.org
  • 127.0.0.22 www.winantivirus.com
  • 127.0.0.22 www.winantivirus.net
  • 127.0.0.22 www.winantivirus.org
  • #JowoBot-CrackHost
  • #JowoBot-VM Community

(Note: The last two entries are comment lines, which the resolver ignores, not host mappings. Their presence is a convenient indicator that the file was edited by the worm.)
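A HOSTS file audit, added here as an example and not part of the original write-up. It parses the file the way the resolver does (spaces or tabs, CRLF line ends, inline # comments, optional BOM) and reports three things: any name mapped to a loopback or 0.0.0.0 address other than localhost itself, which catches the 127.0.0.22 entries above without needing the full domain list; watch-listed vendor domains mapped to any other address; and comment lines carrying the JowoBot marker. The sample file and the watch list are constructed for the example; the watch list is a handful of base domains picked from the list above.

```python
# Added example (not part of the original write-up): audit a Windows HOSTS file for
# the kind of entries listed above. Flags any name mapped to a loopback or 0.0.0.0
# address (other than localhost itself), watch-listed vendor domains mapped anywhere,
# and comment lines carrying the worm's "#JowoBot" marker. The sample file and the
# watch list are constructed for this example.
import ipaddress

# Base domains to watch, picked from the list above; extend to taste.
WATCHLIST = {"symantec.com", "trendmicro.com", "mcafee.com", "kaspersky.com", "kaspersky-labs.com",
             "f-secure.com", "sophos.com", "grisoft.com", "virustotal.com", "vaksin.com", "nai.com"}
LOCAL_OK = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (lineno, ip, [names], comment) per line. HOSTS accepts tabs or spaces,
    CRLF line ends, inline '#' comments and (on newer Windows) a UTF-8 BOM."""
    for n, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        entry, _, comment = raw.partition("#")
        fields = entry.split()
        yield n, (fields[0] if fields else None), fields[1:], comment.strip()


def base_domain(host):
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def audit_hosts(text):
    """Return [(lineno, category, detail)] for every suspicious line."""
    findings = []
    for n, ip, names, comment in parse_hosts(text):
        if "jowobot" in comment.lower():
            findings.append((n, "marker", "#" + comment))
        if ip is None:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, "malformed", ip))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        for host in names:
            h = host.lower()
            if sinkhole and not (h in LOCAL_OK and str(addr) in ("127.0.0.1", "::1")):
                findings.append((n, "sinkholed", f"{ip} {host}"))
            elif base_domain(h) in WATCHLIST:
                findings.append((n, "redirected", f"{ip} {host}"))  # vendor name sent elsewhere
    return findings


def clean_hosts(text):
    """Return the file with every flagged line removed; back up the original first."""
    bad = {n for n, _, _ in audit_hosts(text)}
    return "".join(line for n, line in enumerate(text.splitlines(keepends=True), 1) if n not in bad)


# Constructed sample: stock localhost line, one legitimate admin entry, entries shaped
# like the worm's, one vendor name pointed at a non-loopback address, and the markers.
SAMPLE_HOSTS = (
    "# constructed sample HOSTS file\r\n"
    "127.0.0.1       localhost\r\n"
    "10.0.0.5        intranet.example.test   # admin-added, fine\r\n"
    "127.0.0.22 symantec.com\r\n"
    "127.0.0.22 www.symantec.com\r\n"
    "127.0.0.22\tliveupdate.symantec.com\r\n"
    "127.0.0.22 virustotal.com\r\n"
    "0.0.0.0 update.symantec.org\r\n"
    "198.51.100.7 www.kaspersky.com\r\n"
    "#JowoBot-CrackHost\r\n"
    "#JowoBot-VM Community\r\n"
)

if __name__ == "__main__":
    for lineno, category, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno:>3} {category:<10} {detail}")
    # Live system: read %System%\drivers\etc\hosts, audit it, write back clean_hosts() output.
```

clean_hosts() returns the file with the flagged lines dropped. On a live system the file is %System%\drivers\etc\hosts; back it up, write the cleaned text with the original encoding, and note that the file is writable only by administrators, so the fix has to run elevated.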

Other Details

This worm connects to the following possibly malicious URLs:

  • http://www.{BLOCKED}ee.org/Arts/bddwyrk/inf22.css
  • http://{BLOCKED}ng.com/WS1/cgi/x.cgi?NAVG=Tracker&username=dudxwd