Not really hard to identify.
Brontok.A was built with Visual Basic and uses the packer MEW (by NorthFox/HCC).
It copies itself to the user's Application Data directory and to the Windows directory,
under various names like winlogon.exe, inetinfo.exe, smss.exe, csrss.exe, lsass.exe, svchost.exe, etc.
Not only as '.exe': also as .scr, .com, .pif and more extensions, in more directories.
The worm tries to navigate to:
http://www.geocities.com/stabro7ok/BrontokInf8.txt
http://www.geocities.com/stabro7ok/Bron-ID8.txt
and then replaces the content of drivers/etc/hosts with BrontokInf8.txt.
A file called 'about.Brontok.A.html' was created in the 'My Pictures' folder:
my documents... .exe :)
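A small triage helper for the file-system indicators described above (the marker file, and copies that borrow system process names or use non-.exe executable extensions outside System32). This is an added example, not code from this post or from the worm; the listing it scans is a constructed sample, and it assumes the post's ".src" means the screensaver extension .scr.

```python
"""Added triage example for the artifacts described above (not code from the
post's author or from the worm). Input is a constructed list of paths such as
a directory walk of %APPDATA%, C:\\Windows and My Documents would produce."""
from pathlib import PureWindowsPath

# Process names the worm borrows for its copies (listed in the post).
SYSTEM_NAMES = {"winlogon", "inetinfo", "smss", "csrss", "lsass", "svchost"}
# Extensions the copies use; assumption: the post's ".src" means screensaver .scr.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
# Assumption: genuine binaries with these names live only in System32.
LEGIT_DIR = r"c:\windows\system32"
MARKER_FILE = "about.brontok.a.html"


def classify(raw_path: str):
    """Return a reason string if the path looks like a Brontok artifact, else None."""
    p = PureWindowsPath(raw_path)
    stem, ext = p.stem.lower(), p.suffix.lower()
    parent = str(p.parent).lower()
    if p.name.lower() == MARKER_FILE:
        return "marker file about.Brontok.A.html"
    if stem in SYSTEM_NAMES and ext in EXEC_EXTS:
        if ext != ".exe":
            return f"system process name with {ext} extension"
        if parent != LEGIT_DIR:
            return "system process name outside System32"
    return None


def triage(paths):
    """Return [(path, reason)] for every path classify() flags."""
    out = []
    for raw in paths:
        reason = classify(raw)
        if reason:
            out.append((raw, reason))
    return out


# Constructed sample listing: two legitimate entries, four suspicious ones.
SAMPLE = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Documents and Settings\user\My Documents\report.doc",
    r"C:\Windows\winlogon.exe",
    r"C:\Documents and Settings\user\Application Data\smss.exe",
    r"C:\Documents and Settings\user\My Documents\csrss.scr",
    r"C:\Documents and Settings\user\My Documents\My Pictures\about.Brontok.A.html",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{reason:45} {path}")
```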
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6bSi7CQRbWPSVBbCkp_iL5nJ7aBU2M36Lfj8yqtwN9m5J53D9qWDyw01hqo2RNo_ehNjOBU4sETCsRcSfFG5-bsP7QfChYsoB6UkZeXJKtPuOkyi_G7raWnXZHU3IOb-ILsZ-3BAEN6Ya/s400/3.png)
regedit was disabled:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhETP3lpqEtce2SaH8RNbMN19oqD8coW6zF_LDwmi8k3v1v_H_jYYgSP_AFirguvheeenmvwvFDth2Ph_2eOnvUWkpoO_NLXm3iirm-twKCLGreoag2gnMLQf3NzJQFeD6lrvE5JsSkGE1p/s400/4.png)
When you try to open cmd, or when some word (like REGISTRY) is detected in the title of the currently open window, Brontok will reboot your computer.
Brontok launches a ping flood attack on two websites:
playboy.com:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbS-3If6FIxfuuSiklvCtS1OrfpQb-C5XVOQIM1lHE0yFJCD6WddDaLzwpPDk1IRtNZn8V9gTt9l-tVrwXnBirGCQg24rv5Nb_7ZIG65WvOGWnjsrd0NWGf-87SZBRjVDqJ_6kRro9rTak/s400/5.png)
And israel.gov.il:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSqJcaaFOjw47iTqHSsuCiYuqalBNC0aiC0Np_8B8a0QZR4yMMMqMlRTHxk_EJklxxP3O38UP8jgDu-foo4etfwp5Ov1cv4UbWkcyRoNlKCOa884ul96dzbttKJmq8BlNyGisqD5W_mAIb/s400/6.png)
Propagation is done by e-mail.
Brontok searches for e-mail addresses on your PC and, when it finds some, uses its own SMTP engine to send a malicious mail.
This worm was found in 2006 and is currently detected by most anti-virus software.
How my friend got infected... that's a good question.
Final word:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7G8lcDQFk7nf_cep_QqJDOwbhKkjlYRcWHNLxG8UVzcctXWP_zBlkO_f8xSi9uRvTTh_OZIRBYJWWlYUY5JI4bQ9L6O2ld4sLLzdvRLQ6ccabJ3t1X3mbvNXYvAaDs-BCtOyQbQGufbRP/s320/qsp9oj.png)