W32/Rontokbro.gen@MM
- Type: Virus
- SubType: Email Generic
- Discovery Date: 10/03/2005
- Length:
- Minimum DAT: 4595 (10/03/2005)
- Updated DAT: 5293 (05/12/2008)
- Minimum Engine: 5.1.00
- Description Added: 10/03/2005
- Description Modified: 01/08/2007 1:11 AM (PT)
Characteristics
W32/Rontokbro.gen is a mass mailing worm which attempts to send a copy of itself to email addresses harvested from the computer.
The characteristics of this worm, with regard to file names, folders created, port numbers used, etc., will differ from one variant to another. Hence, this is a general description.
When executed, the following actions are performed by this worm:
1. It modifies various Windows Explorer settings. This includes the removal of the “Folder Options” item from all Windows Explorer menus:
- HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
Data: NoFolderOptions = 1
2. It overwrites the file “C:\autoexec.bat” to include the line "pause".
- This causes Win9x and WinME systems to pause at each Windows start-up
3. It drops a copy of itself along with other files into the following folders:
- %System%\Administrator's Setting.scr
- %UserProfile%\Appdata\BronFoldNetDomList.txt
- %UserProfile%\Appdata\csrss.exe
- %UserProfile%\Appdata\inetinfo.exe
- %UserProfile%\Appdata\Kosong.Bron.Tok.txt
- %UserProfile%\Appdata\ListHost8.txt
- %UserProfile%\Appdata\lsass.exe
- %UserProfile%\Appdata\NetMailTmp.bin
- %UserProfile%\Appdata\services.exe
- %UserProfile%\Appdata\smss.exe
- %UserProfile%\Appdata\Update.8.Bron.Tok.bin
- %UserProfile%\Appdata\Update.AN.8.A.Bron.Tok
- %UserProfile%\Appdata\winlogon.exe
- %UserProfile%\Start Menu\Programs\Startup\Empty.pif
- %UserProfile%\Templates\WowTumpeh.com
Note:
%UserProfile% is a variable location and refers to the user's profile folder.
%System% is a variable location and refers to the Windows system directory.
4. It modifies the following registry entries to run at system startup:
- HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run "Tok-Cirrhatus-3444"
Data: "C:\Documents and Settings\Administrator\Local Settings\Application Data\br7911on.exe"
- HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run "Bron-Spizaetus"
Data: "C:\Windows\ShellNew\RakyatKelaparan.exe"
5. It modifies the HOSTS file to redirect security-related websites to the address 127.4.7.4.
The following is a brief list of redirected websites:
- mcafee.com
- nai.com
- kaspersky.com
- grisoft.com
- norton.com
- symantec.com
- norman.com
- trendmicro.com
- sophos.com
- perantivirus.com
- virusalert.nl
- antivirus.pagina.nl
- virustotal.com
Because 127.4.7.4 lies in the loopback range, traffic for these domains never leaves the machine, and the user is unable to browse the web pages belonging to them.
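As an added example, not part of the original description, the following Python check parses a HOSTS file and flags any of the vendor domains listed above (or their subdomains) that are mapped to a loopback address; the sample HOSTS content is constructed, not taken from an infected machine, and the check covers all of 127.0.0.0/8 so the worm's 127.4.7.4 is caught alongside the usual 127.0.0.1.

```python
import ipaddress

# Security-vendor domains the description lists as redirected by W32/Rontokbro.gen.
REDIRECTED_DOMAINS = (
    "mcafee.com", "nai.com", "kaspersky.com", "grisoft.com", "norton.com",
    "symantec.com", "norman.com", "trendmicro.com", "sophos.com",
    "perantivirus.com", "virusalert.nl", "antivirus.pagina.nl", "virustotal.com",
)

def is_watched(hostname):
    """True if hostname is one of the listed domains or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in REDIRECTED_DOMAINS)

def find_hijacked_hosts_entries(hosts_text):
    """Return (line_no, ip, hostname) for every HOSTS entry that maps a watched
    domain to a loopback address (anywhere in 127.0.0.0/8, not just 127.0.0.1)."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()                    # IP followed by one or more names
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line; skipped here
        if not addr.is_loopback:
            continue
        for name in fields[1:]:
            if is_watched(name):
                hits.append((line_no, str(addr), name))
    return hits

# Constructed sample HOSTS file (not captured from a real infection).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.4.7.4       www.mcafee.com mcafee.com
127.4.7.4\tkaspersky.com   # tab-separated entry
127.4.7.4       symantec.com
192.168.1.10    intranet.example.com   # legitimate local override, not flagged
127.0.0.1       ads.example.net        # unrelated loopback entry, not flagged
"""

if __name__ == "__main__":
    for line_no, ip, name in find_hijacked_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```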
6. When it detects a window whose title contains the string “exe” the worm reboots the machine.
7. It scans for open Network Shares and copies itself into the folders found. The file name becomes the name of the folder into which it was copied.
8. It adds a task to the “Windows Task Scheduler” to execute itself at 5:08 PM every day.
Miscellaneous Information:
- This worm is written in Visual Basic
- It uses the Windows “Folder Icon” as its icon. This is to trick users into opening it, effectively executing the worm
- Upon execution, it opens an “Explorer” window in an attempt to hide its process
- In order to make the dropped files harder to find, the files have their attributes changed to hidden/system files
- It disables Registry editing tools
Symptoms
- Inability to access the security related websites listed above due to the modifications made to the HOSTS file
- Desktop firewall program alert that a foreign program is trying to access the internet
- Presence of the files/Registry keys mentioned above
- Inability to run Regedit.exe
- Inability to change the Windows folder options
Method of Infection
This worm, using its built-in SMTP engine, sends itself as an attachment to email addresses harvested from the infected machine. The lure message is written in Indonesian; the original text is kept below, followed by an English translation.
Subject: Film Terbaru Dian Satro dan Tora Sudiro
Body: Salam Hangat, Bagi Anda yang mengidolakan artis Dian Sastro atau Tora Sudiro, maka Anda akan segera terpuaskan, karena sebuah film komedi romantis terbaru mereka (judul film masih dirahasiakan) telah siap beredar. Untuk menambah koleksi foto idola Anda, berikut adalah salah satu potongan gambar film ketika mereka beradegan romantis di sebuah danau, (terlampir pada file "Sample Picture.zip"). Menurut sutradaranya, film tersebut akan beredar dua bulan mendatang dan diperkirakan akan melebihi kesuksesan film-film terdahulu mereka. Terima kasih,
Translation: Subject: "Latest film of Dian Satro and Tora Sudiro". Body: "Warm regards, For those of you who idolize the actors Dian Sastro or Tora Sudiro, you will soon be satisfied, because their latest romantic comedy film (the title is still secret) is ready for release. To add to your collection of photos of your idol, here is one still from the film in which they play a romantic scene at a lake (attached in the file "Sample Picture.zip"). According to the director, the film will be released in two months and is expected to surpass the success of their previous films. Thank you,"
Attachment: Sample Picture.Zip
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.Rontokbro@mm (Symantec)
- W32.Rungbu.C (Symantec)
- W32/Brontok-N (Sophos)
- Win32/Brontokbro.A.A (Eset)
- Win32/Robknot!Variant!Worm (CA eTrust)
- Worm.Win32.Brontok.a (Kaspersky)