Type Mass mailer worm
Date Discovered 2005.09.23
Place of Origin Indonesia
Source Language
Platform MS Windows
File Type(s) .exe, .pif, .scr, .com*
Infection Length 81,920 ytes
Reported Costs

Brontok is a worm from Indonesia with a political message against pollution and immorality. It attacks the Playboy and Israeli government sites.

Table of Contents


Brontok arrives in an email with a spoofed sender address. The subject line is blank. The attachment is Kangen.exe (Kangen is The message body is largely in Indonesian:

  BRONTOK.A [ By: HVM31 -- JowoBot #VM Community ] 
  -- Hentikan kebobrokan di negeri ini -- 
  1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA 
  ( Send to "NUSAKAMBANGAN") 
  2. Stop Free Sex, Absorsi, & Prostitusi 
  3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar. 
  4. SAY NO TO DRUGS !!! 
  Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah[ By: HVM31 ]--
  JowoBot #VM Community

A rough translation is:
  BRONTOK.A [By: HVM31 - JowoBot # VM Community]
  - Stop the decadence in the country -
  1. Corrupters of judges, smuggling, bribery, gambling, & DRUG trafficking
  (Send to "Nusakambangan Prison")
  2. Stop Free Sex, Absorption, & Prostitutes
  3. Stop (marine and river pollution), forest burning and poaching.
  4. SAY NO TO DRUGS !!!
  - The end is near -
  Inspired by: Eagle Brontok (Spizaetus Cirrhatus) which is almost extinct [By: HVM31] -
  JowoBot # VM Community

Note: Both "Elang" and "Brontok" are Indonesian for "Eagle", however the significance of using the two different names is unknown.
When executed, Brontok creates several copies of itself in a few different directories. The files IDTemplate.exe, services.exe, lsass.exe, inetinfo.exe, csrss.exe go into the user's APPDATA directory. CVT.exe goes into the PIF directory which itself is in the Windows directory. Empty.pif goes into the Startup folder of the start menu. goes into the user's templates directory. 3D Animation.scr goes into the system directory.

It then edits a few registry keys. One is the local machine run key, to which it adds the value "Bron-Spizaetus = C:\WINDOWS\PIF\CVT.exe", ensuring this file is run when the system starts. It adds the file as a task to the Windows scheduler so it executes every day at 5:08PM.

It also changes registry keys to disable cerAbsorsitain functions that could be used to delete the worm. The worm also reboot the computer if it finds any open windows with one of well over a hundred strings in its name. These are mostly antivirus programs as well as what could be websites of several tech-related publications.

The worm launches ping flood attacks on the sites and

Brontok looks for email addresses in files with extensions of .asp, .cfm, .csv, .doc, .eml, .html, .php, .txt and .wab. It avoids sending itself to addresses with an .id TLD as well as ones that contain the strings plasa, telkom, indo, astaga, gaul, boleh, emailku and satu. The worm may append the prefixes smtp., mail. and ns1. to domain names in an attempt to find SMTP servers. It uses its own SMTP engine to send itself.


Brontok variants were appearing in the top 10 charts as late as 2008. By this time, trojans were taking top positions in the charts and adware began topping the charts at that time. Self-replicators, all worms, only represented three at the time.

Note: absorption was meant to be abortion

Sources, W32.Rontokbro@mm. 2005.09.23-2008.01.02

John Leyden. The Register, Adware package tops malware charts for first time. 2008.03.06

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License