Brontok

Last updated

Brontok is a computer worm [1] running on Microsoft Windows. It is able to disperse by e-mail. Variants include:

Contents

The most affected countried were Russia, Vietnam and Brazil, followed by Spain, Mexico, Iran, Azerbaijan, India and the Philippines. [2]

Other names

Other names for this worm include: W32/Rontokbro.gen@MM, W32.Rontokbro@mm, BackDoor.Generic.1138, W32/Korbo-B, Worm/Brontok.a, Win32.Brontok.A@mm, Worm.Mytob.GH, W32/Brontok.C.worm, Win32/Brontok.E, Win32/Brontok.X@mm, and W32.Rontokbro.D@mm. [3]

Origin

Brontok originated in Indonesia. [1] It was first discovered in 2005. [1] The name refers to elang brontok, a bird species native to South & Southeast Asia. It arrives as an attachment of e-mail named kangen.exe (kangen itself means "to miss someone/thing").

The virus/email itself contains a message in Indonesian (and some English). When translated, this reads:

 [By: HVM31 JowoBot #VM Community] -- stop the collapse in this country—1. Try the Hoodlums, the Smugglers, the Bribers, the gamblers, & drugs  Port (Send to "Nusakambangan") --   2.Stop Free Sex, Abortion, & Prostitution (Go To HELL)  3.Stop (sea and river pollution), forest burning, & wild hunting.   4.SAY NO TO DRUGS!!! - THE END IS NEAR -   5. Do you think you're smart?  Inspired by: (Spizaetus Cirrhatus) that is almost extinct [By: HVM31 JowoBot #VM Communityunity -- [4] 

It also contains a JavaScript pop-up.

The worm also carried out a ping flood attack on two websites: Israel.gov.il and playboy.com, possibly in an act of hacktivism. A number of other websites with .com TLD were also attacked, prompting popular Indonesian forum Kaskus to switch to .us TLD until May 2012. Brontok inspired the creation of a more persistent trojan/worm such as Daprosy Worm which attacked internet cafes in July 2009.

Symptoms

When Brontok is first run, it copies itself to the user's application data directory. It then sets itself to start up with Windows, by creating a registry entry in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key. It disables the Windows Registry Editor (regedit.exe) and modifies Windows Explorer settings. It removes the option of "Folder Options" in the Tools menu so that the hidden files, where it is concealed, are not easily accessible to the user. It also turns off Windows firewall. In some variants, when a window is found containing certain strings (such as "application data") in the window title, the computer reboots. User frustration also occurs when an address typed into Windows Explorer is blanked out before completion. Using its own mailing engine, it sends itself to email addresses it finds on the computer, even faking the own user's email address as the sender.

The computer also restarts when trying to open the Windows Command Prompt and prevents the user from downloading files. It also pop ups the default Web browser and loads a web page (HTML) which is located in the "My Pictures" (or on Windows Vista, "Pictures") folder. It creates .exe files in folders usually named as the folder itself (..\documents\documents.exe) this also includes all mapped network drives. [5]

Removal

Brontok can be removed by most antivirus software although there are various standalone tools available by antivirus providers.

Related Research Articles

mydoom also known as, my.doom, W32.MyDoom@mm, Novarg, Mimail.R, Shimgapi, W32/Mydoom@MM, WORM_MYDOOM, Win32.Mydoom is a computer worm affecting Microsoft Windows. It was first sighted on January 26, 2004. It became the fastest-spreading e-mail worm ever, exceeding previous records set by the Sobig worm and ILOVEYOU, a record which as of 2022 has yet to be surpassed.

Bagle was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.

Upering is a mass-mailing computer worm. It was isolated in Tacoma, Washington, in the United States, from several submissions from America Online members. As of late 2005, it is listed on the WildList, and has been since 2003.

The Sober worm is a family of computer worms that was discovered on October 24, 2003. Like many worms, Sober sends itself as an e-mail attachment, fake webpages, fake pop-up ads, and fake advertisements.

Blackworm is an Internet worm discovered on January 20, 2006 that infects several versions of Microsoft Windows. It is also known as Grew.a, Grew.b, Blackmal.e, Nyxem.e, Nyxem.d, Mywife.d, Tearec.a, CME-24, and Kama Sutra.

CTX is a computer virus created in Spain in 1999. CTX was initially discovered as part of the Cholera worm, with which the author intentionally infected with CTX. Although the Cholera worm had the capability to send itself via email, the CTX worm quickly surpassed it in prevalence. Cholera is now considered obsolete, while CTX remains in the field, albeit with only rare discoveries.


The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

W32.Navidad is a mass-mailing worm program or virus, discovered in December 2000 that ran on Windows 95, Windows 98, Windows NT, and Windows 2000 systems. It was designed to spread through email clients such as Microsoft Outlook while masquerading as an executable electronic Christmas card. Infected computers can be identified by blue eye icons which appear in the Windows system tray.

RavMonE, also known as RJump, is a Trojan that opens a backdoor on computers running Microsoft Windows. Once a computer is infected, the virus allows unauthorized users to gain access to the computer's contents. This poses a security risk for the infected machine's user, as the attacker can steal personal information, and use the computer as an access point into an internal network.

ExploreZip is a destructive computer worm that attacks machines running Microsoft Windows. It was first discovered in Israel on June 6, 1999. The worm contains a malicious payload, and utilizes Microsoft Outlook, Outlook Express, or Exchange to mail itself out by replying to unread messages in the user's inbox. The worm also searches mapped drives and networked computers for Windows installations. If found, it copies itself to the Windows folder of the remote computer and then modifies the Win.ini file of the infected computer. On January 8, 2003, Symantec discovered a packed variant of this threat which exhibits the same characteristics.

Storm Worm Backdoor Trojan horse found in Windows

The Storm Worm is a phishing backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:

<span class="mw-page-title-main">Computer virus</span> Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

<span class="mw-page-title-main">Conficker</span> Computer worm

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.

Happy99 Windows computer worm and early e-mail virus

Happy99 is a computer worm for Microsoft Windows. It first appeared in mid-January 1999, spreading through email and usenet. The worm installs itself and runs in the background of a victim's machine, without their knowledge. It is generally considered the first virus to propagate by email, and has served as a template for the creation of other self-propagating viruses. Happy99 has spread on multiple continents, including North America, Europe, and Asia.

Pikachu virus Computer email worm geared to children

The Pikachu virus, sometimes referred to as Poké Virus, was a computer worm believed to be the first malware geared at children due to its incorporation of Pikachu from the Pokémon series. It was released on June 28, 2000, and arrived in the form of an email titled "Pikachu Pokemon" [sic] with the body of the e-mail containing the text "Pikachu is your friend." Opening the attached executable shows users an image of Pikachu, along with a message stating: "Between millions of people around the world I found you. Don’t forget to remember this day every time MY FRIEND!" The worm itself appeared in the attachment to the email as a file named "PikachuPokemon.exe".

The Fun.Exe virus is of the w32.Assarm family of computer viruses. According to Symantec it registers itself as a Windows system process then periodically sends mail with spreading attachments as a response to any unopened emails in Outlook Express. This virus first appeared in early 2008 and is now recognized by most anti virus programs.

Swen is a mass mailing computer worm written in C++. It sends an email which contains the installer for the virus, disguised as a Microsoft Windows update, although it also works on P2P filesharing networks, IRC and newsgroups' websites. It was first analyzed on September 18, 2003, however, it might have infected computers before then. It disables firewalls and antivirus programs.

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks. Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

Gruel is a worm first surfaced in 2003 targeting Microsoft Windows platforms. It spreads via email and file sharing networks.

References

  1. 1 2 3 Yuliansyah (2010), Mengembalikan Data yang Hilang Akibat Virus (in Indonesian), Penerbit Mediakom, p. 10, ISBN   978-979-8771-03-3
  2. "Kaspersky Threats — Brontok". threats.kaspersky.com.
  3. "Worm:Win32/Brontok.AR@mm". Microsoft. Retrieved 14 February 2013.
  4. "Win32.Brontok.A@mm". Bitdefender. Retrieved 14 February 2013.
  5. "Win32/Brontok". Microsoft. Retrieved 14 February 2013.