W32.Rontokbro.AN@mm


Discovered: April 22, 2006
Updated: April 23, 2006 1:49:48 PM
Also Known As: W32/Brontok-AJ [Sophos], W32/Brontok-AZ [Sophos], Email-Worm:W32/Brontok.N [F-Secure]
Systems Affected: Windows

W32.Rontokbro.AN@mm is a mass-mailing worm that lowers security settings, terminates security-related processes and windows, and blocks access to antivirus vendor Web sites by rewriting the hosts file.

Antivirus Protection Dates

  • Initial Rapid Release version April 22, 2006
  • Latest Rapid Release version August 08, 2016 revision 023
  • Initial Daily Certified version April 22, 2006
  • Latest Daily Certified version August 09, 2016 revision 001
  • Initial Weekly Certified release date April 23, 2006


When the threat is installed, it copies itself as the following files:
%Windir%\j[RANDOM].exe
%Windir%\o[RANDOM].exe
%Windir%\_default[RANDOM].pif
%System%\c_[RANDOM]k.com
%UserProfile%\Local Settings\Application Data\jalak-93[RANDOM]15-bali.com

The worm then renames the Visual Basic 6 runtime library %System%\msvbvm60.dll to %System%\msvbvm60.dll.[RANDOM].

The worm then creates the following file (the name is Indonesian for "Read this, Bro!!!") as a marker of infection:
C:\Baca Bro !!!.txt

The worm creates the following folders:
%System%\s87[RANDOM]
%Windir%\ad[RANDOM]
%UserProfile%\Local Settings\Application Data\dv6[RANDOM]0x

The worm then copies itself into the above folders as one or more of the following files:
c.bron.tok.txt
getdomlist.txt
csrss.exe
lsass.exe
services.exe
smss.exe
winlogon.exe
m[RANDOM].exe
zh59[RANDOM].exe
yesbron.com
qm[RANDOM].exe

Then the worm creates the following folders:
%System%\s87[RANDOM]\Spread.Sent.Bro
%System%\s87[RANDOM]\Spread.Mail.Bro

The worm sets the hidden attribute on all the files and folders that it creates.

The worm creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"[RANDOM]" = ""%UserProfile%\Local Settings\Application Data\dv6[RANDOM]0x\yesbron.com""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM]" = ""%System%\s87[RANDOM]\zh59[RANDOM].exe""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"[RANDOM]" = ""%Windir%\_default[RANDOM].pif""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM]" = ""%Windir%\j[RANDOM].exe""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\"AlternateShell" = "c_[RANDOM]k.com"

The worm then modifies the following registry entries so that it runs every time a user logs on (it appends its own file to the legitimate Userinit and Shell values rather than replacing them):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe,%Windir%\j[RANDOM].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe "%Windir%\o[RANDOM].exe""
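The Winlogon and SafeBoot modifications above are easy to miss because the legitimate program is still present at the front of each value. The following Python is an added example, not part of this writeup, that splits each value into the programs Winlogon would start and reports anything beyond the single expected one. The registry values are constructed strings with made-up random suffixes; on a live host you would read them from the keys listed above instead.

```python
import re

# Constructed values (not taken from a real host): a clean Windows XP default
# set and a set shaped like the modifications described above, with made-up
# suffixes standing in for the worm's [RANDOM] characters.
CLEAN = {
    "shell": "Explorer.exe",
    "userinit": r"C:\WINDOWS\system32\userinit.exe,",
    "alternate_shell": "cmd.exe",
}
INFECTED = {
    "shell": r'Explorer.exe "C:\WINDOWS\o4c1a9.exe"',
    "userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\j4c1a9.exe",
    "alternate_shell": "c_4c1a9k.com",
}


def _basename(path):
    """Last path component, lower-cased, so 'C:\\WINDOWS\\system32\\userinit.exe'
    and 'userinit.exe' compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_programs(value):
    """Split a Winlogon-style value into the programs it names.
    Userinit is comma-separated, Shell is space-separated, and a quoted path
    may contain spaces; all three forms are handled by one tokenizer."""
    tokens = re.findall(r'"[^"]*"|[^,\s]+', value)
    return [t.strip('"') for t in tokens if t.strip('"')]


def check_winlogon(shell, userinit, alternate_shell):
    """Compare the three autostart values against their single expected program.
    Returns a list of (value name, reason, program); an empty list means clean.
    'appended' is the pattern this worm uses for Shell and Userinit,
    'replaced' is what it does to SafeBoot\\AlternateShell."""
    expected = (
        ("Winlogon\\Shell", shell, "explorer.exe"),
        ("Winlogon\\Userinit", userinit, "userinit.exe"),
        ("SafeBoot\\AlternateShell", alternate_shell, "cmd.exe"),
    )
    findings = []
    for name, value, want in expected:
        programs = split_programs(value)
        if not programs or _basename(programs[0]) != want:
            findings.append((name, "replaced", programs[0] if programs else ""))
        for extra in programs[1:]:
            findings.append((name, "appended", extra))
    return findings


if __name__ == "__main__":
    for finding in check_winlogon(**INFECTED):
        print("%s: %s %s" % finding)
```

The check deliberately compares only the basename of the first program, so a Userinit value that spells out the full %System% path (the normal form) and one that names just userinit.exe are both accepted; everything after the first program is reported, whichever separator or quoting the worm used.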

The worm creates the following registry subkey:
HKEY_CURRENT_USER\Software\Brontok

The worm also modifies the following registry entries to hide its presence on the compromised computer:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"

The worm modifies the following registry entry to disable the Registry Editor:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"

The worm may add two scheduled tasks:
%Windir%\Tasks\At1.job
%Windir%\Tasks\At2.job

that execute the following file at 11:03 and 17:08 every day:
%UserProfile%\Local Settings\Application Data\jalak-93[RANDOM]15-bali.com

The worm may replace the existing hosts file with one that contains the following text, so that any attempts to connect to these Web sites fail. Note that the entries point at 127.0.0.22, which is in the loopback range but is not 127.0.0.1, so a check that only searches the hosts file for the literal string 127.0.0.1 will not find them:
127.0.0.22 mcafee.com
127.0.0.22 www.mcafee.com
127.0.0.22 mcafee.net
127.0.0.22 www.mcafee.net
127.0.0.22 mcafee.org
127.0.0.22 www.mcafee.org
127.0.0.22 mcafeesecurity.com
127.0.0.22 www.mcafeesecurity.com
127.0.0.22 mcafeesecurity.net
127.0.0.22 www.mcafeesecurity.net
127.0.0.22 mcafeesecurity.org
127.0.0.22 www.mcafeesecurity.org
127.0.0.22 mcafeeb2b.com
127.0.0.22 www.mcafeeb2b.com
127.0.0.22 mcafeeb2b.net
127.0.0.22 www.mcafeeb2b.net
127.0.0.22 mcafeeb2b.org
127.0.0.22 www.mcafeeb2b.org
127.0.0.22 nai.com
127.0.0.22 www.nai.com
127.0.0.22 nai.net
127.0.0.22 www.nai.net
127.0.0.22 nai.org
127.0.0.22 www.nai.org
127.0.0.22 vil.nai.com
127.0.0.22 www.vil.nai.com
127.0.0.22 vil.nai.net
127.0.0.22 www.vil.nai.net
127.0.0.22 vil.nai.org
127.0.0.22 www.vil.nai.org
127.0.0.22 grisoft.com
127.0.0.22 www.grisoft.com
127.0.0.22 grisoft.net
127.0.0.22 www.grisoft.net
127.0.0.22 grisoft.org
127.0.0.22 www.grisoft.org
127.0.0.22 kaspersky-labs.com
127.0.0.22 www.kaspersky-labs.com
127.0.0.22 kaspersky-labs.net
127.0.0.22 www.kaspersky-labs.net
127.0.0.22 kaspersky-labs.org
127.0.0.22 www.kaspersky-labs.org
127.0.0.22 kaspersky.com
127.0.0.22 www.kaspersky.com
127.0.0.22 kaspersky.net
127.0.0.22 www.kaspersky.net
127.0.0.22 kaspersky.org
127.0.0.22 www.kaspersky.org
127.0.0.22 downloads1.kaspersky-labs.com
127.0.0.22 www.downloads1.kaspersky-labs.com
127.0.0.22 downloads1.kaspersky-labs.net
127.0.0.22 www.downloads1.kaspersky-labs.net
127.0.0.22 downloads1.kaspersky-labs.org
127.0.0.22 www.downloads1.kaspersky-labs.org
127.0.0.22 downloads2.kaspersky-labs.com
127.0.0.22 www.downloads2.kaspersky-labs.com
127.0.0.22 downloads2.kaspersky-labs.net
127.0.0.22 www.downloads2.kaspersky-labs.net
127.0.0.22 downloads2.kaspersky-labs.org
127.0.0.22 www.downloads2.kaspersky-labs.org
127.0.0.22 downloads3.kaspersky-labs.com
127.0.0.22 www.downloads3.kaspersky-labs.com
127.0.0.22 downloads3.kaspersky-labs.net
127.0.0.22 www.downloads3.kaspersky-labs.net
127.0.0.22 downloads3.kaspersky-labs.org
127.0.0.22 www.downloads3.kaspersky-labs.org
127.0.0.22 downloads4.kaspersky-labs.com
127.0.0.22 www.downloads4.kaspersky-labs.com
127.0.0.22 downloads4.kaspersky-labs.net
127.0.0.22 www.downloads4.kaspersky-labs.net
127.0.0.22 downloads4.kaspersky-labs.org
127.0.0.22 www.downloads4.kaspersky-labs.org
127.0.0.22 download.mcafee.com
127.0.0.22 www.download.mcafee.com
127.0.0.22 download.mcafee.net
127.0.0.22 www.download.mcafee.net
127.0.0.22 download.mcafee.org
127.0.0.22 www.download.mcafee.org
127.0.0.22 norton.com
127.0.0.22 www.norton.com
127.0.0.22 norton.net
127.0.0.22 www.norton.net
127.0.0.22 norton.org
127.0.0.22 www.norton.org
127.0.0.22 symantec.com
127.0.0.22 www.symantec.com
127.0.0.22 symantec.net
127.0.0.22 www.symantec.net
127.0.0.22 symantec.org
127.0.0.22 www.symantec.org
127.0.0.22 liveupdate.symantecliveupdate.com
127.0.0.22 www.liveupdate.symantecliveupdate.com
127.0.0.22 liveupdate.symantecliveupdate.net
127.0.0.22 www.liveupdate.symantecliveupdate.net
127.0.0.22 liveupdate.symantecliveupdate.org
127.0.0.22 www.liveupdate.symantecliveupdate.org
127.0.0.22 liveupdate.symantec.com
127.0.0.22 www.liveupdate.symantec.com
127.0.0.22 liveupdate.symantec.net
127.0.0.22 www.liveupdate.symantec.net
127.0.0.22 liveupdate.symantec.org
127.0.0.22 www.liveupdate.symantec.org
127.0.0.22 update.symantec.com
127.0.0.22 www.update.symantec.com
127.0.0.22 update.symantec.net
127.0.0.22 www.update.symantec.net
127.0.0.22 update.symantec.org
127.0.0.22 www.update.symantec.org
127.0.0.22 securityresponse.symantec.com
127.0.0.22 www.securityresponse.symantec.com
127.0.0.22 securityresponse.symantec.net
127.0.0.22 www.securityresponse.symantec.net
127.0.0.22 securityresponse.symantec.org
127.0.0.22 www.securityresponse.symantec.org
127.0.0.22 sarc.com
127.0.0.22 www.sarc.com
127.0.0.22 sarc.net
127.0.0.22 www.sarc.net
127.0.0.22 sarc.org
127.0.0.22 www.sarc.org
127.0.0.22 vaksin.com
127.0.0.22 www.vaksin.com
127.0.0.22 vaksin.net
127.0.0.22 www.vaksin.net
127.0.0.22 vaksin.org
127.0.0.22 www.vaksin.org
127.0.0.22 forum.vaksin.com
127.0.0.22 www.forum.vaksin.com
127.0.0.22 forum.vaksin.net
127.0.0.22 www.forum.vaksin.net
127.0.0.22 forum.vaksin.org
127.0.0.22 www.forum.vaksin.org
127.0.0.22 norman.com
127.0.0.22 www.norman.com
127.0.0.22 norman.net
127.0.0.22 www.norman.net
127.0.0.22 norman.org
127.0.0.22 www.norman.org
127.0.0.22 trendmicro.com
127.0.0.22 www.trendmicro.com
127.0.0.22 trendmicro.net
127.0.0.22 www.trendmicro.net
127.0.0.22 trendmicro.org
127.0.0.22 www.trendmicro.org
127.0.0.22 trendmicro-europe.com
127.0.0.22 www.trendmicro-europe.com
127.0.0.22 trendmicro-europe.net
127.0.0.22 www.trendmicro-europe.net
127.0.0.22 trendmicro-europe.org
127.0.0.22 www.trendmicro-europe.org
127.0.0.22 ae.trendmicro-europe.com
127.0.0.22 www.ae.trendmicro-europe.com
127.0.0.22 ae.trendmicro-europe.net
127.0.0.22 www.ae.trendmicro-europe.net
127.0.0.22 ae.trendmicro-europe.org
127.0.0.22 www.ae.trendmicro-europe.org
127.0.0.22 it.trendmicro-europe.com
127.0.0.22 www.it.trendmicro-europe.com
127.0.0.22 it.trendmicro-europe.net
127.0.0.22 www.it.trendmicro-europe.net
127.0.0.22 it.trendmicro-europe.org
127.0.0.22 www.it.trendmicro-europe.org
127.0.0.22 secunia.com
127.0.0.22 www.secunia.com
127.0.0.22 secunia.net
127.0.0.22 www.secunia.net
127.0.0.22 secunia.org
127.0.0.22 www.secunia.org
127.0.0.22 winantivirus.com
127.0.0.22 www.winantivirus.com
127.0.0.22 winantivirus.net
127.0.0.22 www.winantivirus.net
127.0.0.22 winantivirus.org
127.0.0.22 www.winantivirus.org
127.0.0.22 pandasoftware.com
127.0.0.22 www.pandasoftware.com
127.0.0.22 pandasoftware.net
127.0.0.22 www.pandasoftware.net
127.0.0.22 pandasoftware.org
127.0.0.22 www.pandasoftware.org
127.0.0.22 esafe.com
127.0.0.22 www.esafe.com
127.0.0.22 esafe.net
127.0.0.22 www.esafe.net
127.0.0.22 esafe.org
127.0.0.22 www.esafe.org
127.0.0.22 f-secure.com
127.0.0.22 www.f-secure.com
127.0.0.22 f-secure.net
127.0.0.22 www.f-secure.net
127.0.0.22 f-secure.org
127.0.0.22 www.f-secure.org
127.0.0.22 europe.f-secure.com
127.0.0.22 www.europe.f-secure.com
127.0.0.22 europe.f-secure.net
127.0.0.22 www.europe.f-secure.net
127.0.0.22 europe.f-secure.org
127.0.0.22 www.europe.f-secure.org
127.0.0.22 bhs.com
127.0.0.22 www.bhs.com
127.0.0.22 bhs.net
127.0.0.22 www.bhs.net
127.0.0.22 bhs.org
127.0.0.22 www.bhs.org
127.0.0.22 datafellows.com
127.0.0.22 www.datafellows.com
127.0.0.22 datafellows.net
127.0.0.22 www.datafellows.net
127.0.0.22 datafellows.org
127.0.0.22 www.datafellows.org
127.0.0.22 cheyenne.com
127.0.0.22 www.cheyenne.com
127.0.0.22 cheyenne.net
127.0.0.22 www.cheyenne.net
127.0.0.22 cheyenne.org
127.0.0.22 www.cheyenne.org
127.0.0.22 ontrack.com
127.0.0.22 www.ontrack.com
127.0.0.22 ontrack.net
127.0.0.22 www.ontrack.net
127.0.0.22 ontrack.org
127.0.0.22 www.ontrack.org
127.0.0.22 sands.com
127.0.0.22 www.sands.com
127.0.0.22 sands.net
127.0.0.22 www.sands.net
127.0.0.22 sands.org
127.0.0.22 www.sands.org
127.0.0.22 sophos.com
127.0.0.22 www.sophos.com
127.0.0.22 sophos.net
127.0.0.22 www.sophos.net
127.0.0.22 sophos.org
127.0.0.22 www.sophos.org
127.0.0.22 icubed.com
127.0.0.22 www.icubed.com
127.0.0.22 icubed.net
127.0.0.22 www.icubed.net
127.0.0.22 icubed.org
127.0.0.22 www.icubed.org
127.0.0.22 perantivirus.com
127.0.0.22 www.perantivirus.com
127.0.0.22 perantivirus.net
127.0.0.22 www.perantivirus.net
127.0.0.22 perantivirus.org
127.0.0.22 www.perantivirus.org
127.0.0.22 castlecops.com
127.0.0.22 www.castlecops.com
127.0.0.22 castlecops.net
127.0.0.22 www.castlecops.net
127.0.0.22 castlecops.org
127.0.0.22 www.castlecops.org
127.0.0.22 virustotal.com
127.0.0.22 www.virustotal.com
127.0.0.22 virustotal.net
127.0.0.22 www.virustotal.net
127.0.0.22 virustotal.org
127.0.0.22 www.virustotal.org
127.0.0.22 free-av.com
127.0.0.22 www.free-av.com
127.0.0.22 free-av.net
127.0.0.22 www.free-av.net
127.0.0.22 free-av.org
127.0.0.22 www.free-av.org
127.0.0.22 antivirus.com
127.0.0.22 www.antivirus.com
127.0.0.22 antivirus.net
127.0.0.22 www.antivirus.net
127.0.0.22 antivirus.org
127.0.0.22 www.antivirus.org
127.0.0.22 anti-virus.com
127.0.0.22 www.anti-virus.com
127.0.0.22 anti-virus.net
127.0.0.22 www.anti-virus.net
127.0.0.22 anti-virus.org
127.0.0.22 www.anti-virus.org
127.0.0.22 ca.com
127.0.0.22 www.ca.com
127.0.0.22 ca.net
127.0.0.22 www.ca.net
127.0.0.22 ca.org
127.0.0.22 www.ca.org
127.0.0.22 fajarweb.com
127.0.0.22 www.fajarweb.com
127.0.0.22 fajarweb.net
127.0.0.22 www.fajarweb.net
127.0.0.22 fajarweb.org
127.0.0.22 www.fajarweb.org
127.0.0.22 jasakom.com
127.0.0.22 www.jasakom.com
127.0.0.22 jasakom.net
127.0.0.22 www.jasakom.net
127.0.0.22 jasakom.org
127.0.0.22 www.jasakom.org
127.0.0.22 backup.grisoft.com
127.0.0.22 www.backup.grisoft.com
127.0.0.22 backup.grisoft.net
127.0.0.22 www.backup.grisoft.net
127.0.0.22 backup.grisoft.org
127.0.0.22 www.backup.grisoft.org
127.0.0.22 infokomputer.com
127.0.0.22 www.infokomputer.com
127.0.0.22 infokomputer.net
127.0.0.22 www.infokomputer.net
127.0.0.22 infokomputer.org
127.0.0.22 www.infokomputer.org
127.0.0.22 playboy.com
127.0.0.22 www.playboy.com
127.0.0.22 playboy.net
127.0.0.22 www.playboy.net
127.0.0.22 playboy.org
127.0.0.22 www.playboy.org
127.0.0.22 sex-mission.com
127.0.0.22 www.sex-mission.com
127.0.0.22 sex-mission.net
127.0.0.22 www.sex-mission.net
127.0.0.22 sex-mission.org
127.0.0.22 www.sex-mission.org
127.0.0.22 pornstargals.com
127.0.0.22 www.pornstargals.com
127.0.0.22 pornstargals.net
127.0.0.22 www.pornstargals.net
127.0.0.22 pornstargals.org
127.0.0.22 www.pornstargals.org
127.0.0.22 kaskus.com
127.0.0.22 www.kaskus.com
127.0.0.22 kaskus.net
127.0.0.22 www.kaskus.net
127.0.0.22 kaskus.org
127.0.0.22 www.kaskus.org
127.0.0.22 17tahun.com
127.0.0.22 www.17tahun.com
127.0.0.22 17tahun.net
127.0.0.22 www.17tahun.net
127.0.0.22 17tahun.org
127.0.0.22 www.17tahun.org
127.0.0.22 padinet.com
127.0.0.22 www.padinet.com
127.0.0.22 padinet.net
127.0.0.22 www.padinet.net
127.0.0.22 padinet.org
127.0.0.22 www.padinet.org
127.0.0.22 jeruk.padinet.com
127.0.0.22 www.jeruk.padinet.com
127.0.0.22 jeruk.padinet.net
127.0.0.22 www.jeruk.padinet.net
127.0.0.22 jeruk.padinet.org
127.0.0.22 www.jeruk.padinet.org
127.0.0.22 compactbyte.com
127.0.0.22 www.compactbyte.com
127.0.0.22 compactbyte.net
127.0.0.22 www.compactbyte.net
127.0.0.22 compactbyte.org
127.0.0.22 www.compactbyte.org
127.0.0.22 blog.compactbyte.com
127.0.0.22 www.blog.compactbyte.com
127.0.0.22 blog.compactbyte.net
127.0.0.22 www.blog.compactbyte.net
127.0.0.22 blog.compactbyte.org
127.0.0.22 www.blog.compactbyte.org
127.0.0.22 blogs.compactbyte.com
127.0.0.22 www.blogs.compactbyte.com
127.0.0.22 blogs.compactbyte.net
127.0.0.22 www.blogs.compactbyte.net
127.0.0.22 blogs.compactbyte.org
127.0.0.22 www.blogs.compactbyte.org
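The following Python is an added example, not part of this writeup, that checks a hosts file for this kind of tampering. Rather than matching the domain list above, it flags any name mapped to any loopback address other than the machine's own loopback names, which catches the worm's 127.0.0.22 entries and any other variant that picks a different 127.x.x.x address. The sample hosts content is constructed for the example and is not a capture from an infected host.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not a capture from a real host):
# the stock localhost lines plus entries shaped like the ones listed above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.22 mcafee.com
127.0.0.22 www.symantec.com
127.0.0.22 liveupdate.symantecliveupdate.com   # trailing comment
192.168.1.10 fileserver.corp.example
::1             localhost
"""

# Names that legitimately resolve to a loopback address.
OWN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line number, address, hostname) for every mapping in a hosts file.
    Comments and blank lines are skipped; one line may map several names, and
    a malformed line is ignored rather than treated as evidence."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield lineno, addr, name.lower().rstrip(".")


def find_sinkholed_names(text):
    """Return [(line, address, name)] for names pointed at any loopback address.
    Testing addr.is_loopback (all of 127.0.0.0/8 and ::1) instead of the
    literal 127.0.0.1 is what makes the worm's 127.0.0.22 entries visible."""
    return [
        (lineno, str(addr), name)
        for lineno, addr, name in parse_hosts(text)
        if addr.is_loopback and name not in OWN_LOOPBACK_NAMES
    ]


if __name__ == "__main__":
    # On a Windows host the live file is %SystemRoot%\System32\drivers\etc\hosts.
    for lineno, addr, name in find_sinkholed_names(SAMPLE_HOSTS):
        print("line %d: %s -> %s" % (lineno, name, addr))
```

Any hit is worth investigating, not only hits against the vendor names above: a legitimate hosts file has no reason to send an external name to loopback.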


The worm attempts to end processes that have the following names:
ahnlab
aladdin
Alicia
Anti
ash
ashmaisv
aswupdsv
avast
avg
bitdef
ccapps
cclaw
cillin
ctfmon
Dian
diary
foto
hijack
iexplorer
kangen
kill
lexplorer
machine
Mariana
mcaf
mcv
movzx
mspatch
nipsvc
njeeves
nod32
nopdb
nvcoas
opscan
panda
peid
poproxy
remove
riyani
services.com
siti
sstray
sysinter
syslove
systray
trend
tskmgr
untukmu
update
virus
vptray
washer
wscript
xpshare
zlh

The worm attempts to end applications that have the following window titles:
task manager
baca bro !!!
registry
command prompt
system configuration
group policy
cmd.exe
computer management
scheduled task
killbox
hijack
SYSINTERNAL
PROCESS EXP
REMOVER
CLEANER
anti
washer
ertanto
BROWNIES
movzx
killer
pcmedia
pc-media
rontok
rontox
robknot
commander
windows script
norman
norton
symantec
cillin
trendmicro
bitdef
kaspersky
avg
avira
virus
trojan
worm
mcafee
b.e
folder option
wintask
alwil
sex
porn
naked
cewe
bugil
telanjang
nod32
task view
peid
ahnlab

The worm deletes the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysRia
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\brl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ccapp
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ccapp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysDiaz
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MsPatch
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Adie Strio X
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Adie Strio X
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Adie Suka Kamu
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SysYuni
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\local service
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dkernel
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DllHost
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LoadServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Sys_Romantic-Devil.R
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lExplorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SysRia
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\iExplorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dkernel.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CCAPPS
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\local service
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\iExplorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LoadService
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SymRun
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LoadServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OSA
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SymRun
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Pluto
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dkernel.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-3444
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus-3813PXEM
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DllHost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-3444Admc
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Security
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Sys_Romantic-Devil.R
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LoadService
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Tok-Cirrhatus-3444Admc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MsPatch
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Bron-Spizaetus-3813PXEM
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysYuni
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CCAPPS
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Security
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Pluto
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dkernel
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SysDiaz
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Adie Suka Kamu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OSA
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\lExplorer

The worm gathers email addresses from files with the following extensions on all local drives from C to Y:
.BAT
.PIF
.COM
.SCR
.EXE
.PPT
.XLS
.DOC
.CFM
.PHP
.ASP
.WAB
.EML
.CSV
.HTML
.HTM
.TXT

The worm does not send itself to email addresses that contain any of the following strings (the first two match the local part of the address, the rest match anywhere in the address, including the domain name):
BILLING@
INFO@
CONTOH
EXAMPLE
SMTP
XXX
TEST
NETWORK
SOURCE
PROGRAM
WWW
ASDF
SOME
YOUR
BLAH
SPAM
SOFT
PANDA
NORMAN
NORTON
ASSOCIATE
SYMANTEC
SECURITY
CILLIN
GRISOFT
AVG
LINUX
CRACK
HACK
VIRUS
MICROSOFT
MASTER
SUPPORT
SECURE
UPDATE
DEVELOP
VAKSIN
SATU
EMAILKU
BOLEH
GAUL
ASTAGA
.WEB.ID
.AC.ID
.OR.ID
.NET.ID
.SCH.ID
.MIL.ID
.GO.ID
.CO.ID
INDO
TELKOM
PLASA

The worm may prepend the following labels to the domain part of harvested addresses in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:
ns1.
mail.
smtp.

The worm then uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From:
Spoofed

Subject:
One of the following:
My Best Photo
Fotoku yg Paling Cantik (Indonesian: "My prettiest photo")

Message:
One of the following:
Hi,
I want to share my photo with you.
Wishing you all the best.
Regards,

Hi,
Aku lg iseng aja pengen kirim foto ke kamu.
Jangan lupain aku ya !.
Thanks,
(Indonesian: "Hi, I just felt like sending you a photo. Don't forget me! Thanks,")

Attachment:
Photo.zip