Submission Summary:

• Submission details:
• Submission received: 9 September 2009, 14:13:12
• Processing time: 8 min 48 sec
• Submitted sample:
• File MD5: 0xEF44B817DCEB4C3BFD21FD3D08B5D28D
• File SHA-1: 0x5CFE3E6816B989C1DDC1415DD7A257D41A0FBF74
• Filesize: 42,667 bytes
• Alias:
• W32.Rontokbro@mm [Symantec]
• Email-Worm.Win32.Brontok.q [Kaspersky Lab]
• W32/Rontokbro.gen@MM [McAfee]
• WORM_BRONTOK.BA [Trend Micro]
• W32/Brontok-Gen, Mal/Packer, Mal/EncPk-BA [Sophos]
• Worm:Win32/Brontok@mm [Microsoft]
• Email-Worm.Win32.Brontok [Ikarus]
• Win32/Brontok.worm.42667 [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Email-Worm.Brontok!sd5	Email-Worm.Brontok!sd5 is a mass-mailing application that propagates from one system to another by creating a new email message, attaching itself and then sending the message without user's consent.
Email-Worm.Brontok.Q	Email.Worm.Brontok.Q is an email worm that propagates by sending itself to email contacts harvested from an infected machine. This worm employs several anti-removal tactics that will cause a system reboot when triggered.

• Attention! The following threat category was identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\csrss.exe %AppData%\inetinfo.exe %AppData%\lsass.exe %AppData%\services.exe %AppData%\smss.exe %AppData%\winlogon.exe %Programs%\Startup\Empty.pif %Templates%\Brengkolang.com %Windir%\eksplorasi.exe %Windir%\ShellNew\sempalong.exe [file and pathname of the sample #1] %System%\%UserName%'s Setting.scr	42,667 bytes	MD5: 0xEF44B817DCEB4C3BFD21FD3D08B5D28D SHA-1: 0x5CFE3E6816B989C1DDC1415DD7A257D41A0FBF74	W32.Rontokbro@mm [Symantec] Email-Worm.Win32.Brontok.q [Kaspersky Lab] W32/Rontokbro.gen@MM [McAfee] WORM_BRONTOK.BA [Trend Micro] W32/Brontok-Gen, Mal/Packer, Mal/EncPk-BA [Sophos] Worm:Win32/Brontok@mm [Microsoft] Email-Worm.Win32.Brontok [Ikarus] Win32/Brontok.worm.42667 [AhnLab]
2	%Windir%\Tasks\At1.job	406 bytes	MD5: 0x69CC5A90F4B503986B1B8437DA944672 SHA-1: 0x5FA6A8B0739A8483CD6BC300B54CD0A4EBBCDB39	(not available)

• Notes:
• %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
• %Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
• %Templates% is a variable that refers to the file system directory that serves as a common repository for document templates. A typical path is C:\Documents and Settings\[UserName]\Templates.
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
• %UserName% is a variable that refers to the current user name.

• The following file was modified:
• c:\AUTOEXEC.BAT

• The following directories were created:
• %AppData%\Bron.tok-12-9
• %AppData%\Ok-SendMail-Bron-tok
• %Windir%\ShellNew

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
winlogon.exe	%AppData%\winlogon.exe	253,952 bytes
services.exe	%AppData%\services.exe	253,952 bytes
lsass.exe	%AppData%\lsass.exe	253,952 bytes
csrss.exe	%AppData%\csrss.exe	253,952 bytes
inetinfo.exe	%AppData%\inetinfo.exe	253,952 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	253,952 bytes
smss.exe	%AppData%\smss.exe	253,952 bytes

Registry Modifications

• The following Registry Key was created:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Bron-Spizaetus = ""%Windir%\ShellNew\sempalong.exe""

so that sempalong.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
• NoFolderOptions = 0x00000001

to remove the Folder Options item from all Windows Explorer menus and from Control Panel

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
• DisableRegistryTools = 0x00000001
• DisableCMD = 0x00000000

to disable the Windows registry editors (Regedt32.exe and Regedit.exe)

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• Tok-Cirrhatus = ""%AppData%\smss.exe""

so that smss.exe runs every time Windows starts

• The following Registry Value was modified:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• Shell =

Other details

• To mark the presence in the system, the following Mutex objects were created:
• userenv: user policy mutex
• userenv: User Registry policy mutex

• The following Host Name was requested from a host database:
• google.com

• The data identified by the following URLs was then requested from the remote web server:
• http://www.geocities.com/sbllma5/IN12VLMLSDSDW.txt
• http://www.geocities.com/sbllma5/Host12.txt
• http://www.geocities.com/sbllma5/Bron-ID12.txt
• http://www.geocities.com/sbllma5/IN12VLMLHQHP.txt