
W32.Rontokbro@mm

Risk Level 2: Low

Discovered: September 23, 2005
Updated: December 13, 2013 7:25:44 AM
Systems Affected: Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, Windows 7
W32.Rontokbro@mm (its email body names it Brontok.A) is a mass-mailing worm. It disables administrative tools, reboots the computer whenever a window with a security- or system-related title is open, and may flood two web sites with ping traffic; the repeated reboots are what make an infected system unstable.

When the worm is executed, it copies itself to the following locations (%UserProfile% is the current user's profile folder; %System% is the Windows system folder, System32 on Windows NT/2000/XP/7 and System on Windows 95/98/Me):
C:\Windows\PIF\CVT.exe
%UserProfile%\APPDATA\IDTemplate.exe
%UserProfile%\APPDATA\services.exe
%UserProfile%\APPDATA\lsass.exe
%UserProfile%\APPDATA\inetinfo.exe
%UserProfile%\APPDATA\csrss.exe
%UserProfile%\Programs\Startup\Empty.pif
%UserProfile%\Templates\A.kotnorB.com
%System%\3D Animation.scr

It creates the following folder:
%UserProfile%\Local Settings\Application Data\Bron.tok-24

It overwrites C:\Autoexec.bat with the following text:
"pause"
On Windows 95/98/Me, which process Autoexec.bat at startup, this halts booting until a key is pressed.

The worm creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Bron-Spizaetus" = "C:\WINDOWS\PIF\CVT.exe"

It may modify some of the following registry entries, which disable the Registry Editor, disable the interactive command prompt (a DisableCMD value of 2 blocks cmd.exe but still lets batch files run), and hide the Folder Options dialog so that hidden files cannot be made visible:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System\"DisableRegistryTools" = "1"
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System\"DisableCMD" = "2"
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\Explorer\"NoFolderOptions" = "1"

It adds a task to the Windows scheduler to execute the following file at 5:08 PM every day:
%UserProfile%\Templates\A.kotnorB.com
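A host-side sweep for the persistence artifacts listed above, added here as an example; it is not Symantec's removal tool. The snapshot dictionary, the collect_windows_snapshot() helper and the expansion of %UserProfile% and %System% are assumptions made so that the matching logic can also be run offline against a recorded snapshot; on a live Windows host the helper reads the Run and Policies keys with winreg, lists tasks with schtasks, and reads C:\Autoexec.bat.

```python
"""Sweep for the W32.Rontokbro@mm persistence artifacts listed above.
Added example, not Symantec's tooling.  The snapshot model (files present,
HKLM Run values, HKCU policy values, schtasks output lines, Autoexec.bat
text) is an assumption so the matching runs anywhere; on Windows,
collect_windows_snapshot() fills it from the live system."""
import os
import re
import sys

# Paths from the writeup; %UserProfile% and %System% are expanded from env.
RONTOKBRO_PATHS = [
    r"C:\Windows\PIF\CVT.exe",
    r"%UserProfile%\APPDATA\IDTemplate.exe",
    r"%UserProfile%\APPDATA\services.exe",
    r"%UserProfile%\APPDATA\lsass.exe",
    r"%UserProfile%\APPDATA\inetinfo.exe",
    r"%UserProfile%\APPDATA\csrss.exe",
    r"%UserProfile%\Programs\Startup\Empty.pif",
    r"%UserProfile%\Templates\A.kotnorB.com",
    r"%System%\3D Animation.scr",
    r"%UserProfile%\Local Settings\Application Data\Bron.tok-24",  # folder
]
RUN_VALUE_NAME = "Bron-Spizaetus"      # HKLM\...\CurrentVersion\Run
POLICY_VALUES = {                      # HKCU\...\Policies\System and \Explorer
    "DisableRegistryTools": "1",
    "DisableCMD": "2",
    "NoFolderOptions": "1",
}
SCHEDULED_PAYLOAD = "A.kotnorB.com"    # scheduled daily at 5:08 PM


def expand(path, env):
    """Expand %Name% placeholders case-insensitively, as Windows does."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%(\w+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def find_indicators(snapshot, env):
    """Return one finding string per artifact present in the snapshot."""
    findings = []
    present = {p.lower() for p in snapshot.get("files", [])}
    for template in RONTOKBRO_PATHS:
        path = expand(template, env)
        if path.lower() in present:
            findings.append("file: " + path)
    # Registry value names are case-insensitive, so compare lower-cased.
    run = {k.lower(): v for k, v in snapshot.get("run_values", {}).items()}
    if RUN_VALUE_NAME.lower() in run:
        findings.append("HKLM Run value %s = %s"
                        % (RUN_VALUE_NAME, run[RUN_VALUE_NAME.lower()]))
    policy = {k.lower(): str(v) for k, v in snapshot.get("policy_values", {}).items()}
    for name, bad in POLICY_VALUES.items():
        if policy.get(name.lower()) == bad:
            findings.append("policy %s = %s" % (name, bad))
    for line in snapshot.get("task_commands", []):
        if SCHEDULED_PAYLOAD.lower() in line.lower():
            findings.append("scheduled task: " + line.strip())
    if snapshot.get("autoexec", "").strip().lower() == "pause":
        findings.append(r"C:\Autoexec.bat overwritten with 'pause'")
    return findings


def collect_windows_snapshot():
    """Build the snapshot from a live Windows host (assumed helper)."""
    import subprocess
    import winreg  # Windows only

    def values(root, subkey):
        out = {}
        try:
            with winreg.OpenKey(root, subkey) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    out[name] = data
                    i += 1
        except OSError:
            pass
        return out

    cv = r"Software\Microsoft\Windows\CurrentVersion"
    # Assumes an NT-class system: %System% is System32 there, System on 9x/Me.
    env = {"UserProfile": os.environ.get("USERPROFILE", ""),
           "System": os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")}
    policy = values(winreg.HKEY_CURRENT_USER, cv + r"\Policies\System")
    policy.update(values(winreg.HKEY_CURRENT_USER, cv + r"\Policies\Explorer"))
    tasks = subprocess.run(["schtasks", "/query", "/v", "/fo", "LIST"],
                           capture_output=True, text=True).stdout.splitlines()
    try:
        with open(r"C:\Autoexec.bat") as fh:
            autoexec = fh.read()
    except OSError:
        autoexec = ""
    return {
        "files": [expand(p, env) for p in RONTOKBRO_PATHS if os.path.exists(expand(p, env))],
        "run_values": values(winreg.HKEY_LOCAL_MACHINE, cv + r"\Run"),
        "policy_values": policy,
        "task_commands": tasks,
        "autoexec": autoexec,
    }, env


if __name__ == "__main__" and sys.platform == "win32":
    for finding in find_indicators(*collect_windows_snapshot()):
        print(finding)
```

Run it as an administrator so the HKLM key and the other users' profile paths are readable; a hit on the Run value or the scheduled task is the strongest signal, since the policy values can also be set legitimately by group policy.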

The worm reboots the computer when it detects a window whose title contains one of the following strings. This self-defence behaviour is the source of the instability noted above: the comparison is a case-insensitive substring match, so the Command Prompt, the Registry Editor, the System Configuration Utility, most antivirus consoles, and any Explorer or browser window whose title happens to contain a word such as DATA, DOWNLOAD or WWW will all trigger a reboot:
..
.@
@.
.ASP
.EXE
.HTM
.JS
.PHP
ADMIN
ADOBE
AHNLAB
ALADDIN
ALERT
ALWIL
ANTIGEN
APACHE
APPLICATION
ARCHIEVE
ASDF
ASSOCIATE
AVAST
AVG
AVIRA
BILLING@
BLACK
BLAH
BLEEP
BUILDER
CANON
CENTER
CILLIN
CISCO
CMD.
CNET
COMMAND
COMMAND PROMPT
CONTOH
CONTROL
CRACK
DARK
DATA
DATABASE
DEMO
DETIK
DEVELOP
DOMAIN
DOWNLOAD
ESAFE
ESAVE
ESCAN
EXAMPLE
FEEDBACK
FIREWALL
FOO@
FUCK
FUJITSU
GATEWAY
GOOGLE
GRISOFT
GROUP
HACK
HAURI
HIDDEN
HP.
IBM.
INFO@
INTEL.
KOMPUTER
LINUX
LOG OFF WINDOWS
LOTUS
MACRO
MALWARE
MASTER
MCAFEE
MICRO
MICROSOFT
MOZILLA
MYSQL
NETSCAPE
NETWORK
NEWS
NOD32
NOKIA
NORMAN
NORTON
NOVELL
NVIDIA
OPERA
OVERTURE
PANDA
PATCH
POSTGRE
PROGRAM
PROLAND
PROMPT
PROTECT
PROXY
RECIPIENT
REGISTRY
RELAY
RESPONSE
ROBOT
SCAN
SCRIPT HOST
SEARCH R
SECURE
SECURITY
SEKUR
SENIOR
SERVER
SERVICE
SHUT DOWN
SIEMENS
SMTP
SOFT
SOME
SOPHOS
SOURCE
SPAM
SPERSKY
SUN.
SUPPORT
SYBARI
SYMANTEC
SYSTEM CONFIGURATION
TEST
TREND
TRUST
UPDATE
UTILITY
VAKSIN
VIRUS
W3.
WINDOWS SECURITY.VBS
WWW
XEROX
XXX
YOUR
ZDNET
ZEND
ZOMBIE

It may also launch a ping flood (ICMP denial-of-service) attack against the following sites:
israel.gov.il
playboy.com

The worm gathers email addresses from files with the following extensions on all local drives from C to Y:
.asp
.cfm
.csv
.doc
.eml
.html
.php
.txt
.wab

The worm will not send itself to email addresses whose domain name contains any of the following strings (Indonesian domains and providers, consistent with the Indonesian-language message below). Because these are substring matches, INDO also spares unrelated domains such as any containing "windows":
PLASA
TELKOM
INDO
.CO.ID
.GO.ID
.MIL.ID
.SCH.ID
.NET.ID
.OR.ID
.AC.ID
.WEB.ID
.WAR.NET.ID
ASTAGA
GAUL
BOLEH
EMAILKU
SATU

The worm may prepend the following prefixes to a target's domain name to guess its Simple Mail Transfer Protocol (SMTP) server:
smtp.
mail.
ns1.

The worm then uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From: [SPOOFED]

Subject: [BLANK]

Message (the Indonesian text below is what appears in the email; an English translation follows):
BRONTOK.A [ By: HVM31 -- JowoBot #VM Community ]
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah[ By: HVM31 ]-- JowoBot #VM Community --

English translation:
BRONTOK.A [ By: HVM31 -- JowoBot #VM Community ]
-- Stop the rot in this country --
1. Put Corruptors, Smugglers, Bribers, Gamblers, & DRUG Dealers on trial
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Abortion, & Prostitution
3. Stop (pollution of seas & rivers), forest burning & poaching.
4. SAY NO TO DRUGS !!!
-- JUDGEMENT DAY IS NEAR --
Inspired by: the Changeable Hawk-Eagle (Spizaetus Cirrhatus), which is nearly extinct [ By: HVM31 ] -- JowoBot #VM Community --

Attachment:
Kangen.exe
