Brontok (computer worm)

The Brontok worm is a computer worm that affects computers running Microsoft Windows. It spreads by sending itself to email addresses harvested from the affected computer. Variants of the Brontok worm include:

* Brontok.A
* Brontok.B
* Brontok.C
* Brontok.D
* Brontok.F
* Brontok.G
* Brontok.H
* Brontok.I
* Brontok.K
* Brontok.Q

Other Names

Other names for this worm include: W32/Rontokbro.gen@MM, W32.Rontokbro@mm, BackDoor.Generic.1138, W32/Korbo-B, Worm/Brontok.a, Win32.Brontok.A@mm, Worm.Mytob.GH, W32/Brontok.C.worm, and Win32/Brontok.E, W32.Rontokbro.D@mm., I-Worm.VB.DV

Description

Brontok Virus came from Indonesia. It arrives as an attachment of e-mail named kangen.exe ("kangen" word itself means "I miss you so much"). When Brontok is first run, it copies itself to the user's application data directory. It then sets itself to start up with Windows, by creating a registry entry in the HKLMSoftwareMicrosoftWindowsCurrentVersionRun registry key. It disables the Windows Registry Editor (regedit.exe)and modifies Windows Explorer settings. It removes the option of "Folder Options" in the Tools menu so that the hidden files, where it is concealed, are not easily accessible to the user. It also turns off Windows firewall. In some variants, when a window is found containing certain strings (such as "application data") in the window title, the computer reboots. User frustration also occurs when an address typed into Windows Explorer is blanked out before completion. Using its own mailing engine, it sends itself to email addresses it finds on the computer, even faking the own user's email address as the sender.The computer also restarts when trying to open DOS window (Command Prompt) in Windows and prevents user from downloading files. It also pop ups the default Web browser and loads a web page (HTML) which is located in the "My Pictures" (or on Windows Vista, "Pictures") folder.

Origin

The virus/email moha66 itself contains a message in Indonesian (and some broken English). When translated, this reads:

[By: H [REMOVED] Community] -- stop the collapse in this country -- 1. Try the Hoodlums, the Smugglers, the Bribers, the gamblers, & drugs Port (Send to "Nusakambangan") -- 2.no Free Sex, Abortion, & Prostitution (Go To HELL) 3.Stop (sea and river pollution), forest burning, & wild hunting. 4.SAY NO TO DRUGS!!! - THE END IS NEAR - Inspired by: (Spizaetus Cirrhatus) that is almost extinct [By: H [REMOVED] unity --

It also contains a JavaScript pop-up.

The worm also carried out a ping flood attack on two websites: israel.gov.il and playboy.com. This virus may be an example of Hacktivism.

External links

* [http://www.microsoft.com/security/malwareremove/families.mspx Microsoft Malicious Software Removal Tool]