W32/Brontok.A@mm
Analysis
W32/Brontok.A@mm - 06-10-05
More Info:
- c:\Documents and Settings\User\Local Settings\Application Data\csrss.exe
- c:\Documents and Settings\User\Local Settings\Application Data\inetinfo.exe
- c:\Documents and Settings\User\Local Settings\Application Data\lsass.exe
- c:\Documents and Settings\User\Local Settings\Application Data\services.exe
- c:\Documents and Settings\User\Local Settings\Application Data\smss.exe
- c:\Documents and Settings\User\Local Settings\Application Data\winlogon.exe
- c:\Documents and Settings\User\Start Menu\Programs\Startup\Empty.pif
- c:\Documents and Settings\User\Templates\WowTumpeh.com
- c:\System\'s Setting.scr
- c:\Windir\eksplorasi.pif
- c:\Windir\ShellNew\bronstab.exe
- key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- value: Bron-Spizaetus
- data: c:\windows\ShellNew\bronstab.exe
- key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- value: Tok-Cirrhatus
- data: c:\Documents and Settings\User\Local Settings\Application Data\smss.exe
- key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- value: Shell
- data: Explorer.exe c:\windows\eksplorasi.pif
- key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- value: NoFolderOptions
- data: 1
- key: HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced
- value: Hidden
- data: 0
- key: HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced
- value: ShowSuperHidden
- data: 0
- key: HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced
- value: HideFileExt
- data: 1
- key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- value: DisableRegistryTools
- data: 1
- key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- value: DisableCMD
- data: 0
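As an added example that is not part of the Fortinet analysis, the following PowerShell script performs a read-only audit of a host for the registry entries listed above. The HKLM autorun values and the hijacked Winlogon `Shell` are treated as strong indicators; the HKCU Explorer and policy values are reported as weak because they can also be set by legitimate policy, and they are checked only for the user running the script.

```powershell
# Added example (not Fortinet's code): read-only audit for the W32/Brontok.A@mm
# registry changes listed in the analysis above. Nothing is modified.

$indicators = @(
    # Strong: autorun values and the replaced Winlogon shell are specific to this worm.
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'Bron-Spizaetus'; Expect = $null;           Strength = 'strong' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'Tok-Cirrhatus';  Expect = $null;           Strength = 'strong' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';          Expect = 'eksplorasi.pif'; Strength = 'strong' },
    # Weak: these values also occur on clean systems (policy or user preference); corroborate before acting.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Expect = 1; Strength = 'weak' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Expect = 1; Strength = 'weak' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';               Expect = 0; Strength = 'weak' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden';      Expect = 0; Strength = 'weak' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';          Expect = 1; Strength = 'weak' }
)

function Test-BrontokIndicator {
    param([hashtable]$Ind)
    if (-not (Test-Path -LiteralPath $Ind.Path)) { return }
    $item = Get-ItemProperty -LiteralPath $Ind.Path -Name $Ind.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }                        # value not present: nothing to report
    $actual = $item.($Ind.Name)
    if ($null -eq $Ind.Expect)        { $hit = $true }                               # presence alone is the indicator
    elseif ($Ind.Expect -is [string]) { $hit = "$actual" -like "*$($Ind.Expect)*" }  # e.g. 'Explorer.exe c:\windows\eksplorasi.pif'
    else                              { $hit = [int]$actual -eq [int]$Ind.Expect }
    if ($hit) {
        [pscustomobject]@{ Strength = $Ind.Strength; Key = $Ind.Path; Value = $Ind.Name; Data = $actual }
    }
}

$findings = @(foreach ($i in $indicators) { Test-BrontokIndicator -Ind $i })
$strong   = @($findings | Where-Object Strength -eq 'strong')

if ($strong.Count -gt 0) {
    Write-Warning "W32/Brontok.A@mm registry indicators present ($($strong.Count) strong, $($findings.Count - $strong.Count) weak):"
    $findings | Sort-Object Strength | Format-Table -AutoSize
} elseif ($findings.Count -gt 0) {
    Write-Host "Only weak indicators found; these settings may be legitimate policy:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No W32/Brontok.A@mm registry indicators found."
}
```

A clean host normally has `Shell` set to `Explorer.exe` alone, so any additional executable in that value warrants inspection even if the Run entries have already been removed.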
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the 'Allow Push Update' option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.