System Infected: W32 Rontokbro Activity 7

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W32.Rontokbro communicating and requesting information from a controlling server.

Additional Information

When W32.Rontokbro@mm is executed, it performs the following actions:

1. Copies itself as the following files:

* C:\Windows\PIF\CVT.exe
* %UserProfile%\APPDATA\IDTemplate.exe
* %UserProfile%\APPDATA\services.exe
* %UserProfile%\APPDATA\lsass.exe
* %UserProfile%\APPDATA\inetinfo.exe
* %UserProfile%\APPDATA\csrss.exe
* %UserProfile%\APPDATA\winlogon.exe
* %UserProfile%\Programs\Startup\Empty.pif
* %UserProfile%\Templates\A.kotnorB.com
* %System%\3D Animation.scr

Note:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

2. Creates the folder:

%UserProfile%\Local Settings\Application Data\Bron.tok-24

3. Overwrites C:\Autoexec.bat with the following text:

"pause"

4. Adds the value:

"Tok-Cirrhatus" = "%UserProfile%\APPDATA\IDTemplate.exe"

to the registry subkey:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

5. Adds the value:

"Bron-Spizaetus" = "C:\WINDOWS\PIF\CVT.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

6. Modifies the values:

"DisableRegistryTools" = "1"
"DisableCMD" = "2"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

7. Modifies the value:

"NoFolderOptions" = "1"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

8. Adds a task to the Windows scheduler to execute the following file at 5:08 PM every day:

%UserProfile%\Templates\A.kotnorB.com

13. May prepend the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:

* smtp.
* mail.
* ns1.

14. Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From: [SPOOFED]

Subject: [BLANK]

Message:
BRONTOK.A [ By: H[REMOVED]Community ]
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah[ By: H[REMOVED]unity --

Attachment:

Kangen.exe

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
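As an added triage example (this is not Symantec's tooling and not part of the original signature page), the PowerShell function below checks a host for the persistence artefacts listed in the Additional Information section: the two Run values, the three policy values, the dropped files, the Bron.tok-24 folder, the overwritten Autoexec.bat and the scheduled task. It assumes a host with PowerShell (not available on the Windows 9x/NT-era systems the page lists; on those, inspect the same locations by hand) and uses the page's literal profile layout (%UserProfile%\APPDATA, Programs\Startup, Templates); adjust the relative paths for a modern profile if needed. With -Remove it deletes only the registry values (response step 4) and leaves files to the full scan.

```powershell
# Added triage example, not Symantec's own tooling. Reports the W32.Rontokbro
# persistence indicators listed on this page. Run as the user whose profile is
# suspected, since the HKCU values are per-user. Read-only unless -Remove is given.
function Find-RontokbroIndicators {
    param([switch]$Remove)

    $findings = New-Object System.Collections.Generic.List[string]

    # Registry values from steps 4-7. 'Bad' is the data the worm writes: a Run
    # entry is reported whatever its data, a policy value only when it matches.
    $registryChecks = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';               Name = 'Tok-Cirrhatus';        Bad = $null },
        @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';               Name = 'Bron-Spizaetus';       Bad = $null },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = 1 },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableCMD';           Bad = 2 },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Bad = 1 }
    )
    foreach ($c in $registryChecks) {
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $data = $item.($c.Name)
        if ($null -ne $c.Bad -and $data -ne $c.Bad) { continue }
        $findings.Add(("registry: {0}\{1} = {2}" -f $c.Key, $c.Name, $data))
        if ($Remove) { Remove-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction Stop }
    }

    # Dropped files from step 1 with %UserProfile% and %System% expanded. Assumption:
    # the page's literal profile layout; the tell is system-sounding names
    # (services.exe, lsass.exe, csrss.exe, winlogon.exe) living under the user profile.
    $userProfile = $env:USERPROFILE
    $systemDir   = [Environment]::GetFolderPath('System')
    $droppedFiles = @('C:\Windows\PIF\CVT.exe') +
        @('APPDATA\IDTemplate.exe', 'APPDATA\services.exe', 'APPDATA\lsass.exe',
          'APPDATA\inetinfo.exe', 'APPDATA\csrss.exe', 'APPDATA\winlogon.exe',
          'Programs\Startup\Empty.pif', 'Templates\A.kotnorB.com' |
          ForEach-Object { Join-Path $userProfile $_ }) +
        @(Join-Path $systemDir '3D Animation.scr')
    foreach ($p in $droppedFiles) {
        if (Test-Path -LiteralPath $p -PathType Leaf) { $findings.Add("file: $p") }
    }

    # Step 2: the working folder the worm creates.
    $folder = Join-Path $userProfile 'Local Settings\Application Data\Bron.tok-24'
    if (Test-Path -LiteralPath $folder -PathType Container) { $findings.Add("folder: $folder") }

    # Step 3: Autoexec.bat reduced to a single "pause" line.
    if (Test-Path -LiteralPath 'C:\Autoexec.bat') {
        $text = ((Get-Content -LiteralPath 'C:\Autoexec.bat' -ErrorAction SilentlyContinue) -join "`n").Trim()
        if ($text -eq 'pause' -or $text -eq '"pause"') {
            $findings.Add('file: C:\Autoexec.bat overwritten with "pause"')
        }
    }

    # Step 8: the daily scheduled task that launches A.kotnorB.com.
    $tasks = & schtasks.exe /query /fo LIST /v 2>$null
    if ($tasks | Select-String -SimpleMatch 'A.kotnorB.com') {
        $findings.Add('task: scheduled task references A.kotnorB.com')
    }

    return $findings
}

# Usage: list indicators only, then remove the registry values after reviewing the list.
Find-RontokbroIndicators | ForEach-Object { Write-Output $_ }
# Find-RontokbroIndicators -Remove
```

The function reports before it removes, and a policy value is only flagged when it holds the exact data the worm writes, so a legitimately configured DisableCMD or NoFolderOptions set by Group Policy is not deleted by mistake; run the full scan from the steps above to remove the dropped files themselves.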