It affects computers which runs Windows operating system. It is also known as mass-mailing e-mail Worm. It spreads via e-mail attachments, file transfer, USB and flash drives etc.
Attacks:
When the infected e-mail attachment is opened, the worm may use various methods to run automatically each time Windows starts. Automatic startup methods that the worm employs may include:
- Placing a copy of itself in the user's startup folder, i.e. %homepath%\Start Menu\Programs\Startup\Empty.pif
- Adding a scheduled task to run %homepath%\Templates\A.kotnorB.com each day at 5:08 p.m.
- Adding registry value: "Tok-Cirrhatus"
- Adding registry value: "Bron-Spizaetus"
- Adding registry value: Shell
with data: "explorer.exe " <path to Win32/Brontok worm> - Modifies registry value: AlternateShell
with data: <Win32/Brontok file name>
in registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
Note: the default setting for this key is "AlternateShell"="cmd.exe"
with data: <path to Win32/Brontok worm>
in subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
in subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
with data: <path to Win32/Brontok worm>
in subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
in subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
in registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
Brontok may attempt to lower security settings by making the following changes:
- Prevents the user from accessing the Registry Editor by making the following registry edit:
- Prevents the display of files and folders with the 'hidden' attribute set:
- Prevents the display of Windows system files:
Adds value: DisableRegistryTools
With data: 1
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
With data: 1
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Adds value: Hidden
With data: 0
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
With data: 0
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: ShowSuperHidden
With data: 0
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
With data: 0
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Prevents the display of executable file extensions:
- Prevents access to the Folder Options menu:
- Modifies the Windows HOSTS file to prevent access to certain Internet sites, the majority of which are antivirus or security-related.
- Attempts ping attacks against certain Web sites, presumably to launch a form of denial of service (DoS) attack.
- Terminates applications or restarts Windows when the title of the active window contains certain strings, many of which may be representative of antivirus or system tools that might ordinarily be used to detect or remove the worm.
- Overwrites the autoexec.bat file with the word "pause", causing systems that employ the autoexec.bat file to pause on bootup. Some variants of Win32/Brontok may modify the autoexec.bat in order to display a message during bootup.
Adds value: HideFileExt
With data: 1
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
With data: 1
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: NoFolderOptions
With data: 1
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
With data: 1
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Countermeasures:
- Patch and update your operating system on daily basis
- Enable firewall protection
- Don't download unauthorizes email attachments
- Please scan downloaded attachments, USB pen drives, CDs, Floppy
- Use antivirus and updates it on daily basis