Installation
When the infected file is first launched, the user sees a Windows Explorer window open on the 'My Pictures' folder; the installation described below runs behind this window.
During installation the worm writes the following values to the system registry. Together they disable the Registry Editor (DisableRegistryTools), remove the Folder Options menu from Windows Explorer (NoFolderOptions), and configure Explorer to hide file extensions and hidden/system files (HideFileExt, Hidden, ShowSuperHidden), so the dropped copies listed further down are not readily visible. Note that the DisableCMD value is written as 0, which does not disable the command interpreter.
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"="1"
"DisableCMD"="0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"="0"
"HideFileExt"="1"
"ShowSuperHidden"="0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"="1"
For example, the following message will be displayed when the registry editor is launched:
The worm then obtains the path to the current user's local Application Data folder (%UserProfile%\Local Settings\Application Data) and copies its body there under the following names, each chosen to mimic a core Windows process whose genuine binary lives in the system directory:
%UserProfile%\Local Settings\Application Data\csrss.exe
%UserProfile%\Local Settings\Application Data\inetinfo.exe
%UserProfile%\Local Settings\Application Data\lsass.exe
%UserProfile%\Local Settings\Application Data\services.exe
%UserProfile%\Local Settings\Application Data\smss.exe
%UserProfile%\Local Settings\Application Data\svchost.exe
%UserProfile%\Local Settings\Application Data\winlogon.exe
A 51-byte text file called Kosong.Bron.Tok.txt is also created in the same directory, with the following contents:
By: HVM31
-- JowoBot #VM Community --
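The registry values and the process-name copies above are the installation artifacts a responder would look for. The following script is an added example, not code from the original description: it checks a .reg-style export of the HKCU keys for the values listed above and scans a list of file paths for copies of the worm that use core process names outside \System32\, plus the other file names the description attributes to it. The sample export and the sample paths (user name 'alice') are constructed for the example. The Explorer\Advanced values are close to Windows' own "hide" defaults, so only the two Policies values are treated as strong evidence of tampering.

```python
"""Offline triage check for the Brontok installation artifacts listed above.
Added example (not from the original description). Key names, value names and
file names are taken from the description; the sample inputs are constructed.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# (subkey, value name) -> value the worm writes, as listed in the description.
WORM_REG_VALUES: Dict[Tuple[str, str], str] = {
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): "1",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCMD"): "0",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden"): "0",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt"): "1",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden"): "0",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions"): "1",
}
# Policies values a clean profile does not normally carry (strong indicators).
STRONG_REG_INDICATORS = {
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions"),
}
# Process names the worm reuses; the genuine binaries live under %SystemRoot%\System32.
MASQUERADE_NAMES = {"csrss.exe", "inetinfo.exe", "lsass.exe", "services.exe",
                    "smss.exe", "svchost.exe", "winlogon.exe"}
# Other file names the description attributes to the worm.
DROPPED_NAMES = {"kosong.bron.tok.txt", "empty.pif", "about.brontok.a.html"}


def parse_reg_export(text: str) -> Dict[Tuple[str, str], str]:
    """Parse [key] and "name"=value lines of a .reg export.
    "1" (as printed above) and dword:00000001 (as regedit exports it) both
    normalise to "1"; HKEY_CURRENT_USER is shortened to HKCU for comparison."""
    values: Dict[Tuple[str, str], str] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.upper().startswith("HKEY_CURRENT_USER"):
                key = "HKCU" + key[len("HKEY_CURRENT_USER"):]
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not (m and key):
            continue
        name, val = m.group(1), m.group(2).strip()
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        elif val.lower().startswith("dword:"):
            val = str(int(val[6:], 16))
        values[(key, name)] = val
    return values


def find_worm_reg_values(export_text: str) -> List[str]:
    """Return 'key\\name=value' for every value matching what the worm sets."""
    found = parse_reg_export(export_text)
    return [f"{key}\\{name}={wanted}"
            for (key, name), wanted in WORM_REG_VALUES.items()
            if found.get((key, name)) == wanted]


def policy_tamper_detected(export_text: str) -> bool:
    """True only if a strong Policies indicator is present and set to 1."""
    found = parse_reg_export(export_text)
    return any(found.get(k) == "1" for k in STRONG_REG_INDICATORS)


def find_masquerading_files(paths: List[str]) -> List[str]:
    """Executables named after core Windows processes that sit outside \\System32\\."""
    return [p for p in paths
            if ntpath.basename(p.lower()) in MASQUERADE_NAMES
            and "\\system32\\" not in p.lower()]


def find_dropped_artifacts(paths: List[str]) -> List[str]:
    """Files carrying the worm's other known names, wherever they sit."""
    return [p for p in paths if ntpath.basename(p).lower() in DROPPED_NAMES]


# Constructed sample inputs (not real captures); user name 'alice' is made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"""
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\csrss.exe",                       # genuine
    r"C:\WINDOWS\system32\inetsrv\inetinfo.exe",            # genuine (IIS)
    r"C:\Documents and Settings\alice\Local Settings\Application Data\csrss.exe",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\smss.exe",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\Kosong.Bron.Tok.txt",
    r"C:\Documents and Settings\alice\My Documents\My Pictures\about.Brontok.A.html",
    r"C:\Program Files\Notepad++\notepad++.exe",
]

if __name__ == "__main__":
    print("policy tampering:", policy_tamper_detected(SAMPLE_REG_EXPORT))
    for hit in find_worm_reg_values(SAMPLE_REG_EXPORT):
        print("registry:", hit)
    for hit in find_masquerading_files(SAMPLE_PATHS) + find_dropped_artifacts(SAMPLE_PATHS):
        print("file:", hit)
```

On a live host the same checks can be run against `reg export HKCU\Software\Microsoft\Windows\CurrentVersion` and a recursive directory listing of the user profile; the name-based file checks are deliberately path-agnostic because the description's remaining copy locations (ShellNew, Startup, Templates, My Pictures) are all inside or beside the profile.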
The worm also copies its body to the Windows root directory (%WinDir%) under the following name:
and to the ShellNew subdirectory under a name generated as follows: bbm-
and to the Windows system directory under the following names:
%System%\cmd-bro-
%System%\%UserName%'s Setting.scr
The worm also copies itself to the Startup folder of the Start menu (so that it is launched at every logon) as Empty.pif:
and to the Document Template subdirectory:
and to the My Pictures directory of the current user:
An HTML page called about.Brontok.A.html is also created in this directory: