Technology and Virus Information

This the list of known Brontok Virus, for basic information, all the behavior is the same, they spread thru email or diskette or USB Drive.

The action is same, they create a file under the directory with the same name as the directory it self, changed the icon so it same as folder icon -make user think that it was a folder-, create a file under windows directory, and also under user document and setting directory, change windows origin logon, service and other. for more information look below.

Aliases :
Email-Worm.Win32.Brontok.a (Kaspersky Lab) is also known as: W32/Rontokbro.gen@MM (McAfee), W32.Rontokbro@mm (Symantec), BackDoor.Generic.1138 (Doctor Web), W32/Korbo-B (Sophos), Worm/Brontok.a (H+BEDV), Win32.Brontok.A@mm (SOFTWIN), Worm.Mytob.GH (ClamAV), W32/Brontok.C.worm (Panda), Win32/Brontok.E (Eset)

Risk Level 2: Low

Threat Assesment
Wild

Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy

Damage :

Damage Level: Medium
Payload: Lowers security settings.
Large Scale E-mailing: Sends an email to addresses gathered from the compromised computer.

Distribution :

Distribution Level: High
Subject of Email: Varies
Name of Attachment: Photo.zip, Kangen.exe

Behavior :
Email Worm

Series :
Email-Worm.Win32.Brontok.a
Detection added : Oct 12 2005 13:16 GMT

Email-Worm.Win32.Brontok.b
Detection added : Oct 12 2005 15:43 GMT

Email-Worm.Win32.Brontok.c
Detection added : Oct 16 2005 10:03 GMT

Email-Worm.Win32.Brontok.d
Detection added : Jan 21 2006

Email-Worm.Win32.Brontok.e
Detection added : Feb 17 2006 07:56 GMT

Email-Worm.Win32.Brontok.f
Detection added : Feb 20 2006 08:35 GMT

Email-Worm.Win32.Brontok.g
Detection added : Mar 03 2006 20:03 GMT

Email-Worm.Win32.Brontok.h
Detection added : Mar 07 2006 01:56 GMT

Email-Worm.Win32.Brontok.i
Detection added : Mar 08 2006 03:28 GMT

Email-Worm.Win32.Brontok.K
Detection added : Mar 13 2006 03:20 GMT

Email-Worm.Win32.Brontok.l
Detection added : Mar 17 2006 10:40 GMT

Email-Worm.Win32.Brontok.m
Detection added : Mar 20 2006 03:43 GMT

Email-Worm.Win32.Brontok.n
Detection added : Mar 21 2006 06:07 GMT

Email-Worm.Win32.Brontok.o
Detection added : Mar 21 2006 07:33 GMT

Email-Worm.Win32.Brontok.p
Detection added : Apr 06 2006 01:19 GMT

Email-Worm.Win32.Brontok.q
Detection added : May 15 2006 15:08 GMT

Email-Worm.Win32.Brontok.r
Detection added : Jun 12 2006 10:08 GMT

Email-Worm.Win32.Brontok.s
Detection added : Jun 24 2006 07:58 GMT

Technical details :

This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file approximately 41KB to 250KB in size.

Action :

When W32.Rontokbro.AN@mm is installed, it performs the following actions:

1. Copies itself as the following files:

%Windir%\j[RANDOM].exe
%Windir%\o[RANDOM].exe
%Windir%\_default[RANDOM].pif
%System%\c_[RANDOM]k.com
%UserProfile%\Local Settings\Application Data\jalak-93[RANDOM]15-bali.com

Note:

%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

%UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

2. Renames %System%\msvbvm60.dll to %System%\msvbvm60.dll.[RANDOM].

3. Creates the following file as a marker of infection:

C:\Baca Bro !!!.txt

4. Creates the following folders:

%System%\s87[RANDOM]
%Windir%\ad[RANDOM]
%UserProfile%\Local Settings\Application Data\dv6[RANDOM]0x

5. Copies itself into the above folders as one or more of the following files:

c.bron.tok.txt
getdomlist.txt
csrss.exe
lsass.exe
services.exe
smss.exe
winlogon.exe
m[RANDOM].exe
zh59[RANDOM].exe
yesbron.com
qm[RANDOM].exe

6. Creates the following folders:

%System%\s87[RANDOM]\Spread.Sent.Bro
%System%\s87[RANDOM]\Spread.Mail.Bro

7. Hides all the files and folders that it creates.

8. Adds the value:

"AlternateShell" = "c_[RANDOM]k.com"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

so that it runs every time Windows starts.

9. Adds the value:

"[RANDOM]" = ""%Windir%\j[RANDOM].exe""

to the registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

10. Adds the value:

"[RANDOM]" = ""%Windir%\_default[RANDOM].pif""

to the registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies
\Explorer\Run

so that it runs every time Windows starts.

11. Adds the value:

"[RANDOM]" = ""%System%\s[RANDOM]\zh59[RANDOM].exe""

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

12. Adds the value:

"[RANDOM]" = ""%UserProfile%\LocalSettings\Application Data\dv[RANDOM]0x\yesbron.com""

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies
\Explorer\Run

so that it runs every time Windows starts.

13. Modifies the values:

"Userinit" = "%System%\userinit.exe,%Windir%\j[RANDOM].exe"
"Shell" = "Explorer.exe "%Windir%\o[RANDOM].exe""

in the registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

so that it is executed every time Windows runs.

14. Creates the following registry subkey:

HKEY_CURRENT_USER\Software\Brontok

15. Modifies the values:

"Hidden" = "0"
"HideFileExt" = "1"
"ShowSuperHidden" = "0"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

to hide its presence on the compromised computer.

16. Modifies the value:

"DisableRegistryTools" = "1"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

to disable the registry editor.

17. Adds the following scheduled tasks:

%Windir%Tasks\At1.job
%Windir%Tasks\At2.job

to execute the following file at 11:03 and 17:08 every day:

%UserProfile%\Local Settings\Application Data\dv[RANDOM]0x\yesbron.com

18. Adds the following text to the hosts file to block access to certain Web sites:

127.0.0.22 mcafee.com
127.0.0.22 [http://]www.mcafee.com/
127.0.0.22 mcafee.net
127.0.0.22 [http://]www.mcafee.net/
127.0.0.22 mcafee.org
127.0.0.22 [http://]www.mcafee.org/
127.0.0.22 mcafeesecurity.com
127.0.0.22 [http://]www.mcafeesecurity.com/
127.0.0.22 mcafeesecurity.net
127.0.0.22 [http://]www.mcafeesecurity.net/
127.0.0.22 mcafeesecurity.org
127.0.0.22 [http://]www.mcafeesecurity.org/
127.0.0.22 mcafeeb2b.com
127.0.0.22 [http://]www.mcafeeb2b.com/
127.0.0.22 mcafeeb2b.net
127.0.0.22 [http://]www.mcafeeb2b.net/
127.0.0.22 mcafeeb2b.org
127.0.0.22 [http://]www.mcafeeb2b.org/
127.0.0.22 nai.com
127.0.0.22 [http://]www.nai.com/
127.0.0.22 nai.net
127.0.0.22 [http://]www.nai.net/
127.0.0.22 nai.org
127.0.0.22 [http://]www.nai.org/
127.0.0.22 vil.nai.com
127.0.0.22 [http://]www.vil.nai.com/
127.0.0.22 vil.nai.net
127.0.0.22 [http://]www.vil.nai.net/
127.0.0.22 vil.nai.org
127.0.0.22 [http://]www.vil.nai.org/
127.0.0.22 grisoft.com
127.0.0.22 [http://]www.grisoft.com/
127.0.0.22 grisoft.net
127.0.0.22 [http://]www.grisoft.net/
127.0.0.22 grisoft.org
127.0.0.22 [http://]www.grisoft.org/
127.0.0.22 kaspersky-labs.com
127.0.0.22 [http://]www.kaspersky-labs.com/
127.0.0.22 kaspersky-labs.net
127.0.0.22 [http://]www.kaspersky-labs.net/
127.0.0.22 kaspersky-labs.org
127.0.0.22 [http://]www.kaspersky-labs.org/
127.0.0.22 kaspersky.com
127.0.0.22 [http://]www.kaspersky.com/
127.0.0.22 kaspersky.net
127.0.0.22 [http://]www.kaspersky.net/
127.0.0.22 kaspersky.org
127.0.0.22 [http://]www.kaspersky.org/
127.0.0.22 downloads1.kaspersky-labs.com
127.0.0.22 [http://]www.downloads1.kaspersky-labs.com/
127.0.0.22 downloads1.kaspersky-labs.net
127.0.0.22 [http://]www.downloads1.kaspersky-labs.net/
127.0.0.22 downloads1.kaspersky-labs.org
127.0.0.22 [http://]www.downloads1.kaspersky-labs.org/
127.0.0.22 downloads2.kaspersky-labs.com
127.0.0.22 [http://]www.downloads2.kaspersky-labs.com/
127.0.0.22 downloads2.kaspersky-labs.net
127.0.0.22 [http://]www.downloads2.kaspersky-labs.net/
127.0.0.22 downloads2.kaspersky-labs.org
127.0.0.22 [http://]www.downloads2.kaspersky-labs.org/
127.0.0.22 downloads3.kaspersky-labs.com
127.0.0.22 [http://]www.downloads3.kaspersky-labs.com/
127.0.0.22 downloads3.kaspersky-labs.net
127.0.0.22 [http://]www.downloads3.kaspersky-labs.net/
127.0.0.22 downloads3.kaspersky-labs.org
127.0.0.22 [http://]www.downloads3.kaspersky-labs.org/
127.0.0.22 downloads4.kaspersky-labs.com
127.0.0.22 [http://]www.downloads4.kaspersky-labs.com/
127.0.0.22 downloads4.kaspersky-labs.net
127.0.0.22 [http://]www.downloads4.kaspersky-labs.net/
127.0.0.22 downloads4.kaspersky-labs.org
127.0.0.22 [http://]www.downloads4.kaspersky-labs.org/
127.0.0.22 download.mcafee.com
127.0.0.22 [http://]www.download.mcafee.com/
127.0.0.22 download.mcafee.net
127.0.0.22 [http://]www.download.mcafee.net/
127.0.0.22 download.mcafee.org
127.0.0.22 [http://]www.download.mcafee.org/
127.0.0.22 norton.com
127.0.0.22 [http://]www.norton.com/
127.0.0.22 norton.net
127.0.0.22 [http://]www.norton.net/
127.0.0.22 norton.org
127.0.0.22 [http://]www.norton.org/
127.0.0.22 symantec.com
127.0.0.22 [http://]www.symantec.com/
127.0.0.22 symantec.net
127.0.0.22 [http://]www.symantec.net/
127.0.0.22 symantec.org
127.0.0.22 [http://]www.symantec.org/
127.0.0.22 liveupdate.symantecliveupdate.com
127.0.0.22 [http://]www.liveupdate.symantecliveupdate.com/
127.0.0.22 liveupdate.symantecliveupdate.net
127.0.0.22 [http://]www.liveupdate.symantecliveupdate.net/
127.0.0.22 liveupdate.symantecliveupdate.org
127.0.0.22 [http://]www.liveupdate.symantecliveupdate.org/
127.0.0.22 liveupdate.symantec.com
127.0.0.22 [http://]www.liveupdate.symantec.com/
127.0.0.22 liveupdate.symantec.net
127.0.0.22 [http://]www.liveupdate.symantec.net/
127.0.0.22 liveupdate.symantec.org
127.0.0.22 [http://]www.liveupdate.symantec.org/
127.0.0.22 update.symantec.com
127.0.0.22 [http://]www.update.symantec.com/
127.0.0.22 update.symantec.net
127.0.0.22 [http://]www.update.symantec.net/
127.0.0.22 update.symantec.org
127.0.0.22 [http://]www.update.symantec.org/
127.0.0.22 securityresponse.symantec.com
127.0.0.22 [http://]www.securityresponse.symantec.com/
127.0.0.22 securityresponse.symantec.net
127.0.0.22 [http://]www.securityresponse.symantec.net/
127.0.0.22 securityresponse.symantec.org
127.0.0.22 [http://]www.securityresponse.symantec.org/
127.0.0.22 sarc.com
127.0.0.22 [http://]www.sarc.com/
127.0.0.22 sarc.net
127.0.0.22 [http://]www.sarc.net/
127.0.0.22 sarc.org
127.0.0.22 [http://]www.sarc.org/
127.0.0.22 vaksin.com
127.0.0.22 [http://]www.vaksin.com/
127.0.0.22 vaksin.net
127.0.0.22 [http://]www.vaksin.net/
127.0.0.22 vaksin.org
127.0.0.22 [http://]www.vaksin.org/
127.0.0.22 forum.vaksin.com
127.0.0.22 [http://]www.forum.vaksin.com/
127.0.0.22 forum.vaksin.net
127.0.0.22 [http://]www.forum.vaksin.net/
127.0.0.22 forum.vaksin.org
127.0.0.22 [http://]www.forum.vaksin.org/
127.0.0.22 norman.com
127.0.0.22 [http://]www.norman.com/
127.0.0.22 norman.net
127.0.0.22 [http://]www.norman.net/
127.0.0.22 norman.org
127.0.0.22 [http://]www.norman.org/
127.0.0.22 trendmicro.com
127.0.0.22 [http://]www.trendmicro.com/
127.0.0.22 trendmicro.net
127.0.0.22 [http://]www.trendmicro.net/
127.0.0.22 trendmicro.org
127.0.0.22 [http://]www.trendmicro.org/
127.0.0.22 trendmicro-europe.com
127.0.0.22 [http://]www.trendmicro-europe.com/
127.0.0.22 trendmicro-europe.net
127.0.0.22 [http://]www.trendmicro-europe.net/
127.0.0.22 trendmicro-europe.org
127.0.0.22 [http://]www.trendmicro-europe.org/
127.0.0.22 ae.trendmicro-europe.com
127.0.0.22 [http://]www.ae.trendmicro-europe.com/
127.0.0.22 ae.trendmicro-europe.net
127.0.0.22 [http://]www.ae.trendmicro-europe.net/
127.0.0.22 ae.trendmicro-europe.org
127.0.0.22 [http://]www.ae.trendmicro-europe.org/
127.0.0.22 it.trendmicro-europe.com
127.0.0.22 [http://]www.it.trendmicro-europe.com/
127.0.0.22 it.trendmicro-europe.net
127.0.0.22 [http://]www.it.trendmicro-europe.net/
127.0.0.22 it.trendmicro-europe.org
127.0.0.22 [http://]www.it.trendmicro-europe.org/
127.0.0.22 secunia.com
127.0.0.22 [http://]www.secunia.com/
127.0.0.22 secunia.net
127.0.0.22 [http://]www.secunia.net/
127.0.0.22 secunia.org
127.0.0.22 [http://]www.secunia.org/
127.0.0.22 winantivirus.com
127.0.0.22 [http://]www.winantivirus.com/
127.0.0.22 winantivirus.net
127.0.0.22 [http://]www.winantivirus.net/
127.0.0.22 winantivirus.org
127.0.0.22 [http://]www.winantivirus.org/
127.0.0.22 pandasoftware.com
127.0.0.22 [http://]www.pandasoftware.com/
127.0.0.22 pandasoftware.net
127.0.0.22 [http://]www.pandasoftware.net/
127.0.0.22 pandasoftware.org
127.0.0.22 [http://]www.pandasoftware.org/
127.0.0.22 esafe.com
127.0.0.22 [http://]www.esafe.com/
127.0.0.22 esafe.net
127.0.0.22 [http://]www.esafe.net/
127.0.0.22 esafe.org
127.0.0.22 [http://]www.esafe.org/
127.0.0.22 f-secure.com
127.0.0.22 [http://]www.f-secure.com/
127.0.0.22 f-secure.net
127.0.0.22 [http://]www.f-secure.net/
127.0.0.22 f-secure.org
127.0.0.22 [http://]www.f-secure.org/
127.0.0.22 europe.f-secure.com
127.0.0.22 [http://]www.europe.f-secure.com/
127.0.0.22 europe.f-secure.net
127.0.0.22 [http://]www.europe.f-secure.net/
127.0.0.22 europe.f-secure.org
127.0.0.22 [http://]www.europe.f-secure.org/
127.0.0.22 bhs.com
127.0.0.22 [http://]www.bhs.com/
127.0.0.22 bhs.net
127.0.0.22 [http://]www.bhs.net/
127.0.0.22 bhs.org
127.0.0.22 [http://]www.bhs.org/
127.0.0.22 datafellows.com
127.0.0.22 [http://]www.datafellows.com/
127.0.0.22 datafellows.net
127.0.0.22 [http://]www.datafellows.net/
127.0.0.22 datafellows.org
127.0.0.22 [http://]www.datafellows.org/
127.0.0.22 cheyenne.com
127.0.0.22 [http://]www.cheyenne.com/
127.0.0.22 cheyenne.net
127.0.0.22 [http://]www.cheyenne.net/
127.0.0.22 cheyenne.org
127.0.0.22 [http://]www.cheyenne.org/
127.0.0.22 ontrack.com
127.0.0.22 [http://]www.ontrack.com/
127.0.0.22 ontrack.net
127.0.0.22 [http://]www.ontrack.net/
127.0.0.22 ontrack.org
127.0.0.22 [http://]www.ontrack.org/
127.0.0.22 sands.com
127.0.0.22 [http://]www.sands.com/
127.0.0.22 sands.net
127.0.0.22 [http://]www.sands.net/
127.0.0.22 sands.org
127.0.0.22 [http://]www.sands.org/
127.0.0.22 sophos.com
127.0.0.22 [http://]www.sophos.com/
127.0.0.22 sophos.net
127.0.0.22 [http://]www.sophos.net/
127.0.0.22 sophos.org
127.0.0.22 [http://]www.sophos.org/
127.0.0.22 icubed.com
127.0.0.22 [http://]www.icubed.com/
127.0.0.22 icubed.net
127.0.0.22 [http://]www.icubed.net/
127.0.0.22 icubed.org
127.0.0.22 [http://]www.icubed.org/
127.0.0.22 perantivirus.com
127.0.0.22 [http://]www.perantivirus.com/
127.0.0.22 perantivirus.net
127.0.0.22 [http://]www.perantivirus.net/
127.0.0.22 perantivirus.org
127.0.0.22 [http://]www.perantivirus.org/
127.0.0.22 castlecops.com
127.0.0.22 [http://]www.castlecops.com/
127.0.0.22 castlecops.net
127.0.0.22 [http://]www.castlecops.net/
127.0.0.22 castlecops.org
127.0.0.22 [http://]www.castlecops.org/
127.0.0.22 virustotal.com
127.0.0.22 [http://]www.virustotal.com/
127.0.0.22 virustotal.net
127.0.0.22 [http://]www.virustotal.net/
127.0.0.22 virustotal.org
127.0.0.22 [http://]www.virustotal.org/
127.0.0.22 free-av.com
127.0.0.22 [http://]www.free-av.com/
127.0.0.22 free-av.net
127.0.0.22 [http://]www.free-av.net/
127.0.0.22 free-av.org
127.0.0.22 [http://]www.free-av.org/
127.0.0.22 antivirus.com
127.0.0.22 [http://]www.antivirus.com/
127.0.0.22 antivirus.net
127.0.0.22 [http://]www.antivirus.net/
127.0.0.22 antivirus.org
127.0.0.22 [http://]www.antivirus.org/
127.0.0.22 anti-virus.com
127.0.0.22 [http://]www.anti-virus.com/
127.0.0.22 anti-virus.net
127.0.0.22 [http://]www.anti-virus.net/
127.0.0.22 anti-virus.org
127.0.0.22 [http://]www.anti-virus.org/
127.0.0.22 ca.com
127.0.0.22 [http://]www.ca.com/
127.0.0.22 ca.net
127.0.0.22 [http://]www.ca.net/
127.0.0.22 ca.org
127.0.0.22 [http://]www.ca.org/
127.0.0.22 fajarweb.com
127.0.0.22 [http://]www.fajarweb.com/
127.0.0.22 fajarweb.net
127.0.0.22 [http://]www.fajarweb.net/
127.0.0.22 fajarweb.org
127.0.0.22 [http://]www.fajarweb.org/
127.0.0.22 jasakom.com
127.0.0.22 [http://]www.jasakom.com/
127.0.0.22 jasakom.net
127.0.0.22 [http://]www.jasakom.net/
127.0.0.22 jasakom.org
127.0.0.22 [http://]www.jasakom.org/
127.0.0.22 backup.grisoft.com
127.0.0.22 [http://]www.backup.grisoft.com/
127.0.0.22 backup.grisoft.net
127.0.0.22 [http://]www.backup.grisoft.net/
127.0.0.22 backup.grisoft.org
127.0.0.22 [http://]www.backup.grisoft.org/
127.0.0.22 infokomputer.com
127.0.0.22 [http://]www.infokomputer.com/
127.0.0.22 infokomputer.net
127.0.0.22 [http://]www.infokomputer.net/
127.0.0.22 infokomputer.org
127.0.0.22 [http://]www.infokomputer.org/
127.0.0.22 playboy.com
127.0.0.22 [http://]www.playboy.com/
127.0.0.22 playboy.net
127.0.0.22 [http://]www.playboy.net/
127.0.0.22 playboy.org
127.0.0.22 [http://]www.playboy.org/
127.0.0.22 sex-mission.com
127.0.0.22 [http://]www.sex-mission.com/
127.0.0.22 sex-mission.net
127.0.0.22 [http://]www.sex-mission.net/
127.0.0.22 sex-mission.org
127.0.0.22 [http://]www.sex-mission.org/
127.0.0.22 pornstargals.com
127.0.0.22 [http://]www.pornstargals.com/
127.0.0.22 pornstargals.net
127.0.0.22 [http://]www.pornstargals.net/
127.0.0.22 pornstargals.org
127.0.0.22 [http://]www.pornstargals.org/
127.0.0.22 kaskus.com
127.0.0.22 [http://]www.kaskus.com/
127.0.0.22 kaskus.net
127.0.0.22 [http://]www.kaskus.net/
127.0.0.22 kaskus.org
127.0.0.22 [http://]www.kaskus.org/
127.0.0.22 17tahun.com
127.0.0.22 [http://]www.17tahun.com/
127.0.0.22 17tahun.net
127.0.0.22 [http://]www.17tahun.net/
127.0.0.22 17tahun.org
127.0.0.22 [http://]www.17tahun.org/
127.0.0.22 padinet.com
127.0.0.22 [http://]www.padinet.com/
127.0.0.22 padinet.net
127.0.0.22 [http://]www.padinet.net/
127.0.0.22 padinet.org
127.0.0.22 [http://]www.padinet.org/
127.0.0.22 jeruk.padinet.com
127.0.0.22 [http://]www.jeruk.padinet.com/
127.0.0.22 jeruk.padinet.net
127.0.0.22 [http://]www.jeruk.padinet.net/
127.0.0.22 jeruk.padinet.org
127.0.0.22 [http://]www.jeruk.padinet.org/
127.0.0.22 compactbyte.com
127.0.0.22 [http://]www.compactbyte.com/
127.0.0.22 compactbyte.net
127.0.0.22 [http://]www.compactbyte.net/
127.0.0.22 compactbyte.org
127.0.0.22 [http://]www.compactbyte.org/
127.0.0.22 blog.compactbyte.com
127.0.0.22 [http://]www.blog.compactbyte.com/
127.0.0.22 blog.compactbyte.net
127.0.0.22 [http://]www.blog.compactbyte.net/
127.0.0.22 blog.compactbyte.org
127.0.0.22 [http://]www.blog.compactbyte.org/
127.0.0.22 blogs.compactbyte.com
127.0.0.22 [http://]www.blogs.compactbyte.com/
127.0.0.22 blogs.compactbyte.net
127.0.0.22 [http://]www.blogs.compactbyte.net/
127.0.0.22 blogs.compactbyte.org
127.0.0.22 [http://]www.blogs.compactbyte.org/

19. Attempts to end processes that have the following names:

* ahnlab
* aladdin
* Alicia
* Anti
* ash
* ashmaisv
* aswupdsv
* avast
* avg
* bitdef
* ccapps
* cclaw
* cillin
* ctfmon
* Dian
* diary
* foto
* hijack
* iexplorer
* kangen
* kill
* lexplorer
* machine
* Mariana
* mcaf
* mcv
* movzx
* mspatch
* nipsvc
* njeeves
* nod32
* nopdb
* nvcoas
* opscan
* panda
* peid
* poproxy
* remove
* riyani
* services.com
* siti
* sstray
* sysinter
* syslove
* systray
* trend
* tskmgr
* untukmu
* update
* virus
* vptray
* washer
* wscript
* xpshare
* zlh

20. Attempts to end applications that have the following window titles:

* task manager
* baca bro !!!
* registry
* command prompt
* system configuration
* group policy
* cmd.exe
* computer management
* scheduled task
* killbox
* hijack
* SYSINTERNAL
* PROCESS EXP
* REMOVER
* CLEANER
* anti
* washer
* ertanto
* BROWNIES
* movzx
* killer
* pcmedia
* pc-media
* rontok
* rontox
* robknot
* commander
* windows script
* norman
* norton
* symantec
* cillin
* trendmicro
* bitdef
* kaspersky
* avg
* avira
* virus
* trojan
* worm
* mcafee
* b.e
* folder option
* wintask
* alwil
* sex
* porn
* naked
* cewe
* bugil
* telanjang
* nod32
* task view
* peid
* ahnlab

21. Deletes the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysRia
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
\Policies\Explorer\run\brl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ccapp
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ccapp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysDiaz
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MsPatch
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Adie Strio X
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Adie Strio X
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Adie Suka Kamu
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SysYuni
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\local service
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dkernel
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DllHost
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LoadServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
\Sys_Romantic-Devil.R
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
\NoFolderOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lExplorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SysRia
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\iExplorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dkernel.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CCAPPS
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\local service
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\iExplorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LoadService
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SymRun
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LoadServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OSA
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SymRun
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Pluto
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dkernel.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
\Tok-Cirrhatus-3444
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
\Bron-Spizaetus-3813PXEM
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DllHost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
\Tok-Cirrhatus-3444Admc
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Security
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
\Sys_Romantic-Devil.R
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
\LoadService
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
\Explorer\run\Tok-Cirrhatus-3444Admc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MsPatch
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
\Explorer\run\Bron-Spizaetus-3813PXEM
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysYuni
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CCAPPS
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Security
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Pluto
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dkernel
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SysDiaz
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Adie Suka Kamu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OSA
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\lExplorer

22. Gathers email addresses from files with the following extensions on all local drives from C to Y:

* .BAT
* .PIF
* .COM
* .SCR
* .EXE
* .PPT
* .XLS
* .DOC
* .CFM
* .PHP
* .ASP
* .WAB
* .EML
* .CSV
* .HTML
* .HTM
* .TXT

The worm does not send itself to email addresses that contain any of the following strings in the domain name:

* BILLING@
* INFO@
* CONTOH
* EXAMPLE
* SMTP
* XXX
* TEST
* NETWORK
* SOURCE
* PROGRAM
* WWW
* ASDF
* SOME
* YOUR
* BLAH
* SPAM
* SOFT
* PANDA
* NORMAN
* NORTON
* ASSOCIATE
* SYMANTEC
* SECURITY
* CILLIN
* GRISOFT
* AVG
* LINUX
* CRACK
* HACK
* VIRUS
* MICROSOFT
* MASTER
* SUPPORT
* SECURE
* UPDATE
* DEVELOP
* VAKSIN
* SATU
* EMAILKU
* BOLEH
* GAUL
* ASTAGA
* .WEB.ID
* .AC.ID
* .OR.ID
* .NET.ID
* .SCH.ID
* .MIL.ID
* .GO.ID
* .CO.ID
* INDO
* TELKOM
* PLASA

23. Appends the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:

* ns1.
* mail.
* smtp.

24. Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From:
Spoofed

Subject:
One of the following:

* My Best Photo
* Fotoku yg Paling Cantik

Message:
One of the following:

* Hi,
I want to share my photo with you.
Wishing you all the best.
Regards,
* Hi,
Aku lg iseng aja pengen kirim foto ke kamu.
Jangan lupain aku ya !.
Thanks,

Attachment:
Photo.zip
or
Kangen.exe