Characteristics of Brontok


I will not give lengthy explanations of Brontok's characteristics, because they are discussed on many sites already. In short, Brontok's characteristics are:

1. Brontok uses the standard Windows folder icon; anyone using a strange or non-standard theme will notice that this icon looks out of place.
2. Brontok makes many registry changes that make it hard to clean up (it disables the Registry Editor, removes the Folder Options menu, and so on). Precisely, Brontok changes the following values under these subkeys:
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run
o Value Tok-Cirrhatus: the path to Brontok.
o Value Tok-Cirrhatus-xxx (xxx is random): the path to a Brontok copy whose file name is also random.
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run
o Value Bron-Spizaetus: the path to Brontok.
o Value Bron-Spizaetus-xxx (xxx is random): the path to Brontok.
* HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
o Value NoFolderOptions: set to 1.
* HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
o Value DisableCMD: set to 0.
o Value DisableRegistryTools: set to 1.
* HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
o Value Hidden: set to 0.
o Value HideFileExt: set to 1.
o Value ShowSuperHidden: set to 0.
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
o Value Shell: set to Explorer.exe "c:\windows\xxx.exe" (xxx is random; in this translation the fixed part of that file name appears as "food").
* HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
o Value AlternateShell: set to cmd-bro-xxx.exe (xxx is random). Caution: Windows automatically copies the entire contents of HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot into HKLM\SYSTEM\ControlSet00X\Control\SafeBoot (X being 1 or 2) once a restart completes successfully (or when the computer is shut down and started again), so when cleaning, check every ControlSet00X copy and not only CurrentControlSet.
3. Brontok makes many copies of itself in various directories.
4. Brontok overwrites autoexec.bat with a single "pause" line, presumably to stop antivirus software that runs in DOS mode from autoexec.bat.
5. Brontok creates many startup items that run when the computer starts (in the Start menu and in various places in the registry). These also apply in Safe Mode (note that it is "SAFE MODE", not "SAVE MODE").
6. Brontok updates itself from a particular URL; more precisely, it downloads exe files from certain sites and executes them (what it downloads need not be a new Brontok: it could just as well be code that formats the entire computer). This is discussed in the next section of this article.
7. Brontok uses encryption to hide the strings inside itself. Brontok's encryption is also discussed in this article.
8. Brontok sends itself to the email addresses it finds, provided the address does not contain any of the following substrings (so Brontok will not mail itself to Microsoft, antivirus companies, and so on): SECURE, SUPPORT, MASTER, MICROSOFT, CLOSER, HACK, CRACK, LINUX, AVG, GRISOFT, CILLIN, SECURITY, SYMANTEC, ASSOCIATE, VACCINE, NORTON, NORMAN, PANDA, SOFT, SPAM, BLAH, .VBS, DOMAIN, HIDDEN, DEMO, DEVELOP, FOO@, COMPUTER, SENIOR, DARK, BLACK, BLEEP, FEEDBACK, IBM., INTEL., MACRO, ADOBE, Calumet Campus, RECIPIENT, SERVER, PROXY, ZEND, ZDNET, CNET, DOWNLOADS, HP., XEROX, CANON, SERVICE, ARCHIEVE, NETSCAPE, MOZILLA, OPERA, NOVELL, NEW LOTUS, MICRO, TREND, SIEMENS, FUJITSU, NOKIA, W3., NVIDIA, APACHE, MYSQL, POSTGRE, SUN., GOOGLE, SPERSKY, ZOMBIE, ADMIN, AVIRA, AVAST, WORK, ESAVE, ESAFE, PROTECT, ALADDIN, ALERTS, BUILDER, DATABASE, AHNLAB, PROLAND, ESCAN, HAURI, NOD32, SYBARI, ANTIGENS, ROBOT, ALWIL, BROWSE, COMPUSE, COMPUTE, SECUN, SPYW, REGIST, FREE, S, MATH, LAB, IEEE, KDE, TRACK, INFORMATION, FUJI, @MAC, SLACK, REDHA, Vancouver, Ghatkopar, XANDROS, @ABC, @123, LOOKSMART, SYNDICAT, ELEKTRO, ELECTRO, NASA, LUCENT, TELECOM, STUDIO, SIERRA, USERNAME, IPTEK, CLICK, SALES, PROMO, .CA.COM. There is a small difference when the email goes to an address containing one of the following substrings ("Indonesian addresses"): PLASA; TELKOM; INDO; .CO.ID; .GO.ID; .MIL.ID; .SCH.ID; .NET.ID; .OR.ID; .AC.ID; .WEB.ID; .WAR.NET.ID; ASTAGA; GAUL; CAN; EMAILKU; ONE. The difference is in the forged sender: for a non-Indonesian destination the sender becomes @boleh.com, while for an "Indonesian address" the sender becomes @friendster.com (the initial Brontok version used @kafegaul.com for Indonesian addresses and @pornstargals.com for non-Indonesian ones). (Stupidly, the email body stays the same in both cases, and is in English, since the content is downloaded from the Internet.) Caution: one of the many analyses out there states that Brontok does not send itself to Indonesian email addresses.
9. Brontok tries to obtain email addresses by parsing the victim's .HTML, .HTM, .TXT, .EML, .WAB and .PHP files (Brontok searches all of these files for strings of the form xxx@yyy.zzz).
10. Brontok connects to SMTP servers directly when sending email, but does not use the domain's DNS MX (Mail eXchanger) records. If Brontok wants to send to alamat@yahoo.com, it tries the SMTP server mta237.mail.re2.yahoo.com; for other domains it looks for an MX/SMTP server by prepending smtp., mail. or ns1. to the mail domain.
11. Brontok creates a file whose content asks everyone to stop crime (blah blah blah; read other sites if you are curious about the contents).
12. Brontok restarts the computer when a particular program is active. The check is done on program window titles containing one of the strings: REGISTRY, SYSTEM CONFIGURATION, COMMAND PROMPT, .EXE, SHUT DOWN, SCRIPT HOST, LOG OFF WINDOWS, KILLBOX, TASK. The last two strings are new additions, aimed at programs that can kill the Brontok task, for example HijackThis.
13. Brontok schedules itself to run at certain hours. The early version scheduled itself only at 17:08, but the new version also schedules an execution at 11:03 (both daily).
14. Brontok also tries to access shares on the local network and infect them.
15. Brontok contains the string "By: HVM31 - Jowobot #VM Community -" (note the words VM / virus maker community; HVM31 may well have friends who know about this).
16. Older versions of Brontok attacked (that is, attempted a DDoS, Distributed Denial of Service, against) 17tahun.com and israel.gov.il using ping, while the new version attacks www.17tahun.com, www.kaskus.com and www.fajarweb.com with HTTP GET requests.
17. Brontok hits a counter at debuging.com with the URL http://debuging.com/WS1/cgi/x.cgi?NAVG=Tracker&username=%64%65%6C%62%65%6C%62%72%6F (the percent-encoded username decodes to delbelbro). I have not contacted the site's owner. The counter is incremented each time an attack on one of the sites in the list (www.17tahun.com, www.kaskus.com and www.fajarweb.com) completes.
18. Brontok creates the file %windir%\system32\sistem.sis whose content is a code for the time Brontok first became active. The code consists of a 2-digit month, 2-digit day, 2-digit hour and 2-digit minute. Example: 01122245 means Brontok first became active on 01 = January, 12 = the 12th, 22 = 10 PM, 45 = minute 45. This file is also copied into \Documents and Settings\Username\Application Data\ under the name BronMes* (the * part varies).
19. Brontok tries to forcibly kill some processes (running programs) with the command taskkill /f /im processname. The killed processes include other local viruses/worms and some antivirus software. Precisely, the processes killed are: mcvsescn.exe; poproxy.exe; avgemc.exe; ccapps.exe; tskmgr.exe; syslove.exe; xpshare.exe; riyani_jangkaru.exe; systray.exe; ashmaisv.exe; aswupdsv.exe; nvcoas.exe; cclaw.exe; njeeves.exe; nipsvc.exe; dkernel.exe; iexplorer.exe; lexplorer.exe.
20. Brontok changes the attributes of MSVBVM60.DLL in the Windows system directory to hidden, system and read-only. The purpose of this step is to make it harder to delete msvbvm60.dll from DOS mode, a removal technique discussed on several websites (Brontok is written in Visual Basic 6 and cannot run without that runtime DLL).
21. Brontok downloads a file from a random URL (see the section on Brontok updates) and tries to overwrite %windir%\system32\drivers\etc\hosts with the downloaded file.
22. If Brontok finds .DOC, .PDF, .XLS or .PPT files, it resets their attributes to normal; this seems intended to restore documents that other viruses had hidden.
23. Brontok tries to delete files whose names contain the substrings "nostalgic", *RORO*.HTT or FOLDER.HTT. If the file extension is .EXE, Brontok also deletes the file if its name contains one of these substrings: .DOC.EXE; .DOC ; .XLS.EXE; .XLS ; PATAH; stuff; stay; LUCU; MOVZX; love; for; DATA about; RIYANI; JANGKARU; KANGEN; JROX; DIARY; DKERNEL; IEXPLORER; LEXPLORER; ADULTONLY; ASIAN; VIRTUAL GIRL; X-PHOTOS; BESTMODEL; GAME Two people; HOT SCREEN; HOTBABE; NAKED; MODEL VG; SEXY; V-GIRL7; JAPANESEGIRL; POEM (note that Brontok does not delete .DOC files, but files whose name contains ".DOC " followed by a space and that carry the .EXE extension, and likewise for .XLS).
24. Brontok also deletes the files C:\!submit\winword.exe, C:\submit\xpshare.exe, C:\windows\systray.exe, %windir%\systray.exe, %windir%\fonts\tskmgr.exe and C:\windows\rundll32.exe. There are still more files that Brontok deletes (I did not continue the analysis of the deletions past this point).
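To make point 2 actionable, here is an added example (written for this edit, not code from the original post) that triages a `reg export` file for the registry indicators listed there. It parses the .reg text offline, so it runs on any OS against an export taken from a suspect machine, and it checks every ControlSet00X copy of SafeBoot, not only CurrentControlSet, for the reason given in the caution above. SAMPLE_REG is constructed for the example; the executable names in it are placeholders, not real Brontok file names.

```python
"""Offline triage of a Windows `reg export` for the Brontok registry indicators
in point 2.  Added example, not the post's own code.  SAMPLE_REG is constructed."""
import re
from typing import Dict, List, Tuple, Union

Value = Union[str, int]
Finding = Tuple[str, str, str, Value]   # (kind, key, value name, data)

# Run-key value names from point 2; the worm appends "-xxx", so match the prefix.
RUN_PREFIXES = ("TOK-CIRRHATUS", "BRON-SPIZAETUS")

# Values Brontok sets that are NOT Windows defaults: strong indicators.
STRONG = {
    (r"\POLICIES\SYSTEM", "DISABLEREGISTRYTOOLS"): 1,
    (r"\POLICIES\EXPLORER", "NOFOLDEROPTIONS"): 1,
    (r"\EXPLORER\ADVANCED", "HIDDEN"): 0,   # Explorer itself writes only 1 or 2
}
# Values Brontok sets that are ALSO the Windows defaults: corroborating only.
WEAK = {
    (r"\EXPLORER\ADVANCED", "HIDEFILEEXT"): 1,
    (r"\EXPLORER\ADVANCED", "SHOWSUPERHIDDEN"): 0,
}

_LINE = re.compile(r'^"([^"]+)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9A-Fa-f]{8}))$')
_SAFEBOOT = re.compile(r"\\(CURRENTCONTROLSET|CONTROLSET\d{3})\\CONTROL\\SAFEBOOT$")


def parse_reg(text: str) -> Dict[str, Dict[str, Value]]:
    """Parse the .reg subset needed here: [key] headers, "name"="string" and
    "name"=dword:XXXXXXXX.  Keys and value names are upper-cased for matching;
    string data is unescaped (\\\\ -> \\, \\" -> ")."""
    keys: Dict[str, Dict[str, Value]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        m = _LINE.match(line)
        if m and current is not None:
            name, string, dword = m.groups()
            data: Value = int(dword, 16) if dword is not None else re.sub(r"\\(.)", r"\1", string)
            keys[current][name.upper()] = data
    return keys


def load_reg(path: str) -> Dict[str, Dict[str, Value]]:
    """`reg export` writes UTF-16 with a BOM; decode accordingly."""
    with open(path, encoding="utf-16") as f:
        return parse_reg(f.read())


def find_brontok_indicators(keys: Dict[str, Dict[str, Value]]) -> List[Finding]:
    findings: List[Finding] = []
    for key, values in keys.items():
        if key.endswith(r"\CURRENTVERSION\RUN"):
            for name, data in values.items():
                if name.startswith(RUN_PREFIXES):
                    findings.append(("run_value", key, name, data))
        for table, kind in ((STRONG, "policy"), (WEAK, "weak_policy")):
            for (suffix, vname), bad in table.items():
                if key.endswith(suffix) and values.get(vname) == bad:
                    findings.append((kind, key, vname, bad))
        if key.endswith(r"\WINLOGON"):
            shell = values.get("SHELL")
            if isinstance(shell, str) and shell.strip().upper() != "EXPLORER.EXE":
                findings.append(("winlogon_shell", key, "SHELL", shell))
        # Every control set, not just CurrentControlSet: Windows copies SafeBoot
        # into ControlSet00X after a successful restart, so a stale copy can remain.
        if _SAFEBOOT.search(key):
            alt = values.get("ALTERNATESHELL")
            if isinstance(alt, str) and alt.strip().upper() != "CMD.EXE":
                findings.append(("safeboot_shell", key, "ALTERNATESHELL", alt))
    return findings


# Constructed sample export: CurrentControlSet already cleaned, ControlSet001 not.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\sample1.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus-a1b2"="\"C:\\WINDOWS\\sample2.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\sample2.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell"="cmd-bro-a1b2.exe"
'''

if __name__ == "__main__":
    for kind, key, name, data in find_brontok_indicators(parse_reg(SAMPLE_REG)):
        print(f"{kind:15} {key}\\{name} = {data!r}")
```

On a real machine, export the relevant hives with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion hkcu.reg` (and likewise for HKLM\SOFTWARE and HKLM\SYSTEM) and feed them to `load_reg`. Treat `weak_policy` hits as corroboration only: HideFileExt=1 and ShowSuperHidden=0 are what a stock Windows install has.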
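Points 8, 9 and 10 together define how Brontok picks its mail targets. The following added example (written for this edit; it is neither the worm's code nor the author's) re-implements those decision rules so an analyst can predict, for a set of harvested addresses, which would be mailed, which sender domain would be forged and which SMTP hosts would be contacted. Nothing is sent. EXCLUDE is a representative subset of the exclusion substrings in point 8, INDONESIAN is the list from point 8 without its translated entries, and SAMPLE_TEXT is constructed.

```python
"""Model of Brontok's mail-target selection (points 8-10).  Added example, not
the worm's code; EXCLUDE is a subset of the page's list, SAMPLE_TEXT is constructed."""
import re
from typing import List, Tuple

# Point 9: any xxx@yyy.zzz string found in the scanned files.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Point 8: addresses containing any of these substrings are never mailed (subset).
EXCLUDE = ("SECURE", "SUPPORT", "MASTER", "MICROSOFT", "HACK", "CRACK", "LINUX",
           "AVG", "GRISOFT", "SYMANTEC", "NORTON", "PANDA", "SPAM", ".VBS", "FOO@",
           "GOOGLE", "ADMIN", "AVIRA", "AVAST", "NOD32", "REGIST", "FREE", ".CA.COM")

# Point 8: "Indonesian addresses" get a different forged sender domain.
INDONESIAN = ("PLASA", "TELKOM", "INDO", ".CO.ID", ".GO.ID", ".MIL.ID", ".SCH.ID",
              ".NET.ID", ".OR.ID", ".AC.ID", ".WEB.ID", ".WAR.NET.ID",
              "ASTAGA", "GAUL", "EMAILKU")


def harvest_addresses(text: str) -> List[str]:
    """Point 9: collect every address-looking string, deduplicated and sorted."""
    return sorted(set(ADDRESS_RE.findall(text)))


def is_excluded(addr: str) -> bool:
    """Point 8: case-insensitive substring match over the whole address."""
    u = addr.upper()
    return any(s in u for s in EXCLUDE)


def is_indonesian(addr: str) -> bool:
    u = addr.upper()
    return any(s in u for s in INDONESIAN)


def forged_sender_domain(addr: str, early_version: bool = False) -> str:
    """Point 8: the From: domain depends only on the recipient class and version."""
    if is_indonesian(addr):
        return "kafegaul.com" if early_version else "friendster.com"
    return "pornstargals.com" if early_version else "boleh.com"


def smtp_candidates(addr: str) -> List[str]:
    """Point 10: no MX lookup; a hard-coded host for yahoo.com, otherwise
    smtp., mail. and ns1. prepended to the recipient's domain."""
    domain = addr.rsplit("@", 1)[1].lower()
    if domain == "yahoo.com":
        return ["mta237.mail.re2.yahoo.com"]
    return [f"{p}.{domain}" for p in ("smtp", "mail", "ns1")]


def mailing_plan(text: str, early_version: bool = False) -> List[Tuple[str, str, List[str]]]:
    """(recipient, forged sender domain, SMTP hosts to try) for each usable address."""
    plan = []
    for addr in harvest_addresses(text):
        if is_excluded(addr):   # exclusion wins even for Indonesian addresses
            continue
        plan.append((addr, forged_sender_domain(addr, early_version), smtp_candidates(addr)))
    return plan


# Constructed sample of file content the worm would scan.
SAMPLE_TEXT = """Contact budi@kampus.ac.id or ana@yahoo.com; abuse: admin@telkom.net.id,
support@microsoft.com, <a href="mailto:joe@example.org">joe</a>
"""

if __name__ == "__main__":
    for recipient, sender_domain, hosts in mailing_plan(SAMPLE_TEXT):
        print(f"{recipient:22} from @{sender_domain:16} via {', '.join(hosts)}")
```

The `smtp_candidates` rule is also a network tell: a workstation that resolves smtp.X, mail.X and ns1.X for many different domains X without ever issuing an MX query is behaving like this worm, not like a mail client.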
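The sistem.sis stamp from point 18 is useful for an incident timeline, but it carries no year. This added example (written for this edit, not the post's own code) decodes the MMDDhhmm stamp and infers the year from a reference time, normally the file's own modification time: if the stamped month and day fall after the reference date, the stamp must belong to the previous year. The worked value is the page's own 01122245; the file paths are only used by `decode_file` and are not touched by the sample.

```python
"""Decode Brontok's first-activation stamp (sistem.sis / BronMes*, point 18).
Added example, not the post's code."""
import os
from datetime import datetime


def decode_sistem_sis(stamp: str, reference: datetime) -> datetime:
    """Turn an MMDDhhmm stamp into a datetime, taking the year from `reference`
    (the stamp file's mtime in practice) and rolling back a year if needed."""
    s = stamp.strip()
    if len(s) != 8 or not s.isdigit():
        raise ValueError(f"not an MMDDhhmm stamp: {stamp!r}")
    month, day, hour, minute = (int(s[i:i + 2]) for i in (0, 2, 4, 6))
    try:
        first = datetime(reference.year, month, day, hour, minute)
    except ValueError as exc:
        raise ValueError(f"stamp {s} is not a valid date/time") from exc
    if first > reference:   # e.g. a December stamp in a file last written in January
        try:
            first = first.replace(year=reference.year - 1)
        except ValueError as exc:   # 29 Feb with a non-leap previous year
            raise ValueError(f"stamp {s} cannot belong to {reference.year - 1}") from exc
    return first


def decode_file(path: str) -> datetime:
    """Read the stamp from a sistem.sis or BronMes* copy, using its mtime as reference."""
    with open(path, "r", encoding="ascii", errors="ignore") as f:
        stamp = f.read()
    return decode_sistem_sis(stamp, datetime.fromtimestamp(os.path.getmtime(path)))


if __name__ == "__main__":
    # The page's worked value, decoded against two different reference times.
    print(decode_sistem_sis("01122245", datetime(2006, 3, 1)))   # 2006-01-12 22:45:00
    print(decode_sistem_sis("01122245", datetime(2006, 1, 5)))   # 2005-01-12 22:45:00
```

Because the worm rewrites nothing in this file after first activation, the file's creation time (from the MFT, not the mtime reported by Explorer) is usually the better reference when it is available; either way, cross-check the result against the earliest Tok-Cirrhatus / Bron-Spizaetus Run value write time in the registry.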
