[email protected]

Aliases: W32/Brontok-AJ, W32/Brontok-AZ,
Variants: Email-Worm:W32/Brontok.N

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 22 Apr 2006
Damage: Low

Characteristics: The [email protected] is a mass mailing worm that lessens the computer's security settings.

More details about [email protected]

When the [email protected] threat is launched, it duplicates itself as the files “%Windir%\j[RANDOM].exe”, “%Windir%\o[RANDOM].exe”, “%Windir%\_default[RANDOM].pif”, “%System%\c_[RANDOM]k.com”, and “%UserProfile%\Local Settings\Application Data\jalak-93[RANDOM]15-bali.com”. The worm then changes the name “%System%\msvbvm60.dll” to “%System%\msvbvm60.dll.[RANDOM]”. After that, the worm makes the file “C:\Baca Bro!!!.txt” as a marker of infection. Then, the worm creates the folders “%System%\s87[RANDOM]”, “%Windir%\ad[RANDOM]”, and “%UserProfile%\Local Settings\Application Data\dv6[RANDOM]0x”. The worm then duplicates itself into the folders above as one or more of the following files: “c.bron.tok.txt”, “getdomlist.txt”, “csrss.exe”, “lsass.exe”, “services.exe”, and “smss.exe”.

The [email protected] program may also gather email addresses stored on computer’s hard disk. The program will automatically send itself through email by directly connecting to the recipient's Simple Mail Transfer Protocol (SMTP) server. An unsuspecting user typically installs the [email protected] program by unintentionally opening an email attachment or message containing executable scripts. The program replicates itself on the user's system until the time that it does take up all the available memory on the computer. This may cause the system to slow down. It may even cause the system to crash. The [email protected] worm also consumes the hard disk’s available space and this will restrict the user from saving or creating new files.