Submission Summary:

• Submission details:
• Submission received: 11 August 2010, 09:35:55
• Processing time: 11 min 17 sec
• Submitted sample:
• File MD5: 0x926E383C0198264FBDCBB5C26B6D848B
• File SHA-1: 0x5A84B96D369F2C78BDB7B618AB796033632928B9
• Filesize: 42,619 bytes

• Summary of the findings:

What's been found	Severity Level
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Email-Worm.Brontok.Q	Email.Worm.Brontok.Q is an email worm that propagates by sending itself to email contacts harvested from an infected machine. This worm employs several anti-removal tactics that will cause a system reboot when triggered.

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%AppData%\csrss.exe %AppData%\inetinfo.exe %AppData%\lsass.exe %AppData%\services.exe %AppData%\smss.exe %AppData%\winlogon.exe %Programs%\Startup\Empty.pif %Templates%\Brengkolang.com %Windir%\eksplorasi.exe %Windir%\ShellNew\sempalong.exe [file and pathname of the sample #1] %System%\%UserName%'s Setting.scr	42,619 bytes	MD5: 0x926E383C0198264FBDCBB5C26B6D848B SHA-1: 0x5A84B96D369F2C78BDB7B618AB796033632928B9
2	%Windir%\Tasks\At1.job	406 bytes	MD5: 0x9B8533F368FE318D74C4938354448E0E SHA-1: 0xE0285B34FD3410A74AEB7BFD652FD35601D34276

• Notes:
• %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
• %Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
• %Templates% is a variable that refers to the file system directory that serves as a common repository for document templates. A typical path is C:\Documents and Settings\[UserName]\Templates.
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
• %UserName% is a variable that refers to the current user name.

• The following file was modified:
• c:\AUTOEXEC.BAT

• The following directories were created:
• %AppData%\Bron.tok-12-11
• %Windir%\ShellNew

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
winlogon.exe	%AppData%\winlogon.exe	253,952 bytes
services.exe	%AppData%\services.exe	253,952 bytes
lsass.exe	%AppData%\lsass.exe	253,952 bytes
csrss.exe	%AppData%\csrss.exe	253,952 bytes
inetinfo.exe	%AppData%\inetinfo.exe	253,952 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	253,952 bytes

Registry Modifications

• The following Registry Key was created:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Bron-Spizaetus = ""%Windir%\ShellNew\sempalong.exe""

so that sempalong.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
• NoFolderOptions = 0x00000001

to remove the Folder Options item from all Windows Explorer menus and from Control Panel

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
• DisableRegistryTools = 0x00000001
• DisableCMD = 0x00000000

to disable the Windows registry editors (Regedt32.exe and Regedit.exe)

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• Tok-Cirrhatus = ""%AppData%\smss.exe""

so that smss.exe runs every time Windows starts

• The following Registry Value was modified:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• Shell =