Brontok is a very medium risk, but it makes strange programs on our computer.
I have tricks & tips to remove BRONTOK, you can try like this:
For the first time you must clean your regedit file:
- regedit: hkcu\microsoft\currentversion\run
- windows\ <---- remove file directory (in regedit)
- finishing: scan with a newly updated antivirus (last update)
You can check again and try to make a flashdisk again (because Brontok can generate via the standard drive command file system); if you get a folder (with extension *.exe) you still have BRONTOK on your PC, & you must try with other antivirus.
I hope this will help you.
Thank you
Yudhax
remove brontok
Programming ability of Brontok's author
Brontok's author has fairly low programming ability (he would not pass the course where I am the teaching assistant). Some of the ignorance the author of Brontok shows:
1. Errors in the code, for example forgetting variables that accumulate in a loop.
2. Doing odd things, for instance reading the entire contents of a file just to retrieve a single line.
3. Not being consistent in VB data types.
4. Not really understanding pass by value versus pass by reference, often copying parameters to local variables before processing them.
5. Not really understanding the Win32 API, so the code is patchwork: sometimes calling external programs, sometimes using the Windows API.
Most likely the author of Brontok copied and pasted a lot of code from the Internet, which results in bad code. In addition, it seems the author's English is not good, so Brontok can only write its moral message in Indonesian even though it has already detected foreign domains among the local ones. The only strength Brontok's author has is persistence in updating Brontok each time a way to remove it is found.
Conclusion
Brontok's creator is probably not an ITB Informatics student (but may be from ITB); his ability is fairly low, and he may be from Central or East Java (judging from the many Javanese strings used; this is not to corner any ethnic group, I am also Central Javanese). Further investigation may find who really made Brontok. Brontok's creator could have first introduced Brontok at ITB because some WiFi access points at ITB are open. Several other universities, such as UNJ, also have open public WiFi access points. Brontok's creator is "good" enough in that Brontok deletes other local viruses, but the way it deletes them is "brutal" and may delete files that are valuable to you. An example case: some people like to create self-extracting zip files, a zip file turned into an exe program so that WinZip or the like is not needed to extract it; this is usually sent to colleagues who have older versions of Windows and may not have a zip extractor (new Windows versions can extract zip files automatically). Such EXE files are extremely vulnerable to being erased by Brontok if the name contains certain substrings. Perhaps only 1 in 10,000 people have a case like this, but it means Brontok damages one person. The "kindness" of Brontok's author in removing other viruses is probably only done to raise his popularity among virus creators, and as the message promises, he wants other local virus makers to "sprawl". Is an antivirus software company involved in this case? I cannot give a certain answer. The initial version of Brontok is easy to understand and dismantle (so it is possible they hid the facts about Brontok's update URL), but the next version of Brontok is already complex enough that it is possible they do not understand Brontok's encryption algorithm. If not stopped, Brontok's author may create a more dangerous worm/virus to show off his cleverness or his stupidity.
It seems this virus creator still feels safe because there are no clues that lead to him.
Advice for virus maker wannabes
First, for those who have never created a virus and often condemn virus creators, you need to know: making a virus is sometimes enjoyable and educational. I once (1999) created a virus that I did not release (I kept it encrypted so it could not accidentally run; it was also a DOS virus, so it would not infect anything now). Creating that virus taught me things that are not taught in the Algorithms and Programming, Computer Architecture, Operating Systems, and Automata courses (my virus was written in assembly and was polymorphic, so there was formal theory as well). My advice to virus creators or would-be virus creators:
1. Do not create viruses that damage.
2. Do not release your virus (make sure the code will not run on computers other than your own).
3. Do not just make stupid viruses; explore advanced techniques such as stealth, polymorphism, etc.
4. Write up the results of your exploration in a virus e-zine (electronic magazine); see the magazine 29A, which only explores virus techniques without spreading viruses, and could make viruses a thousand times more powerful than Brontok.
5. Channel your talent and ability into other things. Think about it: you think it is great to create viruses that spread and damage. An example of what is really great is the TOKI students (Indonesian Computing Olympiad team) who compete for the nation by creating programs that solve complex problems. Another example of greatness is if you explore virus creation, do not disseminate it, and produce a better antivirus than others.
Advice for hacker wannabes
Being a white hat takes time, and is not the result of a short training or certification, so if you are really interested in security, study diligently and carefully.
If you understand something less than fully, please do not make exotic analyses that can mislead the community. Example of a misleading analysis: someone said the virus does not send itself to .ac.id domains; if a person then receives the file and believes it is not a virus because the domain is .ac.id, that person can be infected. Another example of an exotic analysis: the virus is from ITB only because of its 17:08 WIB schedule, which supposedly means the internet restriction at ITB is lifted at that hour (it actually starts at 17:00); but is there no view that 17:08 may have been chosen as a symbol of Proclamation Day (17 August)?
Brontok cleaning
Brontok may still be updated, so I will give cleaning instructions for Brontok rather than an anti-Brontok tool. Note that the steps detailed here may not match your Brontok exactly, because the file names may change.
If you are not sure, replace every deletion step with a step that moves the file to a certain directory.
1. Turn off the System Restore feature in Windows.
2. Close all running programs and save all your documents.
3. First, kill the Brontok processes (a process is a program that is running).
You can use Process Explorer from sysinternals.com, one of the programs Brontok does not watch for (other similar programs will cause the computer to restart; perhaps in the next version of Brontok, Process Explorer will also cause a restart when run). Kill the Brontok processes named services.exe, lsass.exe, smss.exe, and winlogon.exe.
* Another way is to use the KillVB program I wrote; it kills all processes whose executable is written in VB (not only viruses). Simply download, extract, and run it. The virus will die in memory after you run the program and you can continue cleaning your computer (no need to restart or log in to safe mode).
Figure: KillVB in action. KillVB kills the running Visual Basic processes.
4. In the Start menu, select Programs, then Startup. Right-click (not left-click) on Empty.pif and delete the file. (If necessary, remove all files there that you do not need; in the future the file name Empty.pif may change.)
5. Fix the registry by creating the file fixbrontok.inf listed below, then right-click the file and choose Install (you can download the file here). This file will revert the settings changed by Brontok, and will set Explorer to show hidden files and to display file extensions known to Explorer.
6. Contents of fixbrontok.inf:
[Version]
Signature="$Chicago$"
Provider=Compactbyte
[DefaultInstall]
AddReg=fix
DelReg=del
[fix]
; show hidden files and file extensions again
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Hidden,%REG_DWORD%,1
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,HideFileExt,%REG_DWORD%,0
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,ShowSuperHidden,%REG_DWORD%,0
; restore the default open commands for executable file types
HKLM,Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM,Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM,Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM,Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM,Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM,Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
; restore the logon shell
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,Shell,0,"Explorer.exe"
[del]
; remove the Brontok autorun values and its safe-mode shell
HKCU,Software\Microsoft\Windows\CurrentVersion\Run,Tok-Cirrhatus
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Bron-Spizaetus
HKLM,SYSTEM\CurrentControlSet\Control\SafeBoot,AlternateShell
HKLM,SYSTEM\ControlSet001\Control\SafeBoot,AlternateShell
HKLM,SYSTEM\ControlSet002\Control\SafeBoot,AlternateShell
HKLM,SYSTEM\ControlSet003\Control\SafeBoot,AlternateShell
; re-enable the command prompt, registry tools and Folder Options
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCMD
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
[Strings]
REG_DWORD=0x00010001
7. For the next steps, to make sure whether an object with a folder icon is actually a folder, do one of the following:
* Use the Details view (in Explorer, select the View menu, then Details). Check whether the object's type is Folder or Application. Do not click on a folder icon whose type is Application.
* Restart Explorer (without restarting Windows): run Task Manager by pressing Ctrl-Alt-Del, select the Processes tab, select explorer.exe and choose End Process. Select "Yes", then go to the Applications tab, select New Task, type Explorer.exe, and press Enter.
8. Delete all .exe files in %windir%\shellnew (%windir% is your Windows directory, for example C:\Windows). You must delete the ones with folder icons; this directory should not contain .exe files at all, and usually all exe files in this directory are safe to delete.
9. Clean the remaining registry entries formed with random strings: use msconfig (select Start, Run, type msconfig and press Enter), look at the Startup tab, and remove the startup items whose names begin with bbm and brxxxon (xxxx is a random number). Once again: these names may soon change. The best way is to look at the Command column (the second column), for example C:\Windows\X.exe; look at the file C:\Windows\X.exe, and if the file has a folder icon you can delete it.
Figure: msconfig display.
10. Search all .exe and .com files on all drives using the Explorer search feature and delete any file that has a folder icon. To reduce the number of files, restrict the size of the files found to < 90 KB (the old version is about 82 KB, the new version about 43 KB). Sort by file size to simplify the elimination process. Note also that you must search hidden files; for details see the following picture.
Figure: the correct search settings.
11. Delete all .com files with the same size as the Brontok files you found in the previous step in C:\Documents and Settings\%username%\Templates.
12. Remove the Scheduled Tasks in the Control Panel that do not belong to you (named At1, At2, etc.).
Figure: Scheduled Tasks display in Windows XP.
13. If you use Windows 95, Windows 98 or Windows ME, check the contents of autoexec.bat in the root folder (C:\autoexec.bat, D:\autoexec.bat, etc.); if the content is only one line (the single word "pause"), remove autoexec.bat.
14. Restart the computer and check whether Brontok is still there.
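To check the result of steps 5 and 9 without clicking through regedit, the following added example (not the author's tool) audits an exported .reg file offline for the values named in fixbrontok.inf above; the sample export is constructed, and the default AlternateShell value cmd.exe is an assumption.

```python
"""Audit a .reg export for settings Brontok tampers with (added example).

Parses the text regedit exports and reports every value that still looks like
the worm's: Tok-Cirrhatus*/Bron-Spizaetus* Run entries (random suffix included),
the Winlogon Shell, the SafeBoot AlternateShell and the policy/Explorer flags.
"""
import re

HKCU = "HKEY_CURRENT_USER"
HKLM = "HKEY_LOCAL_MACHINE"
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICY_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAFEBOOT = r"SYSTEM\CurrentControlSet\Control\SafeBoot"

# Values that must read exactly this when present (absent means the Windows default; cmd.exe assumed).
MUST_EQUAL = {
    (HKLM, WINLOGON, "Shell"): "explorer.exe",
    (HKLM, SAFEBOOT, "AlternateShell"): "cmd.exe",
}
# Values that, when present with this data, are the worm's setting rather than the user's.
BAD_IF_EQUAL = {
    (HKCU, POLICY_SYSTEM, "DisableRegistryTools"): 1,
    (HKCU, POLICY_EXPLORER, "NoFolderOptions"): 1,
    (HKCU, ADVANCED, "Hidden"): 0,
    (HKCU, ADVANCED, "HideFileExt"): 1,
}

# Constructed sample: an export from a machine where cleaning is not finished (paths are placeholders).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus-2431"="C:\\WINDOWS\\ShellNew\\placeholder-bron.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="C:\\WINDOWS\\placeholder-bron.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\placeholder-bron.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd-bro-1987.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"HideFileExt"=dword:00000001
"""

# Constructed sample of the same keys after the .inf has been applied.
CLEAN_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"HideFileExt"=dword:00000000
"""

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key path: {value name: data}} for the REG_SZ and REG_DWORD entries of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
    return keys


def audit(keys):
    """Return [(key path, value name, data)] for every value that still looks like Brontok's."""
    lower = {k.lower(): v for k, v in keys.items()}  # registry paths are case-insensitive
    findings = []

    def values(root, sub):
        return lower.get((root + "\\" + sub).lower(), {})

    for root in (HKCU, HKLM):  # autoruns, including the random-suffix variants step 9 removes
        for name, data in values(root, RUN).items():
            if name.lower().startswith(("tok-cirrhatus", "bron-spizaetus")):
                findings.append((root + "\\" + RUN, name, data))
    for (root, sub, name), wanted in MUST_EQUAL.items():
        data = values(root, sub).get(name)
        if isinstance(data, str) and data.strip().lower() != wanted:
            findings.append((root + "\\" + sub, name, data))
    for (root, sub, name), bad in BAD_IF_EQUAL.items():
        if values(root, sub).get(name) == bad:
            findings.append((root + "\\" + sub, name, bad))
    return findings


def audit_text(text):
    return audit(parse_reg(text))
```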
Brontok Update
The first version of Brontok updated itself from http://www.geocities.com/jowobot123/; I asked GeoCities for the logs, but that site was already closed. I did not research the first version further. Brontok downloads the file BrontokInf3.txt from that site and processes its contents (but I did not analyze the details).
The latest version uses random URLs; this is similar to the Sober worm's use of random URLs. The random URLs in the Sober worm were also used to update itself (actually the downloaded file does not always have to be a Brontok update; its contents could also be vandal code).
The latest version downloads from one of the following URLs, with a random file name:
http://www.20mbweb.com/Kids/dbrosji/
http://www.20mbweb.com/Kids/dbrolro/
http://www.20mbweb.com/Kids/dbrotlu/
http://www.20mbweb.com/Kids/dbrotppt/
http://www.20mbweb.com/Kids/dbrolma/
But this site, 20mbweb.com (read: 20 MB web), will probably be closed like the free site before it (poor Brontok, having made such a complicated update algorithm).
The URLs above are also the source for downloading the file Host[N].css, where N is the Brontok version. When Brontok is active, it selects one of the URLs at random and uses that URL.
Here is Brontok's update algorithm:
1. Brontok chooses a random URL (one of the URLs above).
2. Brontok builds a URL by appending IN.18.css (18 is the version of Brontok I currently have).
3. Brontok downloads the URL from the previous step into a file (Update.Bron.Tok.bin) whose content is a list of files to delete, the size of the new Brontok, a new prefix, and a new URL (call it Z).
4. Brontok deletes the files listed in the downloaded result and creates a file szbro[N].txt whose content is the size of the new Brontok (N is the current Brontok version).
5. Brontok produces a string X from the current minute. The string is formed from the array (LON, UTS, AUD, AGT, TPE, AML, MNE, HJT, PLD, LBS). Note that these are NOL, STU, DUA, TGA, etc. (the Indonesian digit names) written backwards. So minute 15 produces the string UTSAML (UTS = 1, AML = 5). If the minute is < 10, a leading zero is added to make two digits.
6. Brontok forms the URL from string Z with X appended, plus .ico (this is the new Brontok exe file).
7. Brontok downloads the file and checks that its size is between 43,000 and 49,000 bytes (exclusive), and compares it with the size in szbro[N].txt. If the file is too large or too small, or does not match the content of szbro[N].txt, Brontok cancels the update process.
8. Brontok saves the downloaded exe file under the name Update.AN.[N].A.Bron.Tok.exe.
9. Brontok copies Update.AN.[N].A.Bron.Tok.exe to A.Bron.Tok.tempo.exe, and deletes Update.AN.[N].A.Bron.Tok.exe.
10. Brontok executes the file A.Bron.Tok.tempo.exe.
Brontok also downloads a file from the same site (named Bron-ID.xxx.css, where xxx is a value generated algorithmically); the file's content becomes the email sent to other people, so this is also a way the virus is updated (the email content can be replaced by Brontok's author).
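The update scheme above is what an administrator would look for in proxy logs, so the following added example (not the author's code) reproduces the minute encoding of step 5, inverts it, and classifies request paths under the IN.[ver].css, Host[N].css, Bron-ID.xxx.css and Z+X+.ico naming, with the size check of step 7. It assumes my reading of step 6 (the token is appended to the last path element of Z); the log lines are constructed.

```python
"""Decode the time-derived names in Brontok's update traffic (added example)."""
import re

# Reversed Indonesian digit names NOL, STU, DUA, TGA, EPT, LMA, ENM, TJH, DLP, SBL, index = digit.
DIGIT_TOKENS = ["LON", "UTS", "AUD", "AGT", "TPE", "AML", "MNE", "HJT", "PLD", "LBS"]
TOKEN_TO_DIGIT = {t: i for i, t in enumerate(DIGIT_TOKENS)}


def minute_token(minute):
    """Step 5: encode a minute (0-59) as two digit tokens, e.g. 15 -> 'UTSAML'."""
    if not 0 <= minute <= 59:
        raise ValueError("minute out of range")
    return DIGIT_TOKENS[minute // 10] + DIGIT_TOKENS[minute % 10]


def token_minute(token):
    """Invert minute_token; None for anything that is not a valid two-token minute."""
    if len(token) != 6:
        return None
    hi = TOKEN_TO_DIGIT.get(token[:3].upper())
    lo = TOKEN_TO_DIGIT.get(token[3:].upper())
    if hi is None or lo is None or hi > 5:
        return None
    return hi * 10 + lo


UPDATE_PATTERNS = [
    ("update-index", re.compile(r"^IN\.(\d+)\.css$", re.I)),        # step 2: IN.<version>.css
    ("host-file", re.compile(r"^Host(\d+)\.css$", re.I)),           # Host[N].css
    ("mail-body", re.compile(r"^Bron-ID\.([^/]+)\.css$", re.I)),    # Bron-ID.xxx.css
]
# Step 6 as read here: <last element of Z><minute token>.ico
TOKEN_RE = re.compile(
    r"^(?P<prefix>.*?)(?P<token>(?:LON|UTS|AUD|AGT|TPE|AML|MNE|HJT|PLD|LBS){2})\.ico$", re.I
)


def classify_request(url):
    """Map a requested URL to (kind, detail), or None when it does not fit the scheme."""
    name = url.rsplit("/", 1)[-1]
    for kind, pat in UPDATE_PATTERNS:
        m = pat.match(name)
        if m:
            return kind, m.group(1)
    m = TOKEN_RE.match(name)
    if m:
        minute = token_minute(m.group("token"))
        if minute is not None:
            return "update-binary", minute
    return None


def plausible_update_size(size):
    """Step 7: the new binary must be strictly between 43,000 and 49,000 bytes."""
    return 43000 < size < 49000


# Constructed proxy log lines (squid-like fields: time client method url status bytes).
SAMPLE_LOG = """\
1138785840.123 10.0.0.7 GET http://www.20mbweb.com/Kids/dbrolro/IN.18.css 200 412
1138785841.456 10.0.0.7 GET http://www.20mbweb.com/Kids/dbrolro/dbroUTSAML.ico 200 45312
1138785850.789 10.0.0.9 GET http://www.example.org/index.html 200 9876
1138785900.000 10.0.0.7 GET http://www.20mbweb.com/Kids/dbrolro/Host18.css 404 0
"""


def hunt(log_text):
    """Return (client, kind, detail, bytes) for every request that matches the update scheme."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        client, url, size = parts[1], parts[3], int(parts[5])
        found = classify_request(url)
        if found:
            hits.append((client, found[0], found[1], size))
    return hits
```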
The development of Brontok versions
Because I only have the initial version and the final version, I cannot make a gradual comparison, but the important developments are these:
Initial version | Final version
Uses VB6, compiled to P-code. Easy to take apart. | Uses VB6, compiled to native code. More difficult to take apart.
"Naked" EXE. Size about 80 KB. | EXE packed with MEW 11.2. Size about 40 KB.
Registry keys are fixed, so an .inf file can be used to fix the registry. | Registry keys vary, so they need to be cleaned manually.
Does not run in safe mode. | Runs in safe mode.
Downloads the update from a fixed URL. The downloaded file is not checked. | Downloads the update from changing URLs, with checks on the downloaded file.
Uses mostly constant strings. | Uses many split strings to reduce the constants.
Simple encryption. | More convoluted encryption.
File names are fixed. | Creates various kinds of files, some fixed and some random (based on Brontok's activation time).
Encryption in Brontok
So that Brontok's strings are not easily visible, they are encrypted. The first version used very weak encryption, shifting by 3 letters (A becomes D, B becomes E, etc.). This is very easy to break because the scheme has existed since the days of Julius Caesar (it is called the Caesar cipher), but the latest version uses a monoalphabetic substitution cipher, and the substitution is even done twice.
Brontok uses a small trick in encrypting and decrypting its strings; I have simplified Brontok's decryption procedure into the C listing below. (The original procedure is more involved because the table is created on the fly at runtime by a special procedure with many loops.)
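As an added example (not the simplified C listing the author refers to), the following shows the shift-by-3 decoding of the first version and why substituting twice adds nothing: two monoalphabetic substitutions compose into a single one, so an analyst needs just one inverse table, and the letter-frequency profile of the ciphertext still equals that of the plaintext. The two substitution tables are constructed here; the article does not print Brontok's.

```python
"""Caesar shift and double monoalphabetic substitution (added example, constructed tables)."""
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def caesar_decrypt(text, shift=3):
    """Undo a shift of `shift` letters (first-version scheme); non-letters pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def substitute(text, table):
    """Apply a monoalphabetic table (dict letter -> letter); unmapped characters pass through."""
    return "".join(table.get(ch, ch) for ch in text)


def invert(table):
    return {v: k for k, v in table.items()}


def compose(first, second):
    """Single table equivalent to applying `first` and then `second`."""
    return {k: second.get(v, v) for k, v in first.items()}


def keyword_table(keyword):
    """Constructed keyword-mixed alphabet; stands in for Brontok's runtime-built tables."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return dict(zip(ALPHABET, seen))


TABLE1 = keyword_table("BRONTOK")  # constructed, not the worm's table
TABLE2 = keyword_table("JOWOBOT")  # constructed, not the worm's table


def double_encrypt(plain):
    """Two substitution passes, as the latest version is described to do."""
    return substitute(substitute(plain, TABLE1), TABLE2)


def double_decrypt(cipher):
    # One inverse of the composed table undoes both passes at once.
    return substitute(cipher, invert(compose(TABLE1, TABLE2)))


def frequency_profile(text):
    """Sorted letter counts: identical for plaintext and any monoalphabetic ciphertext of it."""
    return sorted(Counter(ch for ch in text.upper() if ch in ALPHABET).values())
```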
Brontok's characteristics
I will not give a lengthy explanation of Brontok's characteristics, because this is discussed on many sites. In short, Brontok's characteristics are:
1. Brontok uses the standard Windows folder icon; if you use a strange/non-standard theme you will notice this icon as odd.
2. Brontok makes many registry changes that make it hard to clean (disabling the registry editor, removing the Folder Options menu, etc.). Specifically, Brontok changes the values under these subkeys:
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  o Value Tok-Cirrhatus to the path to Brontok.
  o Value Tok-Cirrhatus-xxx (xxx is random) to the path to a Brontok file whose name is also random.
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  o Value Bron-Spizaetus to the path to Brontok.
  o Value Bron-Spizaetus-xxx (xxx is random) to the path to Brontok.
* HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  o Value NoFolderOptions to 1.
* HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
  o Value DisableCMD to 0.
  o Value DisableRegistryTools to 1.
* HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  o Value Hidden to 0.
  o Value HideFileExt to 1.
  o Value ShowSuperHidden to 0.
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  o Value Shell to Explorer.exe "c:\windows\xxx.exe-food" (xxx is random).
* HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
  o Value AlternateShell to cmd-bro-xxx.exe (xxx is random).
Caution: Windows automatically copies the contents of HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot to HKLM\SYSTEM\ControlSet00X\Control\SafeBoot (X from 1 to 2) if the restart process succeeds (or if the computer is turned off and started again).
3. Brontok makes many copies of itself in directories.
4. Brontok overwrites autoexec.bat with the single line "pause", perhaps meant to stop antivirus software that runs in DOS mode from autoexec.bat.
5. Brontok creates many startup items that run when the computer starts (in the Start menu and in various places in the registry). This also applies in safe mode (note: it is "SAFE MODE", not "SAVE MODE").
6. Brontok updates itself from a particular URL; precisely, Brontok downloads exe files from certain sites and executes them (the content need not be a Brontok update; it could be code to format the entire computer). This is discussed in a later section of this article.
7. Brontok uses encryption to hide the strings inside itself. Brontok's encryption is also discussed in this article.
8. Brontok sends itself to the email addresses it finds, provided the address does not contain any of the following strings (meaning Brontok will not send itself to Microsoft, antivirus companies, etc.): SECURE, SUPPORT, MASTER, MICROSOFT, Closer, HACK, CRACK, LINUX, AVG, GRISOFT, CILLIN, SECURITY, Symantec, Associate, VACCINE, NORTON, NORMAN, PANDA, SOFT, SPAM, BLAH, .Vbs, DOMAIN, HIDDEN, DEMO, develop, FOO@, COMPUTER, SENIOR, DARK, BLACK, BLEEP, FEEDBACK, IBM., Intel., Macro, Adobe, Calumet Campus, recipient, SERVER, proxy, ZEND, ZDNET, CNET, DOWNLOADS, HP., XEROX, Canon, SERVICE, ARCHIEVE, Netscape, Mozilla, Opera, Novell, NEW LOTUS, Micro, TREND, Siemens, FUJITSU, NOKIA, W3., NVIDIA, apache, mysql, POSTGRE, SUN., GOOGLE, SPERSKY, ZOMBIE, ADMIN, AVIRA, AVAST, work, ESAVE, ESAFE, Protect, Aladdin, alerts, BUILDER, DATABASE, AHNLAB, PROLAND, ESCAN, HAURI, NOD32, SYBARI, antigens, ROBOT, ALWIL, BROWSE, COMPUSE, compute, SECUN, SPYW, REGIST, FREE, s, MATH, LAB, IEEE, KDE, TRACK, information, Fuji, @MAC, SLACK, REDHA, Vancouver, Ghatkopar, XANDROS, @ABC, @123, LOOKSMART, SYNDICAT, ELEKTRO, ELECTRO, NASA, Lucent, TELECOM, STUDIO, Sierra, USERNAME, IPTEK, CLICK, SALES, PROMO, .CA.COM.
There is a small difference in the email when it is sent to an address containing one of the following substrings ("Indonesian addresses"): PLASA; TELKOM; INDO; .CO.ID; .GO.ID; .MIL.ID; .SCH.ID; .NET.ID; .OR.ID; .AC.ID; .WEB.ID; .WAR.NET.ID; ASTAGA; GAUL; BOLEH; EMAILKU; SATU. The difference is in the sender: for Indonesian targets the sender becomes @boleh.com, while for non-Indonesian addresses the sender becomes @friendster.com (the initial version of Brontok used @kafegaul.com for Indonesian addresses and @pornstargals.com for non-Indonesian addresses). (Stupidly, the content of the email stays the same, and uses the English content downloaded from the Internet.) Caution: one of the many analyses states that Brontok does not send itself to Indonesian email addresses.
9. Brontok tries to collect email addresses by parsing the victim's .HTML, .HTM, .TXT, .EML, .WAB and .PHP files (Brontok looks in all these files for strings of the form xxx@yyy.zzz).
10. Brontok connects directly to SMTP when sending email, but does not use the domain's MX (Mail eXchanger) DNS record. If Brontok wants to send to alamat@yahoo.com, it tries to use the SMTP server mta237.mail.re2.yahoo.com, while for other domains Brontok looks for the MX/SMTP server by adding the prefix smtp., mail. or ns1. to the mail domain.
11. Brontok creates a file whose content tells everyone to stop crime (bla bla bla; please read other sites if you are curious about the content).
12. Brontok restarts the computer when a particular program is active. The check is done on the program's window title, looking for the strings: REGISTRY, SYSTEM CONFIGURATION, COMMAND PROMPT, .EXE, SHUT DOWN, SCRIPT HOST, LOG OFF WINDOWS, KILLBOX, TASK; the last two are new strings added for programs that can kill Brontok's task, for example HijackThis.
13. Brontok schedules itself to run at certain hours. The early version only scheduled itself at 17:08, but the new version also schedules an execution at 11:03 (both scheduled every day).
14. Brontok tries to access shares on the local network and infect them.
15. Brontok contains the string: By: HVM31 - Jowobot #VM Community - (note the words VM Community, i.e. virus makers community; maybe HVM31 has friends who know about this).
16. The old version of Brontok attacks (meaning it tries to do a DDoS, Distributed Denial of Service attack) the sites 17tahun.com and israel.gov.il with ping, while the new version uses HTTP GET to attack www.17tahun.com, www.kaskus.com, and www.fajarweb.com.
17. Brontok increments a counter at the site debuging.com, URL: http://debuging.com/WS1/cgi/x.cgi?NAVG=Tracker&username=%64%65%6C%62%65%6C%62%72%6F (the username is delbelbro). I have not contacted the site's owner. The counter is incremented each time an attack on the sites in the list finishes (www.17tahun.com, www.kaskus.com, and www.fajarweb.com).
18. Brontok creates the file sistem.sis in the system directory (%windir%\system32\sistem.sis) whose content is a code for the time Brontok was first active. The code consists of 2 digits of month, 2 digits of date, 2 digits of hour and 2 digits of minute. Example: 01122245 means Brontok was first active on 01 = January, 12 = the 12th, 22 = 10 pm, 45 = minute 45. This file is also copied to the directory \Documents and Settings\Username\Application Data\ under the file name BronMes* (the * part can vary).
19. Brontok tries to forcibly kill some processes (a process is a running program) with the command taskkill /f /im processname. The killed processes include other local viruses/worms and some antivirus software. Precisely, the killed processes are: mcvsescn.exe; poproxy.exe; avgemc.exe; ccapps.exe; tskmgr.exe; syslove.exe; xpshare.exe; riyani_jangkaru.exe; systray.exe; ashmaisv.exe; aswupdsv.exe; nvcoas.exe; cclaw.exe; njeeves.exe; nipsvc.exe; dkernel.exe; iexplorer.exe; lexplorer.exe.
20. Brontok changes the file attributes of MSVBVM60.DLL in the Windows system directory to hidden, system and read-only. The goal of this step is to make it harder to delete msvbvm60.dll from DOS mode, as discussed on several websites.
21. Brontok downloads a file from a random URL (see the Brontok update section) and tries to overwrite the file %windir%\system32\drivers\etc\hosts with the downloaded file.
22. If Brontok finds .DOC, .PDF, .XLS and .PPT files, it resets their attributes to normal; this seems to be done to restore documents hidden by other viruses.
23. Brontok tries to delete files whose names contain the substring KANGEN, *RORO*.HTT, and FOLDER.HTT. If the file extension is .EXE, Brontok will also delete the file if its name contains one of the substrings .DOC.EXE; .DOC ; .XLS.EXE; .XLS ; PATAH; stuff; stay; LUCU; MOVZX; love; for; DATA about; RIYANI; JANGKARU; KANGEN; JROX; DIARY; DKERNEL; IEXPLORER; LEXPLORER; ADULTONLY; ASIAN; VIRTUAL GIRL; X-PHOTOS; BESTMODEL; GAME Two people; HOT SCREEN; HOTBABE; NAKED; MODEL VG; SEXY; V-GIRL7; JAPANESEGIRL; POEM (note that Brontok does not delete .DOC, but ".DOC " followed by a space with the .EXE extension, and likewise with .XLS).
24. Brontok also deletes the files: C:\!submit\winword.exe, c:\submit\xpshare.exe, c:\windows\systray.exe, %windir%\systray.exe, %windir%\fonts\tskmgr.exe, C:\windows\rundll32.exe. There are still some more files deleted by Brontok (I did not continue the deletion analysis beyond these files).
The approach to analyzing Brontok
This section is very technical and can be skipped.
I did not do black box analysis (too many people have already done so, with rather inconsequential conclusions), but directly disassembled Brontok. The first Brontok version was compiled to p-code (like Java bytecode) and is easy to understand. The new version of Brontok uses native code, so the analysis is more difficult. Analysis of the first version will not be discussed.
Before I explain the analysis process, I need to mention that I kept several copies of Brontok under different names before processing them (debugging, disassembling, etc.) with different programs. The goal of the copies is to keep me safe (not accidentally running the exe file), and safe from mistakes by the programs that might alter the copy of Brontok I have.
The Brontok EXE is packed with MEW and must be unpacked/extracted with UnMeW, but this changes the file structure and causes programs that analyze Visual Basic executables, for example Race, to no longer recognize the file as a VB file. Fortunately one of the tools for analyzing VB files, named VBDE, can still get a little information from the file.
Figure: VBDE in action. VBDE is used to obtain basic information about VB files.
Because the file uses native code, the best disassembler is IDA Pro (I use the freeware version); with IDA Pro I can see quite a lot in Brontok. Unfortunately IDA Pro cannot see the Visual Basic VTABLE (the method table, which is very important in code compiled from an object-oriented language), and the only easy way to get it is to run Brontok.
Before running Brontok for the first time, the Brontok binary needs to be edited to turn off the timer (setting the time to 0 so the timer never fires). The editing is done with a hex editor (I use the free Hexplorer), and this requires a little guesswork to succeed. A major part of Brontok runs from the timer, so with the timer off Brontok can be analyzed safely (but it is still dangerous).
Figure: hex editor display when opening Brontok.
Facts and notes
Some statements in this article may be a certain prejudice, by because I want to tell you some facts about myself: 1. Currently I am not a Windows user again, although I still have a Windows partition that I use for purposes such as this (analysis of the virus, try, try and Windows programs). I do not store data in Windows, so a kind of experiment is safe enough for me. Everyday I use Mac OS X on my iBook G4, and GNU / Linux (Fedora Core 4) on AMD64. Because not a Windows user, my little knowledge may be behind in terms of applications in Windows, but low-level technical knowledge of Windows I always update. 2. Currently I do not work in the security business or have business-related security. Any statement on my other business entities are not intended to benefit myself. My job is a teaching assistant at the Department of Information Engineering School of Electrical and Information (first part of the Faculty of Industrial Technology) Bandung Institute of Technology. 3. I am not a cracker, I'm not the people from both groups of virus creators groups outside the country and Indonesia. 4. I only have the older version Brontok (Brontok sample taken from a lab at ITB), and the latest version (Brontok sample taken from the Jakarta State University / UNJ), a version of which I do not have. 5. I do not include the URL various tools that I use, because the URL for the tools that can help the process of cracking usually always shifting, use Google to search tools, tools that I mentioned. 6. I do not make antivirus software for Brontok this, please use your existing antivirus software (I do not want to take pains to update the antivirus Brontok always updated, many antibrontok on the Internet is no longer able to detect, delete, or Brontok handle the new version) . The antivirus software on the market with the latest update should have been enough. However, if this Brontok increasingly difficult diberantas, I will make antivirus software for special Brontok. 
However, I provide manual Brontok cleaning steps that are generic for the various Brontok versions at this time.
How is a virus analyzed?
There are three ways to analyze a virus: the first is black box, that is, watching the behavior of the virus in a particular environment; the second is analyzing the content of the virus by disassembly; and the third is watching the virus run under a debugger. Unfortunately, most people can only do the first kind of analysis and a little of the second, but not comprehensively.
Black box analysis
Some programs are available that show the difference in a computer's state before and after a program starts (including before and after a virus starts). I do not put much trust in this kind of program, but programs like this can show which files the virus created and which registry changes it made. This is easy but not foolproof, because the virus may behave strangely every Wednesday while you test it on a Tuesday. The program used to record the system state may also be imperfect, so some changes are not recorded, and there is the possibility that remnants of the virus remain after the analysis process is completed. If the virus is quite sophisticated and can detect the monitoring program, the virus can make the situation different from usual.
Disassembly and decompilation
Programs in certain languages (usually ones that are compiled and interpreted at once, such as Java or C#) can be decompiled easily, meaning that the "machine language" in the exe file can be turned back into source code, but programs in other languages cannot be turned back into source code, only into assembly language. Assembly language is very low level (very close to the machine), so it is difficult to understand except with patience and a lot of practice (usually with the help of a debugger as well). Not many people want to and can do this, but it is done every day by crackers making serial number generators and cracking various programs (many programs that people use now are the work of crackers).
Watching the virus with a debugger
A debugger can be used to run a virus in an environment that can be monitored. The sequence of execution, including the virus's encryption, can be learned easily. One must be careful, because the virus might use anti-debug techniques and run out of control. This analysis technique is usually combined with disassembly.
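As an added illustration of the black-box approach described above (example code written for this page, not a tool from the article's author): a minimal before/after snapshot of a directory tree, diffed by path, size and SHA-256. The scenario in demo() is constructed: placeholder bytes stand in for the files the article attributes to Brontok, and the tree is a temporary directory, not a real Windows install. It shows what such a tool can and cannot see: file additions, removals and content changes, but not hidden attributes, registry changes, or behavior the sample chooses not to exhibit during the run.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# One snapshot entry per file: relative path -> (size in bytes, SHA-256 of content).
Snapshot = Dict[str, Tuple[int, str]]


def snapshot(root: str) -> Snapshot:
    """Walk root and record every regular file with its size and content hash."""
    result: Snapshot = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            result[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Classify files as added, removed or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    common = set(before) & set(after)
    modified = sorted(p for p in common if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def write_file(root: str, rel: str, data: bytes) -> None:
    """Helper for the constructed scenario: create rel under root with the given bytes."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario (not a real infection): a small tree before and after the
    file changes the article attributes to Brontok. File contents are placeholders."""
    with tempfile.TemporaryDirectory() as root:
        write_file(root, "Windows/notepad.exe", b"MZ placeholder, unchanged")
        write_file(root, "AUTOEXEC.BAT", b"@echo off\r\n")
        before = snapshot(root)
        # Simulated post-run state: two dropped files and one appended line.
        write_file(root, "Windows/eksplorasi.exe", b"MZ placeholder, dropped")
        write_file(root, "Windows/shellnew/sempalong.exe", b"MZ placeholder, dropped")
        write_file(root, "AUTOEXEC.BAT", b"@echo off\r\npause\r\n")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing content rather than trusting timestamps is what catches an appended line such as the one in AUTOEXEC.BAT; a sample that waits for a particular day, as the text warns, simply produces an empty diff.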
Strange things around Brontok
The creator of the Brontok virus is suspected to be from the Bandung Institute of Technology (ITB), but there is no evidence of this other than that reports about the virus began to spread at ITB. The virus updates itself from a site on the Internet, but really only one analysis states this. Even just by knowing the URL from which the virus updates itself, we could do the following:
* Track who owns the site; in the case of a free web site, certain parties (ISP administrators, etc.) can be asked to track the person who registered the site or accessed it for the first time (most likely the creator of the virus).
* Administrators can block the virus's update URL at the proxy or firewall level.
* By viewing the logs, administrators can track which computers are infected with Brontok.
The only local analysis stating that the virus updates itself comes from an antivirus company, a local partner of an overseas antivirus company. But even though this company knows that the virus updates itself, strangely it does not mention the update URL anywhere on its page, although I have asked personally by email. Does the company not know the URL? (less versed in analyzing the virus), or did they deliberately leave the virus the opportunity to update itself, to the company's advantage? (the second possibility is just as worrying).
The virus can not only update itself but also downloads a list of files that need to be removed before the update is done, meaning that a virus that was considered merely a nuisance can in fact be dangerous. And the actual update file could contain not a new virus but code to format your computer.
Early versions of the virus only attacked the sites 17tahun.com and israel.gov.il, but over time it started attacking other sites, such as www.kaskus.com, and even personal sites (blogs) such as fajarweb.com; does the virus's author have a personal grudge against these particular people?
The creator of the virus includes these words in the virus:
! They will Kubuat (VM's local sloppy & stupid) LINK!
And in the latest Brontok version, he has tried to delete other local viruses such as Decoy, Mustache, Fawn, Nostalgic and riyani_jangkaru (my knowledge of local viruses is rather minimal, so this is only the list I know). The removal of the other local viruses is fairly thorough: it kills the virus process, deletes the virus files, and even restores the attributes of document files hidden by the other viruses (but it does not clean the registry entries modified by those viruses).
I will make this article as objective as possible, with in-depth and accurate analysis. This article can at the same time be a correction of the Brontok analyses on other sites, which are sometimes inaccurate.
A local virus that is active in "safe mode"
Nowadays local viruses are spreading ever faster; their makers compete to create virus variants, so that new variants appear with only a few modifications in the script, ready to attack anyone at any time. Although the medium used to spread them is simple, it has still proved effective because of the growing number of users who use diskettes / USB drives. USB drives are now increasingly popular among computer users because they are easy to carry, have more capacity than a diskette and are small; this trend is apparently used by a small group of people as a suitable and easy medium for spreading the viruses they make, and that is how the local viruses we know today were born.
Local viruses have been detected for a long time, since the Pesin virus; after it came local viruses such as Lavist A, Nostalgic, riyanni_jangkaru or Tabaru, Mustache, Fawn, Yosa and finally Rontokbro, some of the names of local viruses that became a "scourge" in the past few months. Although most antivirus software can recognize these viruses, because their distribution is limited to certain environments, any new variant will be difficult to detect unless antivirus software with local support is used. Of the many local viruses, only 3 have managed to come back: Rontokbro, Nostalgic and Fawn. But of these 3 types of virus, only Rontokbro has been able to cause large losses compared with the other local viruses.
The Safe Mode weakness known to Rontokbro
Rontokbro is the first local virus that can spread through email, unlike other local viruses that can only spread through diskettes / USB drives. A computer infected with Rontokbro will restart, the same as what is done by the Mustache virus and the Sasser / Blaster viruses; the difference is that a Rontokbro-infected computer restarts when you run certain applications, such as regedit, msconfig or Task Manager. Installing the latest patches has no effect, because this virus does not exploit a security hole as Sasser / Blaster do, and the restart does not show a countdown as Sasser / Blaster do. One of the virus's strengths is that, even when the computer is in "safe mode", it will still restart the computer if you run applications such as regedit or msconfig, and even tools such as Pocket Killbox or HijackThis. As we know, when a computer runs in "safe mode" the virus infecting it is not active, but that is not the case with Rontokbro. This is remarkable progress: apparently the Rontokbro team already knew that there is a weak point in "safe mode", so why is this not used by non-local viruses, whose makers have far more experience and knowledge? Another thumbs up to the makers of Rontokbro.
Based on monitoring by Vaksincom (www.vaksin.com), many users are infected with the Rontokbro virus, as shown by the large number of users who consult Vaksincom by email, phone or the Vaksincom forum (http://forum.vaksin.com). Some of them complain that their computer is infected with the Rontokbro.N variant, which makes the computer restart even in "safe mode". Therefore the Vaksincom team tries to give a few tricks and tips that can be used to overcome the Rontokbro virus, especially for those who do not use Norman Virus Control (and so cannot properly identify the variant).
Before discussing how to clean Rontokbro, it is good to know in general what Rontokbro does.
Files infected with Rontokbro.N have a size of 42 KB and a folder icon with the extension EXE; if run, they will create the following files:
1. C:\Windows, with the file name eksplorasi.exe (hidden)
2. C:\Windows\shellnew, with the file name sempalong.exe (hidden)
3. C:\Windows\system32, with the file name %username%'s Setting.scr (hidden)
4. C:\Documents and Settings\%user%\Local Settings\Application Data, with the file names
- Bron.tok-x-y, where x and y are numbers
- Loc.Mail.Bron.Tok, which contains the email addresses collected from the infected computer
- Ok-sendmail-Bron-noise, which contains the emails that were sent successfully
- Csrss.exe
- Inetinfo.exe
- Kosong.Bron.Tok.txt
- Lsass.exe
- NetMailTmp.bin
- Services.exe
- Smss.exe
- Update.3.Bron.Tok.bin
- Winlogon.exe
5. C:\Documents and Settings\bagle\Start Menu\Programs\Startup, with the file name
- Empty
6. C:\Documents and Settings\%user%\Templates, with the file name
- Brengkolang.com
7. A file in every folder, with the same name as the folder, with these characteristics:
- Icon like a folder
- File size 42 KB
- Extension .EXE
Rontokbro will also change the file C:\AUTOEXEC.BAT by adding the command line "pause".
So that Rontokbro is active every time the computer starts, it creates the following registry values:
1. Bron-Spizaetus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2. Tok-Cirrhatus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
3. Shell = Explorer.exe with the value "C:\Windows\Eksplorasi.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Disabling the registry editor
Like most existing viruses, this virus also tries to disable programs that could cut short "their" existence, among them the registry editor, by adding the registry values:
a. DisableRegistryTools = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
If the registry editor is run, an error message will appear:
b. DisableCMD
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Besides adding strings in the registry, the virus also adds entries to the [Startup] tab of msconfig:
- Sempalong
- Smss
- Empty
Hiding Folder Options
Apparently the virus has learned from its peers: it removes [Folder Options] from the [Tools] menu of [Windows Explorer], so that the user cannot display the files hidden by the virus, by adding the string value:
1. "NoFolderOptions" = dword:00000001
under the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Rontokbro also creates a scheduled task in Windows that runs every day at 5:08 PM, running a file in the directory:
2. C:\Documents and Settings\%user%\Templates
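An added example (not from the article or from Vaksincom) of checking a regedit export for the values listed in this section. The export text is constructed for this page; the data the two Run values point to is an assumption, since the article only gives the value names and keys. The checker flags the two autostart values, a Winlogon Shell that is anything other than Explorer.exe, and the three policy values set to 1.

```python
import re
from typing import Dict, List, Tuple

# (lower-cased key path, lower-cased value name) -> raw data exactly as written in the export
RegValues = Dict[Tuple[str, str], str]

# Constructed regedit-style export covering the keys named in the article. Not taken from a
# real machine: the paths the two Run values point to are assumptions for illustration only.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="C:\\Windows\\shellnew\\sempalong.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\smss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\Windows\\eksplorasi.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"""

RUN_HKLM = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_HKCU = r"hkey_current_user\software\microsoft\windows\currentversion\run"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICY_SYSTEM = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
POLICY_EXPLORER = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"

_VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> RegValues:
    """Parse the subset of .reg syntax regedit exports use: [key] headers and "name"=data lines."""
    values: RegValues = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        match = _VALUE_LINE.match(line)
        if match and current is not None:
            values[(current, match.group(1).lower())] = match.group(2)
    return values


def reg_string(data: str) -> str:
    """Unquote a REG_SZ literal (quoted, with doubled backslashes and escaped quotes)."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data  # dword:/hex: values are left as written


def find_indicators(values: RegValues) -> List[str]:
    """Report the registry traces the article attributes to Rontokbro / Brontok."""
    findings: List[str] = []
    # 1. The two autostart values under the Run keys.
    for key, name in ((RUN_HKLM, "bron-spizaetus"), (RUN_HKCU, "tok-cirrhatus")):
        if (key, name) in values:
            findings.append(f"autostart value {name} -> {reg_string(values[(key, name)])}")
    # 2. Winlogon Shell must be exactly Explorer.exe; anything appended is a hijack.
    shell = values.get((WINLOGON, "shell"))
    if shell is not None and reg_string(shell).strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell hijacked: {reg_string(shell)}")
    # 3. Policies that lock the user out of regedit, cmd and Folder Options.
    for key, name in ((POLICY_SYSTEM, "disableregistrytools"),
                      (POLICY_SYSTEM, "disablecmd"),
                      (POLICY_EXPLORER, "nofolderoptions")):
        data = values.get((key, name))
        if data is not None and data.lower() == "dword:00000001":
            findings.append(f"restrictive policy {name} = 1 under {key}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

The Shell check compares the whole unquoted value, not just its prefix, which is the point: the hijacked value still begins with Explorer.exe and only differs by what is appended after it.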
Automatic computer restart
One of Rontokbro's strengths is that it can make the computer restart, and installing patches does not solve this problem, because Rontokbro does not exploit a security hole the way the Sasser or Blaster viruses do.
Rontokbro will restart the computer if you try to run particular programs such as regedit or msconfig, and even if you run Task Manager replacements such as Pocket Killbox or HijackThis; another of its strengths is that it can restart the computer even in "safe mode", so special tricks are needed to handle the problem. The makers of Rontokbro apparently always follow the advice and developments of the past, so the virus will become increasingly difficult to eradicate because it always updates itself.
Rontokbro will collect all email addresses from files with the following extensions:
a. asp
b. cfm
c. csv
d. doc
e. eml
f. html
g. php
h. txt
i. wab
Besides spreading via email, Rontokbro also spreads via floppy disk / USB drive by creating a file in every folder / subfolder on the diskette / USB drive, or in its root; the files it creates have these characteristics:
a. Resembles a folder icon
b. Size 42 KB
c. Extension .EXE
Rontokbro will also try to make connections by sending ping requests to certain sites, such as the adult site 17tahun.com and kaskus.com; this is one of the factors that can slow the computer down. But because Internet connections in Indonesia are still relatively slow, the impact will be felt less by home dialup users, who are not always connected; the biggest impact on access to those two sites will come when the computers infected with Rontokbro are home computers with broadband connections that are always online, Internet cafes (warnet), or office computers that are always connected to the Internet.
Like antivirus software, Rontokbro also tries to update itself from certain predetermined sites, so do not delay updating your antivirus software, so that you do not become the next victim, and do not forget to be careful when exchanging data via floppy / USB. One tip that may be useful is to identify the type of file you are about to run, and to always show file extensions so that the file type is known. One effective way to prevent Rontokbro is to use antivirus software that provides local support, so that its definitions can keep up with the new Rontokbro variants that continue to emerge to this day.
How to clean Rontokbro
1. Do the cleaning in "safe mode".
2. Kill the virus process.
To kill the process, do not use Pocket Killbox or HijackThis, because the computer will restart immediately when you run these tools; we recommend using another tool such as PROCEXP.EXE (Process Explorer), which can be downloaded from http://www.sysinternals.com/Utilities/ProcessExplorer.html
Kill the process by right-clicking the name of the process and selecting "Kill Process Tree", so that no process is missed in the removal; look for the processes whose icon is a "folder", such as:
- Smss.exe
- Services.exe
- Winlogon.exe
Note:
Or you can also perform the following steps:
a. Restart the computer into "safe mode with command prompt" by pressing [F8] while the computer restarts; the point is that the Rontokbro virus is not active in this "safe mode" and will not restart the computer during the cleaning process.
b. After entering "Command Prompt" mode, press [CTRL]+[ALT]+[Del] simultaneously, then select [Task Manager]. After the Task Manager window appears, click [File], select [New Task (Run...)], then type [explorer] in the [Create New Task] window and press Enter.
c. The desktop will then appear (in "safe mode" display mode).
d. Re-enable the registry editor and remove the strings created by the virus: write the script given at point [3], save it with the file name "repair.inf", and then run the file by right-clicking [repair.inf] and selecting [install].
e. Delete the [Smss], [Empty] and [Sempalong] entries in the [Startup] tab of msconfig.
f. So that "Folder Options" appears again in Windows Explorer, restart the computer again and repeat steps (a) and (b).
g. After the computer is in "safe mode", show all hidden files (do this in "Folder Options", see the image at point [5]), then follow the remaining Rontokbro cleaning instructions at points (6-9).
3. Write the following script in Notepad and save it with the file name repair.inf, then run the file (right-click [repair.inf], select [install]); this is intended to re-enable the registry editor, show [Folder Options] again and remove the strings created by the virus:
[Version]
Signature="$Chicago$"
Provider=Vaksincom
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableCMD
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, Tok-Cirrhatus
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Bron-Spizaetus
4. Restart the computer and go back into "safe mode", not "normal" mode, because the parent virus files are still there (eksplorasi.exe and sempalong.exe).
5. Show hidden files; do this in [Folder Options].
6. Remove the files created by Rontokbro:
- C:\Windows, with the file name eksplorasi.exe (hidden)
- C:\Windows\shellnew, with the file name sempalong.exe (hidden)
- C:\Windows\system32, with the file name %username%'s Setting.scr (hidden)
- C:\Windows\PSS, with the file name [Empty.pifStartup]
- C:\Documents and Settings\%user%\Local Settings\Application Data, with the file names
- Bron.tok-[x]-[y], where [x] and [y] are numbers
- Loc.Mail.Bron.Tok
- Ok-sendmail-Bron-noise
- Csrss.exe
- Inetinfo.exe
- Kosong.Bron.Tok.txt
- Lsass.exe
- NetMailTmp.bin
- Services.exe
- Smss.exe
- Update.3.Bron.Tok.bin
- Winlogon.exe
7. Edit the autoexec.bat file in the directory C:\ and delete the command line [pause].
8. Remove the scheduled task created by Rontokbro (click [Start], [Settings], [Control Panel], and then click [Scheduled Tasks]).
9. Remove the files created by the virus; to be faster, use the [Search] facility:
Click [Start]
Click [Search], and then click [For Files or Folders]
Then select [All files or folders]
Click the option [What size is it?]
Then select the option [Specify size (in KB)]
In the combo box select [at most], then fill in the file size with the number [43], then click [Search]
After the search is finished, sort by size, then delete the files that have a size of 42 KB; take care not to delete the wrong files, because some Windows files also have a size of 42 KB; look for the files with a folder icon and the extension .EXE, as in the image below:
10. For faster cleaning you should use antivirus software that can recognize Rontokbro.N, and do not forget to update the installed antivirus software; for information, Norman Antivirus with the latest update can already recognize this virus well.
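The repair.inf in step 3 is an INF file that Windows applies through its [DefaultInstall] section: AddReg lines restore values and DelReg lines delete them. The following added example (written for this page, not part of the Vaksincom article) parses that exact script and lists the registry operations it would perform, which is a useful check before right-clicking [install] on a script copied from the web. It embeds the script text verbatim; field splitting uses CSV rules because INF quoting doubles quotes in the same way.

```python
import csv
from typing import Dict, List

# The repair.inf from step 3, embedded verbatim so the parser runs stand-alone.
REPAIR_INF = r'''[Version]
Signature="$Chicago$"
Provider=Vaksincom

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableCMD
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, Tok-Cirrhatus
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Bron-Spizaetus
'''

RegOp = Dict[str, str]


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split INF text into [section] -> lines, dropping blank lines and ; comments."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # no quoted ';' occurs in this script
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def split_fields(line: str) -> List[str]:
    """INF registry lines are comma-separated and double a quote to escape it, just like CSV."""
    return next(csv.reader([line], skipinitialspace=True))


def parse_key_values(lines: List[str]) -> Dict[str, str]:
    """key=value lines such as those in [Version] and [DefaultInstall]."""
    result: Dict[str, str] = {}
    for line in lines:
        key, _, value = line.partition("=")
        result[key.strip().lower()] = value.strip()
    return result


def registry_operations(text: str) -> Dict[str, List[RegOp]]:
    """Resolve [DefaultInstall] AddReg/DelReg into the concrete edits the INF would make."""
    sections = parse_sections(text)
    install = parse_key_values(sections.get("defaultinstall", []))
    ops: Dict[str, List[RegOp]] = {"add": [], "delete": []}
    for name in install.get("addreg", "").split(","):
        for line in sections.get(name.strip().lower(), []):
            f = split_fields(line) + [""] * 5   # root, subkey, value name, flags, data
            ops["add"].append({"root": f[0], "subkey": f[1], "name": f[2] or "(Default)",
                               "flags": f[3], "data": f[4]})
    for name in install.get("delreg", "").split(","):
        for line in sections.get(name.strip().lower(), []):
            f = split_fields(line) + [""] * 3   # root, subkey, value name
            ops["delete"].append({"root": f[0], "subkey": f[1], "name": f[2] or "(Default)"})
    return ops


if __name__ == "__main__":
    for kind, entries in registry_operations(REPAIR_INF).items():
        for op in entries:
            print(kind, op)
```

Reading the parsed output side by side with the "Disabling the registry editor", "Hiding Folder Options" and Run-key lists earlier on this page confirms that the [del] section removes exactly the five values the article says the virus adds, while [UnhookRegKey] resets the exe/bat/com/pif/scr/reg open commands and puts Winlogon Shell back to plain Explorer.exe.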
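Step 9 above, together with the file characteristics given earlier (folder icon, 42 KB, extension .EXE, named after the folder it sits in), can be turned into a scan. The following is an added example, not part of the article: it walks a tree for .exe files of about 42 KB and separates those named exactly like their parent folder from other same-sized executables, and also checks AUTOEXEC.BAT for the bare pause line from step 7. The tree in demo() is constructed from placeholder files in a temporary directory; the 41 to 43 KB window is an assumption standing in for the article's "at most 43 KB" search. Hidden attributes and icons cannot be checked portably and are left to the manual review the article describes.

```python
import os
import tempfile
from typing import Dict, List, Union

KB = 1024
# "About 42 KB": the article searches for "at most 43 KB" and then picks out the 42 KB entries.
SIZE_MIN, SIZE_MAX = 41 * KB, 43 * KB


def looks_like_folder_lure(path: str) -> bool:
    """An .exe named exactly like the folder that contains it (the folder-icon trick)."""
    stem, ext = os.path.splitext(os.path.basename(path))
    parent = os.path.basename(os.path.dirname(path))
    return ext.lower() == ".exe" and stem.lower() == parent.lower()


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Return .exe files in the size window, split into folder-lure hits and size-only matches."""
    hits: Dict[str, List[str]] = {"suspicious": [], "size_only": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".exe"):
                continue
            full = os.path.join(dirpath, name)
            if not SIZE_MIN <= os.path.getsize(full) <= SIZE_MAX:
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            bucket = "suspicious" if looks_like_folder_lure(full) else "size_only"
            hits[bucket].append(rel)
    for bucket in hits:
        hits[bucket].sort()
    return hits


def autoexec_has_pause(path: str) -> bool:
    """True if the batch file contains a bare 'pause' line, the change the article describes."""
    if not os.path.isfile(path):
        return False
    with open(path, "r", errors="replace") as fh:
        return any(line.strip().lower() == "pause" for line in fh)


def _make_file(root: str, rel: str, size: int) -> None:
    """Create a placeholder file of the given size (zero bytes, not a real executable)."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(b"\0" * size)


def demo() -> Dict[str, Union[List[str], bool]]:
    """Constructed tree (placeholder bytes, not real samples) mirroring the article's description."""
    with tempfile.TemporaryDirectory() as root:
        _make_file(root, "USB/Data/Data.exe", 42 * KB)          # lure: named after its folder
        _make_file(root, "USB/Photos/Photos.exe", 42 * KB)      # lure
        _make_file(root, "USB/Photos/holiday.jpg", 42 * KB)     # same size, but not .exe
        _make_file(root, "Windows/system32/calc.exe", 42 * KB)  # a 42 KB .exe that is not a lure
        _make_file(root, "Windows/notepad.exe", 60 * KB)        # outside the size window
        with open(os.path.join(root, "AUTOEXEC.BAT"), "w") as fh:
            fh.write("@echo off\npause\n")
        result: Dict[str, Union[List[str], bool]] = dict(scan_tree(root))
        result["autoexec_pause"] = autoexec_has_pause(os.path.join(root, "AUTOEXEC.BAT"))
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The size_only bucket exists for the same reason the article warns against deleting every 42 KB file: size alone is a weak signal, and it is the name-equals-parent-folder pattern that distinguishes the lure files from legitimate executables of the same size.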
Tips
Here are some tips and tricks that can be used against any local virus attack:
1. Do not be careless when exchanging data via floppy / USB.
2. Make sure the diskette / USB drive is clean of viruses by scanning it before use.
3. Know the type of file you are about to run.
4. Show file extensions, so that you know the type of a file before you run it.
5. Diligently follow the development of viruses.
6. Install antivirus software that has local support and updates automatically.