The first version of Brontok updated itself from http://www.geocities.com/jowobot123/. I asked GeoCities for the logs, but that site is already closed, so my research does not go further into the first Brontok version. That version downloaded the file BrontokInf3.txt from the site and processed its contents (the details are not part of my analysis).
The latest version uses random URLs instead, much like the Sober worm's use of random URLs. Sober's random URLs are likewise used for self-updating (the downloaded file does not always have to be a Brontok update; its content can also be vandal code).
The latest version downloads from one of the following URLs, with a random file name:
http://www.20mbweb.com/Kids/dbrosji/
http://www.20mbweb.com/Kids/dbrolro/
http://www.20mbweb.com/Kids/dbrotlu/
http://www.20mbweb.com/Kids/dbrotppt/
http://www.20mbweb.com/Kids/dbrolma/
But this site, 20mbweb.com (read: 20 MB web), being a free hosting site, is closed as well (poor Brontok: it built such a complicated update algorithm for nothing).
The URLs above are also the source for downloading Host[N].css, where N is the Brontok version. When Brontok is active, it selects one of the URLs at random and uses that URL.
Here is Brontok's update algorithm:
1. Brontok picks a random URL (one of the URLs above).
2. Brontok builds a URL by appending IN.18.css (18 is the version of the Brontok sample I currently have).
3. Brontok downloads the URL from the previous step into a file (Update.Bron.Tok.bin) whose content is a list of files to delete, the size of the new Brontok, and a new URL prefix (call it Z).
4. Brontok deletes the files listed in the downloaded result and creates a file szbro[N].txt containing the size of the new Brontok (N is the current Brontok version).
5. Brontok produces a string from the current minute value X. The string is formed from the array (lon, UTS, AUD, Aug, TPE, AML, MNE, HJT, PLD, LBS); note that these are actually the Indonesian words for zero, one, two, three, etc. written backwards. So minute 15 produces the string UTSAML (UTS = 1, AML = 5). If the minute is < 10, it is padded with the zero token so that it is always two digits.
6. Brontok forms the URL by appending the string plus .ico to Z (this is the new Brontok exe file).
7. Brontok downloads the file and checks that its size is between 43,000 and 49,000 bytes (exclusive), and compares it with the size stored in szbro[N].txt. If the file is too large or too small, or its size does not match the contents of szbro[N].txt, Brontok cancels the update process.
8. The downloaded exe file is saved as Update.AN.[N].A.Bron.Tok.exe.
9. Brontok copies Update.AN.[N].A.Bron.Tok.exe to A.Bron.Tok.tempo.exe and deletes Update.AN.[N].A.Bron.Tok.exe.
10. Brontok executes the file A.Bron.Tok.tempo.exe.
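As an added example (not code from the original post, and not Brontok's own code), the following Python models the update naming scheme described in steps 2, 5, 6 and 7 from a defender's side: it expands the minute-to-token encoding into the full set of 60 possible payload names and then scans proxy log lines for manifest (IN.[N].css) and payload (token.ico) fetches, applying the same size window the worm uses. The ten digit tokens are copied from the post's list; writing them all in upper case, and reading the post's "lon" as the zero token, are assumptions. The log lines are constructed for the example.

```python
import re

# Digit tokens as listed in the post (index = digit). Upper-casing all of
# them is an assumption; the post prints "lon" and "Aug" in mixed case.
DIGIT_TOKENS = ["LON", "UTS", "AUD", "AUG", "TPE", "AML", "MNE", "HJT", "PLD", "LBS"]

# Reverse map from a two-token string back to the minute it encodes (00..59).
TOKEN_TO_MINUTE = {
    DIGIT_TOKENS[tens] + DIGIT_TOKENS[ones]: 10 * tens + ones
    for tens in range(6) for ones in range(10)
}

# Size window from step 7 (exclusive on both ends).
MIN_SIZE_EXCL = 43_000
MAX_SIZE_EXCL = 49_000

# Manifest name from step 2: IN.<version>.css
MANIFEST_RE = re.compile(r"/IN\.(\d+)\.css$")


def minute_token(minute: int) -> str:
    """Encode a minute value (0-59) as Brontok's two-token string, e.g. 15 -> UTSAML."""
    if not 0 <= minute <= 59:
        raise ValueError("minute must be in 0..59")
    tens, ones = divmod(minute, 10)  # divmod gives the leading-zero padding for free
    return DIGIT_TOKENS[tens] + DIGIT_TOKENS[ones]


def update_payload_name(minute: int) -> str:
    """File name of the update payload for a given minute (step 6)."""
    return minute_token(minute) + ".ico"


def candidate_payload_names() -> set:
    """All 60 payload names a defender could block or alert on."""
    return {update_payload_name(m) for m in range(60)}


def manifest_url(base: str, version: int) -> str:
    """URL of the update manifest for a version (step 2)."""
    return f"{base}IN.{version}.css"


def update_size_plausible(size: int, expected_size: int) -> bool:
    """Step 7 check: inside the (43000, 49000) window and equal to szbro[N].txt."""
    return MIN_SIZE_EXCL < size < MAX_SIZE_EXCL and size == expected_size


def classify_request(url: str):
    """Return ("manifest", version), ("payload", minute) or None for a URL."""
    m = MANIFEST_RE.search(url)
    if m:
        return ("manifest", int(m.group(1)))
    name = url.rsplit("/", 1)[-1]
    if name.endswith(".ico") and name[:-4] in TOKEN_TO_MINUTE:
        return ("payload", TOKEN_TO_MINUTE[name[:-4]])
    return None


def find_update_fetches(log_text: str) -> list:
    """Scan 'date time METHOD url status bytes' proxy lines for update traffic."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        url, size = fields[3], int(fields[5])
        kind = classify_request(url)
        if kind is None:
            continue
        hits.append({
            "url": url,
            "kind": kind[0],
            "value": kind[1],
            "size": size,
            "size_in_window": MIN_SIZE_EXCL < size < MAX_SIZE_EXCL,
        })
    return hits


# Constructed sample proxy log (not real traffic); hosts from the post's URL list.
SAMPLE_PROXY_LOG = """\
2008-11-06 10:15:02 GET http://www.20mbweb.com/Kids/dbrosji/IN.18.css 200 812
2008-11-06 10:15:03 GET http://www.20mbweb.com/Kids/dbrosji/UTSAML.ico 200 45210
2008-11-06 10:15:05 GET http://www.example.com/index.html 200 5120
2008-11-06 10:31:44 GET http://www.20mbweb.com/Kids/dbrolma/AUGUTS.ico 200 52000
"""

if __name__ == "__main__":
    for hit in find_update_fetches(SAMPLE_PROXY_LOG):
        print(hit)
```

In the sample log the first payload fetch (minute 15) falls inside the size window, while the second (minute 31) is 52,000 bytes and would have been rejected by the worm's own check; both are still worth alerting on, since the naming pattern alone is the indicator.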
Brontok also downloads a file from the same site named Bron-ID.xxx.css, where xxx is a value generated algorithmically. The contents of that file become the body of the emails sent to other people, so this is another way the virus is updated (the email content can be replaced remotely by Brontok's operator).
Brontok Update
Posted by
UsyL-MeL iN OnLiNe
Thursday, 06 November 2008