
reg add hkcu\software\microsoft\windows\currentversion\policies\system /v disableregistrytools /t reg_dword /d 0 /f

gpedit.msc
user configuration | administrative templates | system


hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon
"userinit"="userinit.exe,autorun.bat"

hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced
"showsuperhidden"=dword:00000000

hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon
"userinit"="userinit.exe"

hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced
"showsuperhidden"=dword:00000001

In Windows Server editions, watch for these branches:

hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\superhidden
"valuename"="showsuperhidden"

hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\superhidden\policy\dontshowsuperhidden
@=""

hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer
"showsuperhidden"=dword:00000001

hkey_users\s-1-5-21-1718174493-3167834097-4179402766-1003\software\microsoft\windows\currentversion\explorer\advanced
"showsuperhidden"=dword:00000001

hkey_current_user\software\microsoft\windows\currentversion\explorer\mountpoints2\{41a44c3f-ccb0-11db-a16f-00112f178ee0}\shell\open\command
hkey_current_user\software\microsoft\windows\currentversion\explorer\mountpoints2\{39f78d75-f271-11db-835a-00112f178ee0}\shell\open\command

*************************************************
Worm/Brontok.A
It copies itself to the following locations:
• %windir%\shellnew\rakyatkelaparan.exe
• %sysdir%\cmd-brontok.exe
• %sysdir%\%current username%'s setting.scr
• %windir%\kesenjangansosial.exe
• %home%\local settings\application data\smss.exe
• %home%\local settings\application data\br%four-digit random character string%on.exe
• %home%\local settings\application data\services.exe
• %home%\local settings\application data\inetinfo.exe
• %home%\local settings\application data\csrss.exe
• %home%\local settings\application data\lsass.exe
• %home%\local settings\application data\idtemplate.exe
• %home%\templates\%five-digit random character string%-nendangbro.com
• %sysdir%\drivers\etc\hosts-denied by-%current username%.com

It deletes the following file:

• %sysdir%\drivers\etc\hosts-denied by-%current username%.com

The following files are created:

• %home%\local settings\application data\loc.mail.bron.tok\%collected email addresses%.ini
  This is a non-malicious text file with the following content:
  brontok.a
  by: hvm31
  -- jowobot vm community --

• %windir%\tasks\at1.job
  This file is a scheduled task that runs the malware at predefined times.

The following registry keys are added in order to run the process after reboot:

• hklm\software\microsoft\windows\currentversion\run
  "bron-spizaetus" = ""%windir%\shellnew\rakyatkelaparan.exe""

• hkcu\software\microsoft\windows\currentversion\run
  "tok-cirrhatus" = ""
  "tok-cirrhatus-%four-digit random character string%" = ""%home%\local settings\application data\bron%four-digit random character string%on.exe""

The following registry key is added:

• hklm\system\currentcontrolset\control\safeboot
  "alternateshell" = "cmd-brontok.exe"

The following registry keys are changed:

Disable regedit and task manager:

• hkcu\software\microsoft\windows\currentversion\policies\system
  Old value:
  "disablecmd" = %user defined settings%
  "disableregistrytools" = %user defined settings%
  New value:
  "disablecmd" = dword:00000000
  "disableregistrytools" = dword:00000000

Various explorer settings:

• hkcu\software\microsoft\windows\currentversion\policies\explorer
  Old value:
  "nofolderoptions" = %user defined settings%
  New value:
  "nofolderoptions" = dword:00000001

Various explorer settings:

• hkcu\software\microsoft\windows\currentversion\explorer\advanced
  Old value:
  "showsuperhidden" = %user defined settings%
  "hidefileext" = %user defined settings%
  "hidden" = %user defined settings%
  New value:
  "showsuperhidden" = dword:00000000
  "hidefileext" = dword:00000001
  "hidden" = dword:00000000

***********************************************************
Worm/Brontok.W.A
It copies itself to the following locations:
• %windir%\kr0n1c.exe
• c:\kr0n1c.exe
• %sysdir%\shell.exe
• %sysdir%\mrhelloween.scr
• %sysdir%\iexplorer.exe
• %allusersprofile%\start menu\programs\startup\empty.pif
• %home%\local settings\application data\windows\winlogon.exe
• %home%\local settings\application data\windows\csrss.exe
• %home%\local settings\application data\windows\services.exe
• %home%\local settings\application data\windows\lsass.exe
• %home%\local settings\application data\windows\smss.exe
• c:\kr0n1c\new folder.exe
• c:\data %current username%.exe
• c:\data localservice.exe
• %current directory%\%current directory name%.exe

It creates the following directory:

• c:\kr0n1c

The following files are created:

• c:\puisi.txt
  This is a non-malicious text file with the following content:
  kr0n1c
  tertatihku meratap perih
  *******motherfuckin indonesian**********
  saat ini dan sampai alam yang abadi
  cyber.nu

• %windir%\msvbvm60.dll
• %sysdir%\msvbvm60.dll
• c:\kr0n1c\folder.htt
• c:\desktop.ini

The following registry keys are added in order to run the processes after reboot:

• [hkcu\software\microsoft\windows\currentversion\run]
  "kr0n1c"="%windir%\kr0n1c.exe"
  "service%current username%"="%home%\local settings\application data\windows\services.exe"
  "msmsgs"="%home%\local settings\application data\windows\winlogon.exe"

• [hklm\software\microsoft\windows\currentversion\run]
  "logon%current username%"="%home%\local settings\application data\windows\csrss.exe"
  "system monitoring"="%home%\local settings\application data\windows\lsass.exe"
  "logonlocalservice"="%home%\local settings\application data\windows\csrss.exe"

The following registry keys are changed:

• [hklm\system\currentcontrolset\control\safeboot]
  Old value:
  "alternateshell"="cmd.exe"
  New value:
  "alternateshell"="%windir%\kr0n1c.exe"

• [hkcr\comfile\shell\open\command]
  Old value:
  @="%1" %*
  New value:
  @="%sysdir%\shell.exe" "%1" %*"

• [hkcr\batfile\shell\open\command]
  Old value:
  @="%1" %*
  New value:
  @="%sysdir%\shell.exe" "%1" %*"

• [hkcr\piffile\shell\open\command]
  Old value:
  @="%1" %*
  New value:
  @="%sysdir%\shell.exe" "%1" %*"

• [hkcr\lnkfile\shell\open\command]
  Old value:
  @="%1" %*
  New value:
  @="%sysdir%\shell.exe" "%1" %*"

• [hkcr\exefile\shell\open\command]
  Old value:
  @="%1" %*
  New value:
  @="%sysdir%\shell.exe" "%1" %*"

• [hkcr\exefile]
  Old value:
  @="application"
  New value:
  @="file folder"
Various explorer settings:

• [hkcu\software\microsoft\windows\currentversion\explorer\advanced]
  Old value:
  "hidden"=%user defined settings%
  "hidefileext"=%user defined settings%
  "showsuperhidden"=%user defined settings%
  New value:
  "hidden"=dword:00000000
  "hidefileext"=dword:00000001
  "showsuperhidden"=dword:00000000

• [hkcu\control panel\desktop]
  Old value:
  "scrnsave.exe"=%user defined settings%
  "screensaverissecure"=%user defined settings%
  New value:
  "scrnsave.exe"="%sysdir%\mrhell~1.scr"
  "screensaverissecure"="0"

• [hklm\software\microsoft\windows nt\currentversion\winlogon]
  Old value:
  "shell"="explorer.exe"
  "userinit"="%sysdir%\userinit.exe"
  New value:
  "shell"="explorer.exe "%sysdir%\iexplorer.exe""
  "userinit"="%sysdir%\userinit.exe,%sysdir%\iexplorer.exe"

Various explorer settings:

• [hkcu\software\microsoft\windows\currentversion\policies\explorer]
  Old value:
  "nofolderoptions"=%user defined settings%
  New value:
  "nofolderoptions"=dword:00000001

• [hklm\software\microsoft\windows nt\currentversion\aedebug]
  Old value:
  "auto"="1"
  "debugger"="drwtsn32 -p %ld -e %ld -g"
  New value:
  "auto"="1"
  "debugger"="%sysdir%\shell.exe"

Disable regedit and task manager:

• [hkcu\software\microsoft\windows\currentversion\policies\system]
  Old value:
  "disablecmd"=%user defined settings%
  "disabletaskmgr"=%user defined settings%
  "disableregistrytools"=%user defined settings%
  New value:
  "disablecmd"=dword:00000001
  "disabletaskmgr"=dword:00000001
  "disableregistrytools"=dword:00000001

• [hklm\software\policies\microsoft\windows nt\systemrestore]
  Old value:
  "disableconfig"=%user defined settings%
  "disablesr"=%user defined settings%
  New value:
  "disableconfig"=dword:00000001
  "disablesr"=dword:00000001

• [hklm\software\policies\microsoft\windows\installer]
  New value:
  "limitsystemrestorecheckpointing"=dword:00000001
  "disablemsi"=dword:00000001

• [hkcu\software\microsoft\windows\currentversion\explorer\cabinetstate]
  New value:
  "fullpath"=dword:00000001
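As an added defender's check, not part of these notes or of any vendor's tooling: a PowerShell audit that reads the Winlogon, SafeBoot, AeDebug, policy and file-association values the two descriptions above tamper with, plus the Run keys, and reports deviations. The function names and the expected stock values are this example's assumptions for a Windows XP-era host.

```powershell
# Added example, not part of the original notes: audits the registry values the Brontok
# descriptions above tamper with. Expected values are this example's assumptions for a
# stock Windows XP-era host (the platform the notes describe); adjust for the host checked.
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}
function Test-BrontokTampering {
    $findings = @()
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # Userinit is a comma-separated list; anything beyond userinit.exe itself
    # (autorun.bat or iexplorer.exe in the notes above) is a finding.
    $extra = ([string](Get-RegValue $wl 'Userinit') -split ',') | ForEach-Object { $_.Trim() } |
             Where-Object { $_ -and ($_ -notmatch '^(.*\\)?userinit\.exe$') }
    if ($extra) { $findings += "Winlogon\Userinit has extra entries: $($extra -join ', ')" }
    # Exact-value checks: key path, value name, expected value. A missing policy
    # value counts as 0 (policy not set); anything else must match exactly.
    $checks = @(
        @($wl, 'Shell', 'explorer.exe'),
        @('HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot', 'AlternateShell', 'cmd.exe'),
        @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug', 'Debugger', 'drwtsn32 -p %ld -e %ld -g'),
        @('HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore', 'DisableSR', 0),
        @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableRegistryTools', 0),
        @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableTaskMgr', 0),
        @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableCMD', 0),
        @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'NoFolderOptions', 0),
        @('Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command', '(default)', '"%1" %*')
    )
    foreach ($c in $checks) {
        $actual = Get-RegValue $c[0] $c[1]
        if ($null -eq $actual -and $c[2] -eq 0) { continue }
        if ("$actual" -ne "$($c[2])") { $findings += "$($c[0])\$($c[1]) = '$actual' (expected '$($c[2])')" }
    }
    # Run entries launched from the per-user Local Settings\Application Data folder,
    # where both worms above drop their copies, are reported as suspicious.
    foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path -LiteralPath $run)) { continue }
        (Get-ItemProperty -LiteralPath $run).PSObject.Properties |
            Where-Object { "$($_.Value)" -match '\\local settings\\application data\\' } |
            ForEach-Object { $findings += "Run entry '$($_.Name)' -> $($_.Value)" }
    }
    return $findings
}
$result = Test-BrontokTampering
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'No Brontok-style tampering found.' }
```

Run it from an elevated prompt so the HKLM branches are readable, and read any finding against the old/new value pairs above before reverting a value, since some policy values may have been set intentionally by an administrator.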