W32/Brontok.Q@mm

Analysis


  • It drops the following files (%Windows%, %System% and %CurrentUser% stand for the Windows directory, the system32 directory and the current user's profile directory):
    • %Windows%\eksplorasi.exe
    • %Windows%\ShellNew\bronstab.exe
    • %Windows%\system32\User's Setting.scr
    • %Windows%\Tasks\At1.job
    • %CurrentUser%\Local Settings\Application Data\Bron.tok-10-12
    • %CurrentUser%\Local Settings\Application Data\csrss.exe
    • %CurrentUser%\Local Settings\Application Data\inetinfo.exe
    • %CurrentUser%\Local Settings\Application Data\ListHost10.txt
    • %CurrentUser%\Local Settings\Application Data\lsass.exe
    • %CurrentUser%\Local Settings\Application Data\services.exe
    • %CurrentUser%\Local Settings\Application Data\smss.exe
    • %CurrentUser%\Local Settings\Application Data\Update.10.Bron.Tok.bin
    • %CurrentUser%\Local Settings\Application Data\winlogon.exe
    • %CurrentUser%\Start Menu\Programs\Startup\Empty.pif
    • %CurrentUser%\Templates\WowTumpeh.com
  • To execute itself automatically at startup, the malware adds the following registry values (note that the copies named csrss.exe, lsass.exe, services.exe, smss.exe and winlogon.exe live in the user's profile, not in system32, which is what distinguishes them from the legitimate Windows processes of the same name):
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Tok-Cirrhatus = %CurrentUser%\Local Settings\Application Data\smss.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Bron-Spizaetus = %Windows%\ShellNew\bronstab.exe
  • Additionally, it creates a JOB file in the %Windows%\Tasks folder that automatically executes the file %CurrentUser%\Templates\WowTumpeh.com.

  • The malware also hampers inspection and cleanup by disabling the Registry Editor, restricting the command prompt, and removing the Folder Options menu (so that hidden files and file extensions stay hidden). It does this by creating or modifying the following registry values:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • DisableRegistryTools = 01
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • DisableCMD = 00
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • NoFolderOptions = 01
    Note that for DisableCMD a value of 0 is the setting that leaves cmd.exe enabled; only the values 1 (disable the command prompt and batch files) and 2 (disable the command prompt only) actually restrict it, so the value as listed does not by itself block the command prompt.
  • It also overwrites the contents of Autoexec.bat with the single command pause, which causes Windows 9x-based systems to stop during boot and wait for the user to press a key.

  • The malware arrives as an attachment to a spammed e-mail, using any of the following attachment filenames:
    • DOC.EXE
    • XLS.EXE
    • PATAH
    • HATI
    • CINTA
    • UNTUKMU
    • DATA-TEMEN
    • RIYANI
    • JANGKARU
    • KANGEN
  • The malware contains its own SMTP engine and harvests target e-mail addresses from the infected host's address book. It may spoof the From field with any of the following addresses:
    • Berita_@kafegaul.com
    • GaulNews_@kafegaul.com
    • Movie_@playboy.com
    • HotNews_@playboy.com
  • The malware may also modify the file %System%\drivers\etc\hosts to prevent the infected user from reaching various security-related websites.

  • The malware uses an icon that resembles a Windows folder so that it appears less conspicuous.
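As an added worked example (this is not part of Fortinet's page and not Fortinet code), the following Python script checks an exported .reg file and a list of file paths for the persistence, policy and drop-file indicators listed above: the two Run values, the three policy values (with DisableCMD only flagged when its value actually restricts cmd.exe), the dropped file names, and the system-process names that are only suspicious when they sit in the user's profile rather than in system32. The registry export and the file list are constructed for illustration; every function and constant name is this example's own.

```python
"""Offline IOC check for the W32/Brontok.Q@mm indicators described above.
Added example; the .reg text and file list below are constructed, not captured."""
import re

# Autostart values the description attributes to the worm: (key, value name).
RUN_INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Tok-Cirrhatus"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Bron-Spizaetus"),
]

# Policy values and the settings that actually restrict the user. DisableCMD is
# only restrictive at 1 or 2; a value of 0 leaves cmd.exe enabled and is not flagged.
POLICY_INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", {1}),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCMD", {1, 2}),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", {1}),
]

# Names unique to the worm's drops (lower-cased; Windows paths are case-insensitive).
DROPPED_BASENAMES = {"eksplorasi.exe", "bronstab.exe", "user's setting.scr", "at1.job",
                     "wowtumpeh.com", "empty.pif", "bron.tok-10-12", "listhost10.txt",
                     "update.10.bron.tok.bin"}
# Legitimate system process names that the worm reuses; suspicious only under the profile.
MASQUERADE_NAMES = {"csrss.exe", "inetinfo.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe"}
PROFILE_DROP_DIR = "\\local settings\\application data\\"

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo REGEDIT5 escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse the string and dword subset of REGEDIT5 syntax.
    Returns {key_lower: {value_name_lower: value}}; dwords become int."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)).lower(), m.group(2)
        if data.startswith("dword:"):
            reg[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            reg[current][name] = _unescape(data[1:-1])
        else:
            reg[current][name] = data  # hex(...) and other types kept raw
    return reg


def find_brontok_indicators(reg, file_paths=()):
    """Return human-readable findings for the registry map and file path list."""
    findings = []
    for key, name in RUN_INDICATORS:
        target = reg.get(key.lower(), {}).get(name.lower())
        if target is not None:
            findings.append(f"autostart {key}\\{name} -> {target}")
    for key, name, restrictive in POLICY_INDICATORS:
        value = reg.get(key.lower(), {}).get(name.lower())
        if isinstance(value, int) and value in restrictive:
            findings.append(f"policy {key}\\{name} = {value}")
    for path in file_paths:
        low = path.replace("/", "\\").lower()
        base = low.rsplit("\\", 1)[-1]
        if base in DROPPED_BASENAMES:
            findings.append(f"dropped file {path}")
        elif base in MASQUERADE_NAMES and PROFILE_DROP_DIR in low:
            findings.append(f"system process name outside system32: {path}")
    return findings


# Constructed sample export: two worm Run values, one legitimate Run value,
# DisableRegistryTools and NoFolderOptions set, DisableCMD left at 0.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"="C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\smss.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="C:\\WINDOWS\\ShellNew\\bronstab.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
'''

# Constructed file list: the real smss.exe in system32 must not be flagged.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\smss.exe",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\smss.exe",
    r"C:\WINDOWS\Tasks\At1.job",
    r"C:\Documents and Settings\alice\Templates\WowTumpeh.com",
    r"C:\WINDOWS\system32\cmd.exe",
]


def scan_sample():
    return find_brontok_indicators(parse_reg_export(SAMPLE_REG), SAMPLE_FILES)


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

On a live host the same checks would be run against `reg export` output and a directory listing of the profile and Windows directories; the At1.job hit is worth confirming by reading the job's target, since At1.job is also the default name for any job created with at.exe.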

  Recommended Action

      FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the 'Allow Push Update' option.
      FortiClient Systems
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Telemetry

    Detection Availability

    FortiGate: Extended
    FortiClient
    FortiMail
    FortiSandbox
    FortiWeb: Web Application Firewall
    FortiIsolator
    FortiDeceptor
    FortiEDR

    Version Updates

    Date Version Detail
    2022-11-07 90.07624
    2022-09-19 90.06133
    2022-09-09 90.05835
    2022-07-05 90.03884
    2021-11-30 89.07343
    2021-09-07 88.00941
    2021-08-31 88.00773
    2021-08-18 88.00466
    2021-08-15 88.00394
    2021-07-27 87.00933