Effects
Brontok.KN carries out the following actions:
- It infects the files with an EXE extension it finds on the affected computer. The infected files carry the icon of a folder and the name of an existing folder.
- It adds a copy of itself to the files with a ZIP extension on the affected computer. This way, if the user decompresses a ZIP file and runs the malicious file, the computer is infected.
- It deletes the files belonging to several antivirus programs, leaving the computer vulnerable to other malware.
- It ends the processes whose window title contains any of the following text strings:
CMD.EXE
COMMAND PROMPT
CONFIRM FILE DELETE
CONFIRM MULTIPLE FILE DELETE
DISPLAY PROPERTIES
EASYRECOVERY
EXESCOPE
HEX WORKSHOP
HIJACKTHIS
IDA
INTERNET OPTIONS
KILLBOX
NORMAN
NVC
PC MEDIA
PEID
POCKET KILLBOX
POWERQUEST
PROCESS
REGISTRY EDITOR
RESOURCE HACKER
SETUP
SHOW/KILL RUNNING PROCESS
SUPERDAT
SYSTEM MECHANIC
SYSTEM RESTORE
SYSTUNER
TASK MANAGER
taskkill.exe /f /im explorer.exe
TUNEUP
URSOFT W32DASM
WINDOWS TASK MANAGER
XREFS
ZONEALARM
These processes are related to security programs and applications like the Task manager or the command shell, among others.
Infection strategy
Brontok.KN creates the file ASSHOLEFUCKING.EXE and 5 other randomly named files in the following locations:
- in a folder it creates itself inside any Windows subdirectory. There it also creates the files BITCHKICKASS.OCX and FUCKINGBITCH.OCX.
- in the root directory of the C: drive.
- in the Windows directory.
Examples of the randomly named files it creates:
- GUHEL.EXE
- BUHAX.EXE
- YIXUC.EXE
- YITUB.EXE
- XESID.EXE
Additionally, it creates the file .EXE in the root directory of the C: drive.
Brontok.KN overwrites the HOSTS file, leaving it empty.
On the other hand, Brontok.KN infects the files with an EXE extension it finds on the computer using the technique called prepending, which consists of inserting its code at the beginning of the file it infects. This ensures that the virus runs every time the infected file is executed, without interfering with the normal operation of the file.
Additionally, before infecting the files, it creates a copy of each original file in the Windows temporary directory, with the same name as the original file and a NITRO.A extension.
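The two facts above (a fixed-length body prepended to the host, and a byte-identical backup of the host left in the temp directory) are exactly what an incident responder needs to detect and undo a prepending infector. The following is an added example written for this page, not code from the original advisory or from any vendor tool. It assumes that the prepended body has one fixed length (the 143,365-byte sample size reported below is used as a constructed default), that the temp backup is byte-identical to the original host, and that the backup is named either NAME.NITRO.A or NAME.EXE.NITRO.A; the page does not state any of these, so they are assumptions, and the sample bytes are constructed.

```python
# Added example, not from the original advisory or from any vendor tool.
# Detection-and-recovery helper for a prepending file infector of the kind
# described above. Assumptions (not stated on the page):
#   - the prepended virus body has one fixed length; VIRUS_LEN uses the
#     143,365-byte sample size the page reports, purely as a constructed default
#   - the backup the virus leaves in the temp directory is byte-identical to the
#     original host, and is named <NAME>.NITRO.A or <NAME>.EXE.NITRO.A
import tempfile
from pathlib import Path
from typing import Optional

VIRUS_LEN = 143_365  # assumption: prepended body length == reported sample size


def is_prepended_infection(data: bytes, virus_len: int = VIRUS_LEN) -> bool:
    """A prepended host shows a second MZ header exactly virus_len bytes in.

    Cheap heuristic only: packed or self-extracting binaries can also carry a
    nested MZ header, so treat a hit as a lead to confirm, not as proof.
    """
    if len(data) < virus_len + 2:
        return False
    return data[:2] == b"MZ" and data[virus_len:virus_len + 2] == b"MZ"


def strip_prepended_body(data: bytes, virus_len: int = VIRUS_LEN) -> bytes:
    """Recover the host by discarding the prepended body (no backup needed)."""
    if not is_prepended_infection(data, virus_len):
        raise ValueError("not a prepended infection with that body length")
    return data[virus_len:]


def recover_from_backup(infected: bytes, backup: bytes) -> Optional[bytes]:
    """Cross-check the temp backup against the infected file before trusting it.

    With prepending, the original must appear verbatim as the tail of the
    infected file; if it does not, the backup is stale or unrelated.
    """
    if not backup or len(infected) <= len(backup):
        return None
    if infected[-len(backup):] != backup:
        return None
    return backup


def find_backup(infected_path: Path, temp_dir: Path) -> Optional[Path]:
    """Look for the backup copy under the two naming forms assumed above."""
    for name in (infected_path.stem + ".NITRO.A", infected_path.name + ".NITRO.A"):
        candidate = temp_dir / name
        if candidate.is_file():
            return candidate
    return None


def disinfect_file(infected_path: Path, temp_dir: Path, virus_len: int = VIRUS_LEN) -> str:
    """Restore one EXE in place; returns the method used, or 'clean' if untouched."""
    data = infected_path.read_bytes()
    if not is_prepended_infection(data, virus_len):
        return "clean"
    backup_path = find_backup(infected_path, temp_dir)
    if backup_path is not None:
        recovered = recover_from_backup(data, backup_path.read_bytes())
        if recovered is not None:
            infected_path.write_bytes(recovered)  # preferred: exact original bytes
            return "restored-from-backup"
    infected_path.write_bytes(strip_prepended_body(data, virus_len))
    return "stripped-prepended-body"


def build_sample(virus_len: int = 64) -> tuple:
    """Constructed sample data: (infected file, original host) for a toy body length."""
    host = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(range(256)) * 4
    virus_body = b"MZ" + b"V" * (virus_len - 2)
    return virus_body + host, host


def run_demo(virus_len: int = 64) -> tuple:
    """Round trip on constructed data in a temp dir: with a backup, then without."""
    infected, host = build_sample(virus_len)
    with tempfile.TemporaryDirectory() as tmp:
        tmp_dir = Path(tmp)
        exe = tmp_dir / "CALC.EXE"
        exe.write_bytes(infected)
        (tmp_dir / "CALC.NITRO.A").write_bytes(host)
        with_backup = disinfect_file(exe, tmp_dir, virus_len)
        exe.write_bytes(infected)          # re-infect, then drop the backup
        (tmp_dir / "CALC.NITRO.A").unlink()
        without_backup = disinfect_file(exe, tmp_dir, virus_len)
        return with_backup, without_backup, exe.read_bytes() == host


if __name__ == "__main__":
    print(run_demo())  # ('restored-from-backup', 'stripped-prepended-body', True)
```

The backup path is preferred because it restores the exact original bytes; stripping by a fixed offset is the fallback for hosts whose backup was never written or was lost, and it inherits whatever uncertainty there is about the body length.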
Brontok.KN creates the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Nitro.A
  BitchHoletoFuck = guhel.exe
  ChatApplication = buhax.exe
  FuckMeBitch = yixuc.exe
  MainApplication = yitub.exe
  PolitikusBusuk = xesid.exe
  PlaceOfApplication = C:\WINDOWS
Means of transmission
Brontok.KN infects files with an EXE extension. Infected files reach computers when they are distributed through any of the usual channels: floppy disks, email messages with attachments, Internet downloads, files transferred via FTP, IRC channels, P2P file sharing networks, etc.
Further Details
Brontok.KN is 143,365 bytes in size.