disableregistrytools /t reg_dword /d 0 /f
gpedit.msc
user configuration | administrative templates | system
hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon
"userinit"="userinit.exe,autorun.bat"
hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced
"showsuperhidden"=dword:00000000
hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon
"userinit"="userinit.exe"
hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced
"showsuperhidden"=dword:00000001
hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\superhidden
"valuename"="showsuperhidden"
hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\superhidden\policy\dontshowsuperhidden
@=""
hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer
"showsuperhidden"=dword:00000001
hkey_users\s-1-5-21-1718174493-3167834097-4179402766-1003\software\microsoft\windows\currentversion\explorer\advanced
"showsuperhidden"=dword:00000001
hkey_current_user\software\microsoft\windows\currentversion\explorer\mountpoints2\{41a44c3f-ccb0-11db-a16f-00112f178ee0}\shell\open\command
hkey_current_user\software\microsoft\windows\currentversion\explorer\mountpoints2\{39f78d75-f271-11db-835a-00112f178ee0}\shell\open\command
*************************************************
worm/brontok.a
it copies itself to the following locations:
• %windir%\shellnew\rakyatkelaparan.exe
• %sysdir%\cmd-brontok.exe
• %sysdir%\%current username%'s setting.scr
• %windir%\kesenjangansosial.exe
• %home%\local settings\application data\smss.exe
• %home%\local settings\application data\br%four-digit random character string%on.exe
• %home%\local settings\application data\services.exe
• %home%\local settings\application data\inetinfo.exe
• %home%\local settings\application data\csrss.exe
• %home%\local settings\application data\lsass.exe
• %home%\local settings\application data\idtemplate.exe
• %home%\templates\%five-digit random character string%-nendangbro.com
• %sysdir%\drivers\etc\hosts-denied by-%current username%.com
the following registry key is added in order to run the process after reboot:
• hklm\software\microsoft\windows\currentversion\run
  "bron-spizaetus" = ""%windir%\shellnew\rakyatkelaparan.exe""
• hkcu\software\microsoft\windows\currentversion\run
  "tok-cirrhatus" = ""
  "tok-cirrhatus-%four-digit random character string%" = ""%home%\local settings\application data\bron%four-digit random character string%on.exe""
• hklm\system\currentcontrolset\control\safeboot
  "alternateshell" = "cmd-brontok.exe"
***********************************************************
worm/brontok.w.a
it copies itself to the following locations:
• %windir%\kr0n1c.exe
• c:\kr0n1c.exe
• %sysdir%\shell.exe
• %sysdir%\mrhelloween.scr
• %sysdir%\iexplorer.exe
• %allusersprofile%\start menu\programs\startup\empty.pif
• %home%\local settings\application data\windows\winlogon.exe
• %home%\local settings\application data\windows\csrss.exe
• %home%\local settings\application data\windows\services.exe
• %home%\local settings\application data\windows\lsass.exe
• %home%\local settings\application data\windows\smss.exe
• c:\kr0n1c\new folder.exe
• c:\data %current username%.exe
• c:\data localservice.exe
• %current directory%\%current directory name%.exe
• c:\puisi.txt (a non-malicious text file with the following content:)
  kr0n1c
  cyber.nu
• %windir%\msvbvm60.dll
• %sysdir%\msvbvm60.dll
• c:\kr0n1c\folder.htt
• c:\desktop.ini
the following registry keys are added in order to run the processes after reboot:
• [hkcu\software\microsoft\windows\currentversion\run]
  "kr0n1c"="%windir%\kr0n1c.exe"
  "service%current username%"="%home%\local settings\application data\windows\services.exe"
  "msmsgs"="%home%\local settings\application data\windows\winlogon.exe"
• [hklm\software\microsoft\windows\currentversion\run]
  "logon%current username%"="%home%\local settings\application data\windows\csrss.exe"
  "system monitoring"="%home%\local settings\application data\windows\lsass.exe"
  "logonlocalservice"="%home%\local settings\application data\windows\csrss.exe"
• [hklm\system\currentcontrolset\control\safeboot]
  old value:
  "alternateshell"="cmd.exe"
  new value:
  "alternateshell"="%windir%\kr0n1c.exe"
• [hkcr\comfile\shell\open\command]
  old value:
  @="%1" %*
  new value:
  @="%sysdir%\shell.exe" "%1" %*"
• [hkcr\batfile\shell\open\command]
  old value:
  @="%1" %*
  new value:
  @="%sysdir%\shell.exe" "%1" %*"
• [hkcr\piffile\shell\open\command]
  old value:
  @="%1" %*
  new value:
  @="%sysdir%\shell.exe" "%1" %*"
• [hkcr\lnkfile\shell\open\command]
  old value:
  @="%1" %*
  new value:
  @="%sysdir%\shell.exe" "%1" %*"
• [hkcr\exefile\shell\open\command]
  old value:
  @="%1" %*
  new value:
  @="%sysdir%\shell.exe" "%1" %*"
• [hkcr\exefile]
  old value:
  @="application"
  new value:
  @="file folder"
various explorer settings:
• [hkcu\software\microsoft\windows\currentversion\explorer\advanced]
  old value:
  "hidden"=%user defined settings%
  "hidefileext"=%user defined settings%
  "showsuperhidden"=%user defined settings%
  new value:
  "hidden"=dword:00000000
  "hidefileext"=dword:00000001
  "showsuperhidden"=dword:00000000
• [hkcu\control panel\desktop]
  old value:
  "scrnsave.exe"=%user defined settings%
  "screensaverissecure"=%user defined settings%
  new value:
  "scrnsave.exe"="%sysdir%\mrhell~1.scr"
  "screensaverissecure"="0"
• [hklm\software\microsoft\windows nt\currentversion\winlogon]
  old value:
  "shell"="explorer.exe"
  "userinit"="%sysdir%\userinit.exe"
  new value:
  "shell"="explorer.exe "%sysdir%\iexplorer.exe""
  "userinit"="%sysdir%\userinit.exe,%sysdir%\iexplorer.exe"
• [hklm\software\microsoft\windows nt\currentversion\aedebug]
  old value:
  "auto"="1"
  "debugger"="drwtsn32 -p %ld -e %ld -g"
  new value:
  "auto"="1"
  "debugger"="%sysdir%\shell.exe"
• [hklm\software\policies\microsoft\windows nt\systemrestore]
  old value:
  "disableconfig"=%user defined settings%
  "disablesr"=%user defined settings%
  new value:
  "disableconfig"=dword:00000001
  "disablesr"=dword:00000001
• [hklm\software\policies\microsoft\windows\installer]
  new value:
  "limitsystemrestorecheckpointing"=dword:00000001
  "disablemsi"=dword:00000001
• [hkcu\software\microsoft\windows\currentversion\explorer\cabinetstate]
  new value:
  "fullpath"=dword:00000001
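The registry locations listed for both Brontok variants are all persistence or hijack points a defender can audit directly. The PowerShell script below is an added example, not code from the original description: it reads those keys and reports any value that no longer matches the stock Windows setting quoted above as "old value", plus Run entries that launch from the per-user Local Settings\Application Data folder where the copies are dropped. It assumes an elevated prompt and the regex tolerances noted in its comments; it modifies nothing.

```powershell
# Added example (not from the original description): read-only audit of the
# registry keys the Brontok entries list. Expected values are the "old value"
# defaults quoted above; the Userinit regex is an assumption that tolerates the
# trailing comma Windows writes by default. AeDebug is flagged for review on
# systems whose registered debugger is not Dr. Watson. Run elevated.
$checks = @(
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot';             Name = 'AlternateShell'; Ok = '^cmd\.exe$' }
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';          Ok = '^explorer\.exe$' }
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit';       Ok = '^([^,]*\\)?userinit\.exe,?$' }
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug';  Name = 'Debugger';       Ok = '^drwtsn32 ' }
)
# File-type handlers the worm redirects through shell.exe; the default is "%1" %*
foreach ($type in 'exefile', 'comfile', 'batfile', 'piffile', 'lnkfile') {
  $checks += @{ Path = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"; Name = '(default)'; Ok = '^"%1" %\*$' }
}
# Restriction policies the worm sets to 1; normally absent on an unmanaged workstation
$policies = @(
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';      Name = 'DisableSR' }
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';      Name = 'DisableConfig' }
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';             Name = 'DisableMSI' }
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';             Name = 'LimitSystemRestoreCheckpointing' }
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' }
)
function Get-RegValue([string]$Path, [string]$Name) {
  # Returns $null when the key or the value is absent, so absence is never a finding
  if (-not (Test-Path -LiteralPath $Path)) { return $null }
  $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
  if ($null -eq $item) { return $null }
  return $item.$Name
}
$findings = @()
foreach ($c in $checks) {
  $v = Get-RegValue $c.Path $c.Name
  if ($null -ne $v -and "$v" -notmatch $c.Ok) { $findings += "$($c.Path) [$($c.Name)] = '$v'" }
}
foreach ($p in $policies) {
  if ((Get-RegValue $p.Path $p.Name) -eq 1) { $findings += "$($p.Path) [$($p.Name)] = 1 (restriction enabled)" }
}
# Run entries pointing into the per-user Local Settings\Application Data folder
# (AppData\Local on newer Windows); legitimate software can live there too, so review
foreach ($hive in 'HKLM:', 'HKCU:') {
  $runKey = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  if (-not (Test-Path -LiteralPath $runKey)) { continue }
  $props = (Get-ItemProperty -LiteralPath $runKey).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
  foreach ($p in $props) {
    if ("$($p.Value)" -match 'Local Settings\\Application Data|AppData\\Local\\') { $findings += "$runKey [$($p.Name)] = '$($p.Value)'" }
  }
}
if ($findings) { $findings | ForEach-Object { Write-Output "REVIEW: $_" } }
else { Write-Output 'No Brontok-style registry changes found.' }
```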