Effects

Brontok.KN carries out the following actions:

- It infects the files with an EXE extension it finds in the affected computer. The infected files have the icon of a folder and the name of an existing folder.
- It adds a copy of itself to the files with a ZIP extension on the affected computer. This way, if the user decompresses a ZIP file and runs the malicious file, the computer will get infected.
- It deletes the files belonging to several antivirus programs, leaving the computer vulnerable to other malware.
- It ends the processes whose window title contains any of the following text strings:

- CMD.EXE
- COMMAND PROMPT
- CONFIRM FILE DELETE
- CONFIRM MULTIPLE FILE DELETE
- DISPLAY PROPERTIES
- EASYRECOVERY
- EXESCOPE
- HEX WORKSHOP
- HIJACKTHIS
- IDA
- INTERNET OPTIONS
- KILLBOX
- NORMAN
- NVC
- PC MEDIA
- PEID
- POCKET KILLBOX
- POWERQUEST
- PROCESS
- REGISTRY EDITOR
- RESOURCE HACKER
- SETUP
- SHOW/KILL RUNNING PROCESS
- SUPERDAT
- SYSTEM MECHANIC
- SYSTEM RESTORE
- SYSTUNER
- TASK MANAGER
- taskkill.exe /f /im explorer.exe
- TUNEUP
- URSOFT
- W32DASM
- WINDOWS TASK MANAGER
- XREFS
- ZONEALARM

These processes are related to security programs and to applications such as the Task Manager or the command shell, among others.
Infection strategy

Brontok.KN creates the file ASSHOLEFUCKING.EXE and 5 other random files in the following directories:

- In a folder it creates itself in any Windows subdirectory. There it also creates the files BITCHKICKASS.OCX and FUCKINGBITCH.OCX.
- In the root directory of the C: drive.
- In the Windows directory.
Examples of the random file names it creates are:

- GUHEL.EXE
- BUHAX.EXE
- YIXUC.EXE
- YITUB.EXE
- XESID.EXE

Additionally, it creates the file .EXE in the root directory of the C: drive.

Brontok.KN modifies the HOSTS file, leaving it empty.

Brontok.KN infects the files with an EXE extension it finds on the computer using the technique called prepending, which consists of inserting its own code at the beginning of the file it infects. This ensures that the virus runs every time the infected file is executed, without interfering with the normal functioning of that file. Before infecting the files, it saves a copy of each original file in the Windows temporary directory, with the same name as the original file and a NITRO.A extension.

Brontok.KN creates the following entries in the Windows Registry:

- HKEY_LOCAL_MACHINE\SOFTWARE\Nitro.A
  BitchHoletoFuck = guhel.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Nitro.A
  ChatApplication = buhax.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Nitro.A
  FuckMeBitch = yixuc.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Nitro.A
  MainApplication = yitub.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Nitro.A
  PolitikusBusuk = xesid.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Nitro.A
  PlaceOfApplication = C:\WINDOWS
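As an added example (not part of this entry or of any vendor's disinfection tool), the carving step a cleaner would apply to a prepended file: it assumes the prepended body is exactly the 143,365 bytes this entry gives as the virus's size (an assumption; the true stub length must be confirmed on a real sample), checks that what follows is an MZ/PE image, and compares the result with the NITRO.A backup the virus leaves in the temp directory. The sample data is constructed.

```python
import hashlib
from typing import Optional, Tuple

# Assumption (not stated by the entry): the prepended virus body is exactly the
# 143,365 bytes the entry gives as Brontok.KN's size, so the host starts there.
STUB_LEN = 143_365


def carve_host(infected: bytes, stub_len: int = STUB_LEN) -> Optional[bytes]:
    """Return the original program that follows the prepended stub, or None
    when the remainder does not look like a PE image (wrong stub length,
    file not actually infected, or truncated)."""
    if len(infected) <= stub_len + 0x40:
        return None
    host = infected[stub_len:]
    if host[:2] != b"MZ":
        return None
    e_lfanew = int.from_bytes(host[0x3C:0x40], "little")  # offset of "PE\0\0"
    if e_lfanew + 4 > len(host) or host[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return host


def matches_backup(host: bytes, backup: bytes) -> bool:
    """The virus keeps the original under a NITRO.A extension in the Windows
    temp directory; when that backup exists, use it to confirm the carved
    copy before writing anything back to disk."""
    return hashlib.sha256(host).digest() == hashlib.sha256(backup).digest()


def build_sample(stub_len: int = STUB_LEN) -> Tuple[bytes, bytes]:
    """Constructed test data: a minimal MZ/PE-shaped host behind a junk stub
    (the stub is filler, not virus code). Returns (infected, original)."""
    host = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little")  # e_lfanew = 0x40
    host += b"PE\0\0" + b"\x4c\x01" + b"\0" * 18                 # machine = i386
    stub = bytes((i * 7) % 256 for i in range(stub_len))
    return stub + host, host


if __name__ == "__main__":
    infected, original = build_sample()
    carved = carve_host(infected)
    print("carved ok:", carved == original,
          "backup match:", carved is not None and matches_backup(carved, original))
```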
Means of transmission

Brontok.KN infects files with an EXE extension. These reach computers when previously infected files are distributed, entering through any of the usual channels: floppy disks, email messages with attachments, Internet downloads, files transferred via FTP, IRC channels, P2P file sharing networks, etc.

Further Details

Brontok.KN is 143,365 bytes in size.