W32.Rontokbro@mm

Printer Friendly Page

Discovered: September 23, 2005
Updated: December 13, 2013 7:25:44 AM
Systems Affected: Windows

W32.Rontokbro@mm is a mass-mailing worm that causes system instability.

Discovered: September 23, 2005
Updated: December 13, 2013 7:25:44 AM
Systems Affected: Windows

W32.Rontokbro@mm is a mass-mailing worm that causes system instability.

When the worm is executed, it copies itself as:
C:\Windows\PIF\CVT.exe
%UserProfile%\APPDATA\IDTemplate.exe
%UserProfile%\APPDATA\services.exe
%UserProfile%\APPDATA\lsass.exe
%UserProfile%\APPDATA\inetinfo.exe
%UserProfile%\APPDATA\csrss.exe
%UserProfile%\Programs\Startup\Empty.pif
%UserProfile%\Templates\A.kotnorB.com
%System%\3D Animation.scr

It creates the following folder:
%UserProfile%\Local Settings\Application Data\Bron.tok-24

It overwrites C:\Autoexec.bat with the following text:
"pause"

The worm creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Bron-Spizaetus" = "C:\WINDOWS\PIF\CVT.exe"

It may modify some of the following registry entries:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System\"DisableRegistryTools" = "1"
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System\"DisableCMD" = "2"
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\Explorer\"NoFolderOptions" = "1"

It adds a task to the Windows scheduler to execute the following file at 5:08 PM every day:
%UserProfile%\Templates\A.kotnorB.com

The worm will reboot the computer when it detects a window whose title contains one of the following strings:
..
.@
@.
.ASP
.EXE
.HTM
.JS
.PHP
ADMIN
ADOBE
AHNLAB
ALADDIN
ALERT
ALWIL
ANTIGEN
APACHE
APPLICATION
ARCHIEVE
ASDF
ASSOCIATE
AVAST
AVG
AVIRA
BILLING@
BLACK
BLAH
BLEEP
BUILDER
CANON
CENTER
CILLIN
CISCO
CMD.
CNET
COMMAND
COMMAND PROMPT
CONTOH
CONTROL
CRACK
DARK
DATA
DATABASE
DEMO
DETIK
DEVELOP
DOMAIN
DOWNLOAD
ESAFE
ESAVE
ESCAN
EXAMPLE
FEEDBACK
FIREWALL
FOO@
FUCK
FUJITSU
GATEWAY
GOOGLE
GRISOFT
GROUP
HACK
HAURI
HIDDEN
HP.
IBM.
INFO@
INTEL.
KOMPUTER
LINUX
LOG OFF WINDOWS
LOTUS
MACRO
MALWARE
MASTER
MCAFEE
MICRO
MICROSOFT
MOZILLA
MYSQL
NETSCAPE
NETWORK
NEWS
NOD32
NOKIA
NORMAN
NORTON
NOVELL
NVIDIA
OPERA
OVERTURE
PANDA
PATCH
POSTGRE
PROGRAM
PROLAND
PROMPT
PROTECT
PROXY
RECIPIENT
REGISTRY
RELAY
RESPONSE
ROBOT
SCAN
SCRIPT HOST
SEARCH R
SECURE
SECURITY
SEKUR
SENIOR
SERVER
SERVICE
SHUT DOWN
SIEMENS
SMTP
SOFT
SOME
SOPHOS
SOURCE
SPAM
SPERSKY
SUN.
SUPPORT
SYBARI
SYMANTEC
SYSTEM CONFIGURATION
TEST
TREND
TRUST
UPDATE
UTILITY
VAKSIN
VIRUS
W3.
WINDOWS SECURITY.VBS
WWW
XEROX
XXX
YOUR
ZDNET
ZEND
ZOMBIE

It may also launch a ping flood attack on the following sites:
israel.gov.il
playboy.com

The worm gathers email addresses from files with the following extensions on all local drives from C to Y:
.asp
.cfm
.csv
.doc
.eml
.html
.php
.txt
.wab

The worm will not send itself to email addresses that contain any of the following strings in the domain name:
PLASA
TELKOM
INDO
.CO.ID
.GO.ID
.MIL.ID
.SCH.ID
.NET.ID
.OR.ID
.AC.ID
.WEB.ID
.WAR.NET.ID
ASTAGA
GAUL
BOLEH
EMAILKU
SATU

The worm may append the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:
smtp.
mail.
ns1.

The worm then uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From: [SPOOFED]

Subject: [BLANK]

Message:
BRONTOK.A [ By: HVM31 -- JowoBot #VM Community ]
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah[ By: HVM31 ]-- JowoBot #VM Community --

Attachment:
Kangen.exe

Discovered: September 23, 2005
Updated: December 13, 2013 7:25:44 AM
Systems Affected: Windows

You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan . If that does not resolve the problem you can try one of the options available below.



FOR NORTON USERS
If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool


If you have an infected Windows system file, you may need to replace them using from the Windows installation CD .


How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.


FOR BUSINESS USERS
If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.


Removal Tool

If you have an infected Windows system file, you may need to replace them using from the Windows installation CD .


How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network



MANUAL REMOVAL
The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product


2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See in the Technical Details of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.