I-Worm.Win32.Brontok.45508
種類
I-Worm
危険度/拡散度
/
発見日
[korea] 2009-12-06 [Foreign] 0000-00-00
Virobot対応
2009-12-07 [Able to detect & repair]

[Symptoms of Infection]

1) It creates files to below path.

(User Folder)\Local Settings\Application Data\services.exe
(User Folder)\Local Settings\Application Data\lsass.exe
(User Folder)\Local Settings\Application Data\inetinfo.exe
(User Folder)\Local Settings\Application Data\winlogon.exe
(User Folder)\Local Settings\Application Data\br(Random number)on.exe
(User Folder)\Local Settings\Application Data\csrss.exe
(User Folder)\Local Settings\Application Data\smss.exe
(User Folder)\Local Settings\Application Data\svchost.exe
(User Folder)\Local Settings\Application Data\Kosong.Bron.Tok.txt (Stings)
(User Folder)\Templates\(Random number)-NendangBro.com
(Windows Folder)\KesenjanganSosial.exe
(Windows Folder)\ShellNew\RakyatKelaparan.exe
(System Folder)\cmd-brontok.exe
(System Folder)\(User Account)'s Setting.scr
(Startup Programs Folder)\Empty.pif
(Route)\(Random number)-NendangBro.com
 

2) The contents of the created Kosong.Bron.Tok.txt file is like below.

       Brontok.A

       By: HVM31

       -- JowoBot #VM Community --

3) It writes a string like "pause" to (Route)\autoexec.bat file.

4) It adds registry for automatic execution on system boot.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
- Shell : (Windows Folder)\kesenjangansosial.exe
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Bron-Spizaetus : (Windows Folder)\ShellNew\RakyatKelaparan.exe
 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Tok-Cirrhatus-(Random number) : (User Folder)\Local Settings\Application Data\br(Random number)on.exe
 

5) By modifying registry value, it restrics the use of folder option, registry, and CMD.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- NoFolderOptions : 1
 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- DisableRegistryTools : 1
 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- DisableCMD : 0
 

6) By modifying registry value, it hides below files.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\advanced
- Hidden : 0
 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\advanced
- HideFileExt : 1
 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\advanced
- ShowSuperHidden : 0
 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\advanced
- SuperHidden : 0

7) By registering to scheduling job, it is executed 2 times in a day.

 

8) It downloads datas by accessing to a certain server.

 

9) It send a mail to certain mail account.

 

10) Once a program which has certain string is executed, it reboots system. 

[How to repair]

1. If you are WinXP/ME users, please be inactivate System Recovery Function.

The reason why being inactivate of the system recovery is to clean the virus completely.
You can refer to MS technical documents(Q263455) for more details.

2. Update the engine module for the latest one.
To repair this virus, you need to update the engine for the latest one.

a. ViRobot products users
     -Download the latest engine files via our website (www.hauri.net)

b. Non-ViRobot products users
     - Use the LiveCall (Free Scan) via the website (http://www.livecall.co.kr)

     - Use the trial version of ViRobot products (30days only)

3. How to scan the virus.

a. Run your ViRobot, and choose "all files" in scan option.

- ViRobot Desktop 5.0 : [Tools] -> [Configuration] -> [Virus Scan] : Check all files

- ViRobot Desktop 5.5 : [Tools] -> [Configuration] -> [Virus Scan] : Check all files

- LiveCall (Free Scan) : [Advanced Scan] : Check

b. Repair all viruses detected.

c. If [Auto-repair after rebooting] message shows up, please try to re-scan after rebooting the PC.