
Short description
Win32/Brontok.BR is a worm that spreads via e-mail, shared folders and removable media. The file is run-time compressed using MEW.
Installation
When executed the worm copies itself in the following locations:
- %localappdata%\br%variable1%on.exe
- %localappdata%\csrss.exe
- %localappdata%\inetinfo.exe
- %localappdata%\lsass.exe
- %localappdata%\services.exe
- %localappdata%\smss.exe
- %localappdata%\winlogon.exe
- %startup%\Empty.pif
- %system%\%username%'s Setting.scr
- %system%\cmd-brontok.exe
- %system%\drivers\etc\hosts-Denied By-%username%.com
- %templates%\14004-NendangBro.com
- %windir%\KesenjanganSosial.exe
- %windir%\ShellNew\RakyatKelaparan.exe
The worm creates the following files:
- %localappdata%\Kosong.Bron.Tok.txt (51 B)
- %userprofile%\My Pictures\about.Brontok.A.html (1064 B)
The worm creates the following folders:
- %localappdata%\Ok-SendMail-Bron-tok
- %localappdata%\Bron.tok-16-%variable2%
- %localappdata%\Loc.Mail.Bron.Tok
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- 'Bron-Spizaetus' = '%windir%\ShellNew\RakyatKelaparan.exe'
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
- 'Shell' = 'Explorer.exe "%windir%\KesenjanganSosial.exe"'
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot]
- 'AlternateShell' = 'cmd-brontok.exe'
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- 'Tok-Cirrhatus-%variable3%' = '%localappdata%\br%variable1%on.exe'
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- 'DisableRegistryTools' = 1
- 'DisableCMD' = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- 'NoFolderOptions' = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced]
- 'Hidden' = 0
- 'HideFileExt' = 1
- 'ShowSuperHidden' = 0
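A triage check for the autostart and lockout entries listed above, as an added example that is not part of the original description. It reads registry data in `reg export` text form; the sample export, the function names and the expected defaults for Shell (explorer.exe) and AlternateShell (cmd.exe) are assumptions of the example.

```python
import re

# Constructed sample in `reg export` text form; not captured from a real host.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="C:\\WINDOWS\\ShellNew\\RakyatKelaparan.exe"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\KesenjanganSosial.exe\""
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd-brontok.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''
RUN_NAMES = re.compile(r"bron-spizaetus$|tok-cirrhatus-", re.I)  # names from the description
LOCKOUT = {"DisableRegistryTools", "NoFolderOptions"}            # policies it sets to 1

def parse_reg(text):
    """Yield (lowercased key, value name, data); dword data becomes int."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                yield key, name, int(raw[6:], 16)
            else:  # quoted string: drop outer quotes, undo \" and \\ escapes
                yield key, name, re.sub(r"\\(.)", r"\1", raw[1:-1])

def findings(text):
    """Return (reason, evidence) pairs for the persistence and lockout settings."""
    out = []
    for key, name, data in parse_reg(text):
        lname = name.lower()
        if key.endswith(r"\currentversion\run") and RUN_NAMES.match(name):
            out.append(("run-key name from the description", name))
        elif key.endswith(r"\currentversion\winlogon") and lname == "shell":
            if str(data).strip().lower() != "explorer.exe":  # assumed Windows default
                out.append(("Winlogon Shell is not plain explorer.exe", data))
        elif key.endswith(r"\control\safeboot") and lname == "alternateshell":
            if str(data).strip().lower() != "cmd.exe":       # assumed Windows default
                out.append(("SafeBoot AlternateShell is not cmd.exe", data))
        elif "\\policies\\" in key and name in LOCKOUT and data == 1:
            out.append(("tool-lockout policy enabled", name))
    return out

if __name__ == "__main__":
    for reason, evidence in findings(SAMPLE_REG):
        print(f"{reason}: {evidence}")
```

The Shell and AlternateShell checks are generic: they flag any value other than the default, so they also catch variants that use different file names.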
The worm may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- 'LoadService' = '
- 'CCAPPS' = '
- 'OSA' = '
- 'SymRun' = '
- 'local service' = '
- 'Security' = '
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- 'LoadService' = '
- 'CCAPPS' = '
- 'OSA' = '
- 'SymRun' = '
- 'local service' = '
- 'Security' = '
The worm schedules a task that causes the following file to be executed daily:
The worm replaces the following file by one downloaded from the Internet:
This blocks access to several Internet servers.
The worm modifies the following file:
The worm writes the following entries to the file:
The following files are deleted:
- %system%\ccapps.exe
- %system%\kangen.exe
- %system%\syslove.exe
- %system%\winword.exe
- %windir%\Fonts\tskmgr.exe
- %windir%\rundll32.exe
- %windir%\Systray.exe
- C:\!Submit\winword.exe
- C:\!Submit\xpshare.exe
- C:\Windows\Systray.exe
A string with variable content is used instead of %variable1-3%.
Spreading on removable media
The worm copies itself into the root folders of removable drives using the following name:
Spreading via e-mail
Win32/Brontok.BR is a worm that spreads via e-mail.
E-mail addresses for further spreading are searched for in local files with one of the following extensions:
Addresses containing the following strings are avoided:
- .
- .@
- .AC.ID
- .ASP
- .CO.ID
- .EXE
- .GO.ID
- .HTM
- .JS
- .MIL.ID
- .NET.ID
- .OR.ID
- .PHP
- .SCH.ID
- .VBS
- .WAR.NET.ID
- .WEB.ID
- @.
- @123
- @ABC
- @MAC
- ADMIN
- ADOBE
- AHNLAB
- ALADDIN
- ALERT
- ALWIL
- ANTIGEN
- APACHE
- ARCHIEVE
- ASDF
- ASSOCIATE
- ASTAGA
- AVAST
- AVG
- AVIRA
- BILLING@
- BLACK
- BLAH
- BLEEP
- BOLEH
- BROWSE
- BUG
- BUILDER
- BUNTU
- CANON
- CILLIN
- CISCO
- CLICK
- CNET
- COMPUSE
- COMPUTE
- CONTOH
- CRACK
- DARK
- DATABASE
- DEMO
- DEVELOP
- DOMAIN
- DOWNLOAD
- ELECTRO
- ELEKTRO
- EMAILKU
- ESAFE
- ESAVE
- ESCAN
- EXAMPLE
- FEEDBACK
- FOO@
- FREE
- FUCK
- FUJI
- FUJITSU
- GATEWAY
- GAUL
- GRISOFT
- GROUP
- HACK
- HAURI
- HIDDEN
- HP.
- IBM.
- IEEE
- INDO
- INFO@
- INFORMA
- INTEL.
- IPTEK
- KDE
- KOMPUTER
- LAB
- LINUX
- LOOKSMART
- LOTUS
- LUCENT
- MACRO
- MASTER
- MATH
- MICRO
- MICROSOFT
- MOZILLA
- MYSQL
- NASA
- NETSCAPE
- NETWORK
- NEWS
- NOD32
- NOKIA
- NORMAN
- NORTON
- NOVELL
- NVIDIA
- OPERA
- OVERTURE
- PANDA
- PLASA
- POSTGRE
- PROGRAM
- PROLAND
- PROMO
- PROTECT
- PROXY
- RECIPIENT
- REDHA
- REGIST
- RELAY
- RESPONSE
- ROBOT
- SALES
- SATU
- SECUN
- SECURE
- SECURITY
- SEKUR
- SENIOR
- SERVER
- SERVICE
- SIEMENS
- SIERRA
- SLACK
- SMTP
- SOFT
- SOME
- SOURCE
- SPAM
- SPERSKY
- SPYW
- STUDIO
- SUN.
- SUPPORT
- SUSE
- SYBARI
- SYMANTEC
- SYNDICAT
- TELECOM
- TELKOM
- TEST
- TRACK
- TREND
- TRUST
- UPDATE
- USERNAME
- VAKSIN
- VIRUS
- W3.
- WWW
- XANDROS
- XEROX
- XXX
- YOUR
- ZDNET
- ZEND
- ZOMBIE
The sender address is one of the following:
- Photo_%variable%@friendster.com
- PicSender_%variable%@friendster.com
- Photo_%variable%@boleh.com
- Galeri_%variable%@boleh.com
A string with variable content is used instead of %variable%.
The message depends entirely on data the worm downloads from the Internet.
Spreading via shared folders
The worm searches for various shared folders.
The executables of the worm are copied there using a filename of a file already present in the folder.
An additional '.exe' extension is appended.
Alternatively, the following name may be used:
Other information
The worm acquires data and commands from a remote computer or the Internet.
The worm contains a list of (4) URLs. The HTTP protocol is used.
The worm tries to download a file from the Internet. The file is then executed.
The worm performs a DoS attack against 2 servers.
The worm restarts the operating system if there is a window with any of the following strings in the name:
- .EXE
- BLEEPING
- CLEANER
- COMMAND PROMPT
- FAJARWEB
- GROUP POLICY
- HIJACK
- KILLBOX
- LOG OFF WINDOWS
- MOVZX
- PROCESS EXP
- REGISTRY
- REMOVER
- SCRIPT HOST
- SHUT DOWN
- SYSINTERNAL
- SYSTEM CONFIGURATION
- TASK KILL
- TASKKILL
The following programs are terminated:
- ashmaisv.exe
- aswupdsv.exe
- avgemc.exe
- ccapps.exe
- cclaw.exe
- mcvsescn.exe
- nipsvc.exe
- njeeves.exe
- nvcoas.exe
- poproxy.exe
- riyani_jangkaru.exe
- syslove.exe
- systray.exe
- tskmgr.exe
- xpshare.exe
The worm executes the following commands:
- at /delete /y
- at 17:08 /every:M,T,W,Th,F,S,Su '%templates%\14004-NendangBro.com'
- at 11:03 /every:M,T,W,Th,F,S,Su '%templates%\14004-NendangBro.com'
- ping kaskus.com -n 250 -l 747
- ping 17tahun.com -n 250 -l 747
The worm searches for files which contain any of the following strings in their file name:
- .DOC.EXE
- .XLS.EXE
- PATAH
- HATI
- CINTA
- UNTUKMU
- DATA-TEMEN
- RIYANI
- JANGKARU
- KANGEN
- JROX
- kangen.exe
- untukmu.exe
- myheart.exe
- my heart.exe
- jangan dibuka.exe
The worm then deletes the found files.
The worm searches local drives for files with the following file extensions:
When the worm finds a file matching the search criteria, it creates a new copy of itself.
The file name and extension of the newly created file is derived from the original one. An additional '.exe' extension is appended.
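A hunting sketch for the naming pattern described here and under "Spreading via shared folders" (an existing file name with '.exe' appended), added as an example and not part of the original description. The function names and the demo tree are constructed, and grouping hits by hash assumes the dropped copies are byte-identical, which the description does not state.

```python
import hashlib, os, tempfile
from collections import defaultdict

def masquerading_copies(root):
    """Paths named '<sibling file name>.exe', e.g. report.doc.exe beside report.doc."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for f in files:
            stem, ext = os.path.splitext(f)
            # Heuristic: the stem itself has an extension and exists as a sibling file.
            if ext.lower() == ".exe" and "." in stem and stem.lower() in present:
                hits.append(os.path.join(folder, f))
    return sorted(hits)

def identical_clusters(paths):
    """Group hits by SHA-256; several names with one hash point to one dropped binary."""
    groups = defaultdict(list)
    for p in paths:
        with open(p, "rb") as fh:
            groups[hashlib.sha256(fh.read()).hexdigest()].append(p)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def build_demo_tree(root):
    """Constructed test data: two documents, two same-content '.exe' twins, one normal tool."""
    files = {"report.doc": b"text", "report.doc.exe": b"MZ constructed",
             "sub/budget.xls": b"cells", "sub/budget.xls.exe": b"MZ constructed",
             "tool.exe": b"MZ unrelated"}
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_demo_tree(d)
        hits = masquerading_copies(d)
        print(hits, identical_clusters(hits))
```

Because the worm also sets 'HideFileExt' = 1, such a copy shows up in Explorer under the original document's name, so a listing that includes extensions is needed to spot it.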
The worm displays the following message: