Friday, March 19, 2010

Brontok As a Complex Email Virus

Brontok is a complex e-mail virus. This particular variant was discovered at the end of March 2006. The virus spreads as an attachment to e-mail messages. It also disables anti-virus software, generates numerous copies of itself on the local hard disk, and takes steps to complicate its removal.
Installation on the System

After the virus file is started, it copies itself under different names to different folders on the local hard drive. The file names can be semi-randomly generated, or they can be any of the following:

• csrss.exe
• inetinfo.exe
• lsass.exe
• services.exe
• smss.exe
• winlogon.exe

Some of the worm's files have the hidden, system, and read-only attributes set. The virus can create its files with COM, EXE, and PIF extensions. The Brontok virus creates multiple launch points for the copied files. These include startup Registry keys as well as scheduled jobs, for instance:

Status  ID  Day                   Time      Command Line
        1   Each M T W Th F S Su  5:08 PM   "C:\Documents and"
        2   Each M T W Th F S Su  11:03 AM  "C:\Documents and Settings\User\Local Settings\Application Data\"
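The behaviour described above (system process names reused outside their normal location, COM/PIF variants of those names, the hidden+system+read-only attribute combination, and scheduled jobs that launch from a user profile) gives a defender concrete things to check. The following Python script is an added example, not code from the original post or from any Brontok analysis tool; it applies those checks to a constructed inventory of files and scheduled-job command lines. The trusted directory list, the profile-root prefixes, and the FileEntry record shape are assumptions and would be adapted to the environment being examined.

```python
import ntpath
from dataclasses import dataclass

# Process names that the write-up lists as reused by the worm's copies.
MASQUERADED_NAMES = {"csrss", "inetinfo", "lsass", "services", "smss", "winlogon"}
# Extensions the write-up says the copies are created with.
SUSPECT_EXTENSIONS = {".exe", ".com", ".pif"}
# Assumed: where these names legitimately live on a default Windows install.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\system32\inetsrv"}
# Assumed: roots of user profiles; a launch point under these is suspicious.
PROFILE_ROOTS = ("c:\\documents and settings\\", "c:\\users\\")


@dataclass(frozen=True)
class FileEntry:
    """One inventoried file: full path plus its attribute flags (constructed shape)."""
    path: str
    attributes: frozenset  # subset of {"hidden", "system", "readonly"}


def flag_file(entry):
    """Return the reasons this file resembles a Brontok drop (empty list if none)."""
    reasons = []
    directory, filename = ntpath.split(entry.path)
    stem, ext = ntpath.splitext(filename)
    stem, ext = stem.lower(), ext.lower()
    directory = directory.lower().rstrip("\\")

    if stem in MASQUERADED_NAMES and ext in SUSPECT_EXTENSIONS:
        if directory not in TRUSTED_DIRS:
            reasons.append(f"system process name '{filename}' outside trusted directories")
        elif ext != ".exe":
            # A real csrss/smss/etc. is an EXE; a COM or PIF twin is a lookalike.
            reasons.append(f"system process name with non-EXE extension '{ext}'")

    if {"hidden", "system", "readonly"} <= entry.attributes and ext in SUSPECT_EXTENSIONS:
        reasons.append("executable with hidden+system+read-only attributes")
    return reasons


def flag_scheduled_job(command_line):
    """True if a scheduled job's command line launches from a user-profile location."""
    cmd = command_line.strip().strip('"').lower()
    return any(cmd.startswith(root) for root in PROFILE_ROOTS)


def scan(files, jobs):
    """Run both checks; returns ({path: reasons}, [flagged job command lines])."""
    findings = {f.path: flag_file(f) for f in files if flag_file(f)}
    flagged_jobs = [j for j in jobs if flag_scheduled_job(j)]
    return findings, flagged_jobs


# Constructed sample inventory: two legitimate files, two lookalikes, one benign text file.
SAMPLE_FILES = [
    FileEntry(r"C:\Windows\System32\csrss.exe", frozenset()),
    FileEntry(r"C:\Windows\System32\inetsrv\inetinfo.exe", frozenset()),
    FileEntry(r"C:\Documents and Settings\User\Local Settings\Application Data\csrss.exe",
              frozenset({"hidden", "system", "readonly"})),
    FileEntry(r"C:\Windows\System32\smss.pif", frozenset()),
    FileEntry(r"C:\Temp\notes.txt", frozenset({"hidden", "system", "readonly"})),
]

# Constructed sample job command lines, modelled on the listing in the post.
SAMPLE_JOBS = [
    r'"C:\Documents and Settings\User\Local Settings\Application Data\PLACEHOLDER.exe"',
    r'"C:\Windows\System32\defrag.exe"',
]

if __name__ == "__main__":
    found, jobs = scan(SAMPLE_FILES, SAMPLE_JOBS)
    for path, reasons in found.items():
        print(path)
        for r in reasons:
            print("  -", r)
    for j in jobs:
        print("suspicious job:", j)
```

The script deliberately treats the process name and the directory together: csrss.exe in System32 is normal, while the same name in a user's Application Data folder, or a smss.pif anywhere, is what the post describes. The attribute check is kept separate so a file with all three flags is still reported even when its name is not on the list.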

In addition, the virus generates a few text files on the local hard disk. The file named baca bro !!!.txt, created in the root of the system drive, contains the following text:

Sedikit Jawaban u/ Membungkam Mulut Sesumbar 'MEREKA'.

Nobron = Satria Dungu = Nothing!!!
Romdil = Tukang Jiplak = Nothing!!!

Nobron & Romdil -->> Kicked by The Amazing Brontok.

