Submission Summary:

• Submission details:
• Submission received: 28 April 2011, 19:07:21
• Processing time: 8 min 45 sec
• Submitted sample:
• File MD5: 0xCD72FCB67E9D1110051F474416C424EF
• File SHA-1: 0x877F9AE1DDD6643BC3AC53719F3FB86A7DAA1E02
• Filesize: 45,435 bytes
• Alias:
• Email-Worm.Brontok!sd5 [PCTools]
• W32.Rontokbro@mm [Symantec]
• Email-Worm.Win32.Brontok.q [Kaspersky Lab]
• W32/Rontokbro.gen@MM [McAfee]
• WORM_RONTKBR.GEN [Trend Micro]
• W32/Brontok-Gen [Sophos]
• Worm:Win32/Brontok.W@mm [Microsoft]
• Email-Worm.Win32.Brontok [Ikarus]
• Win32/Brontok.worm.49152.G [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat category was identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\br6657on.exe %AppData%\csrss.exe %AppData%\inetinfo.exe %AppData%\lsass.exe %AppData%\services.exe %AppData%\smss.exe %AppData%\svchost.exe %AppData%\winlogon.exe %Programs%\Startup\Empty.pif %Templates%\11496-NendangBro.com %Windir%\KesenjanganSosial.exe %Windir%\ShellNew\RakyatKelaparan.exe %System%\cmd-brontok.exe [file and pathname of the sample #1] %System%\%UserName%'s Setting.scr	45,435 bytes	MD5: 0xCD72FCB67E9D1110051F474416C424EF SHA-1: 0x877F9AE1DDD6643BC3AC53719F3FB86A7DAA1E02	Email-Worm.Brontok!sd5 [PCTools] W32.Rontokbro@mm [Symantec] Email-Worm.Win32.Brontok.q [Kaspersky Lab] W32/Rontokbro.gen@MM [McAfee] WORM_RONTKBR.GEN [Trend Micro] W32/Brontok-Gen [Sophos] Worm:Win32/Brontok.W@mm [Microsoft] Email-Worm.Win32.Brontok [Ikarus] Win32/Brontok.worm.49152.G [AhnLab]
2	%Windir%\Tasks\At1.job	416 bytes	MD5: 0xB4526C9DA4B5233E08CA9116723E18FA SHA-1: 0xAD8D967765293613B2DE76D04EE23122F7CEEE28	(not available)
3	%Windir%\Tasks\At2.job	416 bytes	MD5: 0xD7F6B0DC21C7EBBD58057D0C5683505A SHA-1: 0x692DF7D4922F9D5589E55EF8BAF3A671A16723FF	(not available)

• Notes:
• %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
• %Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
• %Templates% is a variable that refers to the file system directory that serves as a common repository for document templates. A typical path is C:\Documents and Settings\[UserName]\Templates.
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
• %UserName% is a variable that refers to the current user name.

• The following file was modified:
• c:\AUTOEXEC.BAT

• The following directories were created:
• %AppData%\Bron.tok-17-28
• %Windir%\ShellNew

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
winlogon.exe	%AppData%\winlogon.exe	270,336 bytes
services.exe	%AppData%\services.exe	270,336 bytes
lsass.exe	%AppData%\lsass.exe	270,336 bytes
csrss.exe	%AppData%\csrss.exe	270,336 bytes
inetinfo.exe	%AppData%\inetinfo.exe	270,336 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	270,336 bytes

Registry Modifications

• The following Registry Key was created:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Bron-Spizaetus = ""%Windir%\ShellNew\RakyatKelaparan.exe""

so that RakyatKelaparan.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
• NoFolderOptions = 0x00000001

to remove the Folder Options item from all Windows Explorer menus and from Control Panel

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
• DisableRegistryTools = 0x00000001
• DisableCMD = 0x00000000

to disable the Windows registry editors (Regedt32.exe and Regedit.exe)

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• Tok-Cirrhatus-2817 = ""%AppData%\br6657on.exe""
• Tok-Cirrhatus = ""

so that br6657on.exe runs every time Windows starts

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• Shell =
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
• AlternateShell =
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
• AlternateShell =

Other details

• There was registered attempt to establish connection with the remote host. The connection details are:

• The data identified by the following URLs was then requested from the remote web server:
• http://www.geocities.com/stabro7ok/IN17.css
• http://www.geocities.com/stabro7ok/Host17.css