Worm/Win32.Brontok.gen undetected by Avast

This is a very nasty worm. After bootup it displays a message. (Screenshot)

The file is detected on VirusTotal but not here in my VM: https://www.virustotal.com/de/file/6ad08f344e5825e864fa39dd307b8543bf836b38c39a25d38636129d4e2523e3/analysis/

After restart I got a message from the MS-DOS 16-bit Subsystem. (Screenshot 2)

Regedit and Task Manager get killed immediately after opening.

Malwr: https://malwr.com/analysis/MzkwMjMwMjZmZjYyNDNlZWJjOTczYmQ2MmEwNTRiM2I/

Here's a screenshot of the MS-DOS error message.

Hi Steven Winderlich,

The file detection is one month old; maybe the malcode is now dead, has been closed down or is no longer available.

polonus

Could be so.

I got this from today's virussign samples.

Here is a fresh scan: https://www.virustotal.com/de/file/6ad08f344e5825e864fa39dd307b8543bf836b38c39a25d38636129d4e2523e3/analysis/1386628830/

First submission was 4 months ago.

I don't have .NET or anything installed; maybe that's why it crashes. It's just a blank Windows 7.

Hi Steven Winderlich,

Yep, you are right, analyzed here for all of us at: https://malwr.com/analysis/MzkwMjMwMjZmZjYyNDNlZWJjOTczYmQ2MmEwNTRiM2I/
Complicated UPX detection, because of

{u'size_of_data': u'0x00000000', u'virtual_address': u'0x00001000', u'entropy': 0.0, u'name': u'UPX0', u'virtual_size': u'0x00023000'}
UPX detections always come FP-prone.
Checking the section names of the executable (UPX changes them to UPX0, UPX1, UPX2) is an unreliable method, because
The sections of some (packed/encrypted) images are renamed to "standard"/"traditional" section names. The names of the sections are never "interpreted" by the Loader. The names of the sections are sometimes even missing (aka removed by some tools).
Quote credits go to Stackoverflow's mox, and the second quote credits go to Stackoverflow's Willi Ballenthin →
Running additional packers or obfuscators may further modify the section names; however, by default, the UPX packer will change the section names described above.
* So a valid detection always hangs in the balance, so to say [* note by me, pol]

But more likely to be malicious, because of:

installs itself for Autorun at Windows startup
Last quote from the Malwr analysis results.

polonus
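To make the point of the two quotes concrete, here is an added example (my own code, not part of the thread and not Malwr's code) that parses a PE section table and runs two checks side by side: the name-based UPX0/UPX1 test the thread calls unreliable, and a name-independent test that looks for the packer layout itself, an empty section reserving address space followed by a high-entropy section carrying the compressed data. The UPX0 section of the first constructed image reuses the values Malwr reported above (size_of_data 0, virtual_address 0x1000, virtual_size 0x23000, entropy 0.0); the UPX1 section, the renamed variant and the plain image are assumptions.

```python
"""Parse a PE section table and compare a name-based UPX check with a
layout/entropy check.

Added example, not code from the thread or from Malwr. The packed images
below are constructed: UPX0 copies the values Malwr reported in the thread;
the UPX1 section, the renamed variant and the plain image are assumptions.
"""
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HEADER = struct.Struct('<8sIIIIIIHHI')
COFF_HEADER = struct.Struct('<HHIIIHH')          # 20 bytes, follows "PE\0\0"


def shannon_entropy(data):
    """Bits per byte; 0.0 for an empty buffer (what Malwr shows for UPX0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image):
    """Return one dict per section, in section-table order."""
    if image[:2] != b'MZ':
        raise ValueError('not an MZ image')
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    _, nsect, _, _, _, opt_size, _ = COFF_HEADER.unpack_from(image, e_lfanew + 4)
    table = e_lfanew + 4 + COFF_HEADER.size + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rsize, rptr, *_ = SECTION_HEADER.unpack_from(
            image, table + i * SECTION_HEADER.size)
        raw = image[rptr:rptr + rsize] if rsize else b''
        sections.append({
            'name': name.rstrip(b'\0').decode('latin-1'),
            'virtual_size': vsize, 'virtual_address': vaddr,
            'size_of_data': rsize, 'entropy': shannon_entropy(raw),
        })
    return sections


def looks_upx_by_name(sections):
    """The heuristic the thread calls unreliable: trust the UPX0/UPX1 names."""
    names = {s['name'] for s in sections}
    return 'UPX0' in names and 'UPX1' in names


def looks_packed_by_layout(sections, threshold=7.0):
    """Name-independent check: a section with no data on disk that reserves
    space for the unpacked image, directly followed by a high-entropy section
    holding the compressed data."""
    for empty, payload in zip(sections, sections[1:]):
        if (empty['size_of_data'] == 0 and empty['virtual_size'] > 0
                and payload['entropy'] >= threshold):
            return True
    return False


def build_pe(sections):
    """Assemble a minimal PE32 image from (name, virtual_size, virtual_address,
    raw_bytes) tuples; only the fields the parser reads carry real values."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = bytearray(e_lfanew)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, e_lfanew)
    coff = COFF_HEADER.pack(0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    header_end = (e_lfanew + 4 + COFF_HEADER.size + opt_size
                  + SECTION_HEADER.size * len(sections))
    raw_ptr = (header_end + 0x1FF) & ~0x1FF     # 512-byte file alignment
    table, bodies = b'', b''
    for name, vsize, vaddr, raw in sections:
        ptr = raw_ptr + len(bodies) if raw else 0
        table += SECTION_HEADER.pack(name.encode().ljust(8, b'\0'), vsize, vaddr,
                                     len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        bodies += raw
    image = bytes(dos) + b'PE\0\0' + coff + bytes(opt_size) + table
    return image + bytes(raw_ptr - len(image)) + bodies


# Constructed stand-in for compressed data: every byte value 16 times, entropy 8.0.
PAYLOAD = bytes((i * 73 + 41) & 0xFF for i in range(4096))
UPX_NAMED = build_pe([('UPX0', 0x23000, 0x1000, b''),
                      ('UPX1', 0x1000, 0x24000, PAYLOAD)])
# Same layout after a tool renamed the sections (the case the mox quote describes).
RENAMED = build_pe([('.text', 0x23000, 0x1000, b''),
                    ('.rdata', 0x1000, 0x24000, PAYLOAD)])
# Unpacked image: code and data present on disk, low entropy.
PLAIN = build_pe([('.text', 0x200, 0x1000, b'\x90' * 0x200),
                  ('.data', 0x100, 0x2000, b'\x00' * 0x100)])


def classify(image):
    sections = parse_sections(image)
    return {'by_name': looks_upx_by_name(sections),
            'by_layout': looks_packed_by_layout(sections)}


if __name__ == '__main__':
    for label, image in (('UPX_NAMED', UPX_NAMED), ('RENAMED', RENAMED), ('PLAIN', PLAIN)):
        print(label, classify(image))
        for s in parse_sections(image):
            print('  %-8s size_of_data=%#x virtual_size=%#x entropy=%.2f'
                  % (s['name'], s['size_of_data'], s['virtual_size'], s['entropy']))
```

Run as-is, the name check fires only on the first image, while the layout check fires on both packed images and stays quiet on the plain one, which is why a section name alone should never decide a verdict; on the other hand an entropy threshold is a tunable, so treat the layout check as a triage signal rather than a detection either.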

I can check again with .NET, Java and Flash installed tomorrow.

All undetected files are reported to Avast.

Can you send samples to me as well?

Yep. Just PM me an e-mail address or something where I can send them to you.

Hi Steven Winderlich and magna86,

Thanks for helping towards detection, analysis and eventual cleansing. Great job, folks.

Damian

Uploaded the files in a password-protected 7-Zip archive.

Can send you a download link if you want.

Thanks for samples. I shall test it as well. :wink:

Not on your real system please. :wink:

Send me a PM as well, I would like to test stuff as well. Thanks

@Steven Winderlich
You have a sample of the latest ZeroAccess variant there, you know. :slight_smile:

And are you guys interested in my analysis? :stuck_out_tongue:

This variant of malware creates the following processes:

C:\Windows\SysWOW64\shell.exe
C:\Users\Magna\Local Settings\Application Data\WINDOWS\cute.exe
C:\Users\Magna\Local Settings\Application Data\WINDOWS\imoet.exe
C:\Windows\tiwi.exe
C:\Windows\SysWOW64\IExplorer.exe
C:\Users\Magna\Local Settings\Application Data\WINDOWS\winlogon.exe

The malware uses more than one loading point:
I have not written the full registry paths; whoever knows how to work with regedit will also know how to find the full path in the registry for the mentioned keys.

Under the 32-bit Winlogon key, in the Userinit and Shell values, the malware uses the legitimate userinit.exe and Explorer.exe for loading the malicious file C:\Windows\system32\IExplorer.exe.
Under the HKCU…\Run key the malware sets a tiwi value, and the loaded file is in the Windows directory as tiwi.exe.
Under the HKCU…\Run key the malware sets an MSMSGS value, and the loaded file is in the C:\Users\Magna\Local Settings\Application Data\WINDOWS directory as winlogon.exe.

Under the 32-bit HKLM…\Run key it creates a Logon value pointing to the malicious file C:\Users\Magna\Local Settings\Application Data\WINDOWS\imoet.exe to load.
In the same key as above it creates a System Monitoring value pointing to the malicious file C:\Users\Magna\Local Settings\Application Data\WINDOWS\cute.exe.
And in the AlternateShell value it creates an entry for running C:\Windows\tiwi.exe. This, I think, allows the malware to load in Safe Mode.

The malware sets the following policies (in the registry) on the system in order to protect itself from being detected:
disableregistrytools
DisableTaskMgr
NoDispSettingsPage
NoFolderOptions
NoTrayContextMenu
NoFind
NoSetFolders
NoRun

The malware creates the following files:
2013-12-10 17:34 - 2013-12-10 17:37 - 00087040 __RSH C:\Windows\tiwi.exe
2013-12-10 17:34 - 2013-12-10 17:37 - 00087040 __RSH C:\tiwi.exe
2013-12-10 17:34 - 2013-12-10 17:37 - 00087040 ____N C:\Windows\SysWOW64\tiwi.scr
2013-12-10 17:34 - 2013-12-10 17:37 - 00087040 ____N C:\Windows\SysWOW64\IExplorer.exe
2013-12-10 17:34 - 2013-12-10 17:37 - 00000729 ____N C:\present.txt
2013-12-10 17:34 - 2013-12-10 17:37 - 00000000 _RSHD C:\Users\Magna\AppData\Local\WINDOWS
2013-12-10 17:34 - 2013-12-10 17:36 - 00087040 ____N C:\Windows\SysWOW64\shell.exe
2013-12-10 17:34 - 2013-12-10 17:34 - 00087040 ____N C:\Tiwi_Cute.exe
2013-12-10 17:34 - 2013-12-10 17:34 - 00087040 ____N C:\Data_Rahasia Magna.exe
2013-12-10 17:34 - 2013-12-10 17:34 - 00000000 ____D C:\Users\Magna\Desktop\Brontok&Samples
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\winlogon.exe
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\tiwi.exe
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\smss.exe
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\imoet.exe
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\IExplorer.exe
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\cute.exe
2013-12-10 17:37 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\Registration
2013-12-10 17:36 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
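The loading points and policies listed above are all plain registry values, so they can be checked offline from a registry export taken on the infected VM. The following is an added example (my own code, not from the thread) that parses `.reg` export text and reports every deviation from the Windows defaults at those locations: a Winlogon Shell other than explorer.exe, extra Userinit components, a SafeBoot AlternateShell other than cmd.exe, Run entries pointing into a user profile or the bare Windows directory, and any of the eight lock-out policies set. The export it runs on is constructed; the full key paths are the standard Windows locations (the thread abbreviates them) and the values mirror what is reported in the post above.

```python
"""Offline check of a registry export (.reg text) for the loading points and
lock-out policies listed in the thread: Winlogon Shell/Userinit, the Run keys,
SafeBoot AlternateShell and the Explorer/System policies.

Added example, not code from the thread. The export below is constructed; the
key paths are the standard Windows locations and the values mirror the post.
"""
import re
from collections import OrderedDict

CONSTRUCTED_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\Windows\\system32\\IExplorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"tiwi"="C:\\Windows\\tiwi.exe"
"MSMSGS"="C:\\Users\\Magna\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logon"="C:\\Users\\Magna\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"
"System Monitoring"="C:\\Users\\Magna\\Local Settings\\Application Data\\WINDOWS\\cute.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\Windows\\tiwi.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
"NoDispSettingsPage"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoTrayContextMenu"=dword:00000001
"NoFind"=dword:00000001
"NoSetFolders"=dword:00000001
"NoRun"=dword:00000001
'''

WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
SAFEBOOT = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot'
RUN_KEYS = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run')
POLICY_KEYS = (r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System',
               r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer')
# The eight policy values the thread lists; any of them set non-zero locks a tool away.
LOCKOUT_POLICIES = {'disableregistrytools', 'disabletaskmgr', 'nodispsettingspage',
                    'nofolderoptions', 'notraycontextmenu', 'nofind', 'nosetfolders', 'norun'}


def _unquote(s):
    # Strip the surrounding quotes of a .reg string and undo its backslash escaping.
    out, body, i = [], s[1:-1], 0
    while i < len(body):
        if body[i] == '\\' and i + 1 < len(body):
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return ''.join(out)


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: value}} for REG_SZ and REG_DWORD."""
    keys, current = OrderedDict(), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            keys.setdefault(current, OrderedDict())
        elif current is not None and line.startswith('"') and '"=' in line:
            name_part, _, val_part = line.partition('"=')
            name = _unquote(name_part + '"')
            if val_part.startswith('dword:'):
                keys[current][name] = int(val_part[6:], 16)
            elif val_part.startswith('"'):
                keys[current][name] = _unquote(val_part)
    return keys


def suspicious_location(target):
    """Why a Run-key target deserves a look: it lives in a user profile (where the
    worm drops its lookalike binaries) or directly in the Windows directory."""
    p = target.strip().strip('"').lower()
    if '\\users\\' in p or '\\documents and settings\\' in p:
        return 'profile'
    if re.fullmatch(r'[a-z]:\\windows\\[^\\]+', p):
        return 'windows-root'
    return None


def audit(keys):
    """Return (category, key, value_name, detail) for each deviation from the defaults."""
    findings = []
    wl = keys.get(WINLOGON.lower(), {})
    shell = wl.get('Shell', 'explorer.exe')
    if shell.strip().lower() != 'explorer.exe':
        findings.append(('winlogon-shell', WINLOGON, 'Shell', shell))
    for comp in wl.get('Userinit', '').split(','):
        comp = comp.strip()
        if comp and comp.lower().rsplit('\\', 1)[-1] != 'userinit.exe':
            findings.append(('winlogon-userinit', WINLOGON, 'Userinit', comp))
    alt = keys.get(SAFEBOOT.lower(), {}).get('AlternateShell', 'cmd.exe')
    if alt.strip().lower() != 'cmd.exe':
        findings.append(('safeboot-alternateshell', SAFEBOOT, 'AlternateShell', alt))
    for key in RUN_KEYS:
        for name, target in keys.get(key.lower(), {}).items():
            reason = suspicious_location(str(target))
            if reason:
                findings.append(('run-' + reason, key, name, target))
    for key in POLICY_KEYS:
        for name, value in keys.get(key.lower(), {}).items():
            if name.lower() in LOCKOUT_POLICIES and value:
                findings.append(('lockout-policy', key, name, value))
    return findings


if __name__ == '__main__':
    for cat, key, name, detail in audit(parse_reg_export(CONSTRUCTED_REG_EXPORT)):
        print('%-24s %s\\%s = %r' % (cat, key, name, detail))
```

On the constructed export this yields fifteen findings: the altered Shell, the extra Userinit component, the AlternateShell pointing at tiwi.exe, the four Run entries and the eight policies. The same routine run over an export from a clean machine reports nothing, which is the baseline a cleanup should be checked against afterwards; the Wow6432Node and HKLM policy variants are not covered here and would be added for a 64-bit audit.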

Yep.

The VM is completely messed up. Unusable.

Today 3 of the files I sent you a download link for were detected.

This Worm Brontok is still undetected.

Hi magna86,

So it will start with this known worm, tiwi.exe aka W32.Rahiwi.A!

tiwi.exe is an executable file whose primary purpose is to start a parasite or launch some of its components. Once executed, the tiwi.exe file runs a process that is responsible for the parasite's payload. tiwi.exe is a significant part of a dangerous threat, but it can also work on its own. DO NOT execute it! The tiwi.exe file is installed and used by Rahiwi. You are highly advised to scan the system, delete the executable tiwi.exe and terminate all the processes it started. In some cases the presence of tiwi.exe does not mean that your system is infected. The file may actually belong to some fully legitimate application and therefore must stay intact. If you are in doubt, please scan the tiwi.exe file using your regular spyware remover or antivirus program.
Info from spyware2... but, as stated here, there is also a benign variant that is part of clean applications: http://www.isthisfilesafe.com/sha1/A02D46D883B09F481B496E35B53C8415372C75E5_details.aspx

The malware tiwi.exe aka W32.Rahiwi.A is a worm. It infects all Windows systems and propagates by copying itself to the root of all drives: removable, local and network shares. The worm is a slow infector. It does low damage to the infected computer and is easy to remove using updated antivirus software. So we at least should have had protection against this slow infector :slight_smile:

Damian