W32/Brontok.BG Worm

 Virus Information - W32/Brontok.BG Worm:

W32/Brontok.BG is a mass mailing worm. The worm will infect Windows systems and spreads through email.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected mail will be any one of the following;

Foto Liburanku di Bali
My Photo on Paris

The body of the infected mail will be any one of the following;

Halo Sobat,
Ini fotoku saat liburan di Bali.
Semoga kamu jadi ingat aku terus.
Terima kasih,

Hi,
This photo was taken from my vacation on Paris, last week.
Wishing you always remember me.

Regards,

The name of the infected attachment will be Picture.zip.

Upon execution of the infected attachment, the worm copies itself as;

dv(random number)\yesbron.com
jalak(random number).com
in the (User Account)\Local Settings\Application Data folder.

_default(random numbers).pif
j(random numbers).exe
o(random number).exe
sa(random number)\ib(random number).exe
in the Windows folder.

n(random numbers)\b(random numbers).exe
n(random numbers)\csrss.exe
n(random numbers)\lsass.exe
n(random numbers)\services.exe
n(random numbers)\smss.exe
n(random numbers)\sv(random numbers).exe
n(random numbers)\winlogon.exe
c(random numbers).com
in the Windows System folder.

The worm modifies registry at the following location to load itself during each startup.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

To propagate itself, the worm collects all the available email addresses from the infected system and mails itself to these addresses using its own SMTP engine.

It also tries to terminate some of the security related processes.