| Most of this page uses content from Wikipedia. The original article was at Brontok. The page may have contained some inaccurate or outdated information, so please edit it so it contains better information.|
The list of authors can be seen in the page history. As with Malware Wiki, the text of Wikipedia is available under the Creative Common Attribution-ShareAlike 3.0 License.
Remove this template when most of the Wikipedia content has been removed or the Wikipedia information is outnumbered by non-Wikipedia information.
Other names for this worm include: W32/Rontokbro.gen@MM, W32.Rontokbro@mm, BackDoor.Generic.1138, W32/Korbo-B, Worm/Brontok.a, Win32.Brontok.A@mm, Worm.Mytob.GH, W32/Brontok.C.worm, Win32/Brontok.E, and W32.Rontokbro.D@mm.
Brontok originated in Indonesia. The name refers to elang brontok, a bird species native to South & Southeast Asia. It arrives as an attachment of e-mail named kangen.exe (kangen itself means "miss someone/thing").
The virus/email itself contains a message in Indonesian (and some English). When translated, this reads:
[By: HVM31 JowoBot #VM Community] -- stop the collapse in this country -- 1. Try the Hoodlums, the Smugglers, the Bribers, the gamblers, & drugs Port (Send to "Nusakambangan") -- 2.Stop Free Sex, Abortion, & Prostitution (Go To HELL) 3.Stop (sea and river pollution), forest burning, & wild hunting. 4.SAY NO TO DRUGS!!! - THE END IS NEAR - 5. Do you think you're smart? Inspired by: (Spizaetus Cirrhatus) that is almost extinct [By: HVM31 JowoBot #VM Communityunity --
The worm also carried out a ping flood attack on two websites: israel.gov.il and playboy.com. This virus may be an example of Hacktivism. Brontok inspired the creation of a more persistent trojan / worm such as Daprosy Worm which attacked internet cafes on July 2009.
When Brontok is first run, it copies itself to the user's application data directory. It then sets itself to start up with Windows, by creating a registry entry in the
HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key. It disables the Windows Registry Editor (regedit.exe) and modifies Windows Explorer settings. It removes the option of "Folder Options" in the Tools menu so that the hidden files, where it is concealed, are not easily accessible to the user. It also turns off Windows firewall. In some variants, when a window is found containing certain strings (such as "application data") in the window title, the computer reboots. User frustration also occurs when an address typed into Windows Explorer is blanked out before completion. Using its own mailing engine, it sends itself to email addresses it finds on the computer, even faking the own user's email address as the sender.
The computer also restarts when trying to open the Command Prompt in Windows and prevents the user from downloading files. It also pop ups the default Web browser and loads a web page (HTML) which is located in the "My Pictures" (or on Windows Vista, "Pictures") folder. It creates .exe files in folders usually named as the folder itself (..\documents\documents.exe) this also includes all mapped network drives.
Brontok can be removed by the latest updated antivirus software although there are various standalone tools available by antivirus providers.
- ↑ "Worm:Win32/Brontok.AR@mm". Microsoft. http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32%2FBrontok.AR%40mm. Retrieved on 14 February 2013.
- ↑ "Win32.Brontok.A@mm". Bitdefender. http://www.bitdefender.co.uk/VIRUS-157247-uk--Win32-Brontok-Amm.html. Retrieved on 14 February 2013.
- ↑ "Win32/Brontok". Microsoft. http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fBrontok. Retrieved on 14 February 2013.