W32/Rontokbro.gen@MM

Type: Virus
SubType: Email Generic
Discovery Date: 10/03/2005
Length:
Minimum DAT: 4595 (10/03/2005)
Updated DAT: 5663 (07/01/2009)
Minimum Engine: 5.1.00
Description Added: 10/03/2005
Description Modified: 01/08/2007 1:11 AM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

W32/Rontokbro.gen is a mass-mailing worm which attempts to send a copy of itself to email addresses harvested from the infected computer.

The characteristics of this worm, with regard to file names, folders created, port numbers used, etc, will differ from one variant to another. Hence, this is a general description.

When executed, the following actions are performed by this worm:

1. It modifies various Windows Explorer settings. This includes the removal of the “Folder Options” item from all Windows Explorer menus:

  • Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion
    \Policies\Explorer\
    Data: NoFolderOptions = 1

2. It overwrites the file “C:\autoexec.bat” to include the line "pause".

  • This causes Win9x and WinME systems to pause at each Windows start-up.

3. It drops copies of itself, along with other files, at the following locations:

  • %System%\Administrator's Setting.scr
  • %UserProfile%\Appdata\BronFoldNetDomList.txt
  • %UserProfile%\Appdata\csrss.exe
  • %UserProfile%\Appdata\inetinfo.exe
  • %UserProfile%\Appdata\Kosong.Bron.Tok.txt
  • %UserProfile%\Appdata\ListHost8.txt
  • %UserProfile%\Appdata\lsass.exe
  • %UserProfile%\Appdata\NetMailTmp.bin
  • %UserProfile%\Appdata\services.exe
  • %UserProfile%\Appdata\smss.exe
  • %UserProfile%\Appdata\Update.8.Bron.Tok.bin
  • %UserProfile%\Appdata\Update.AN.8.A.Bron.Tok
  • %UserProfile%\Appdata\winlogon.exe
  • %UserProfile%\ Start Menu\Programs\Startup\Empty.pif
  • %UserProfile%\Templates\WowTumpeh.com

Note:

%UserProfile% is a variable location and refers to the user's profile folder.
%System% is a variable location and refers to the Windows system directory.

4. It modifies the following registry entries to run at system startup:

  • HKEY_Current_User\Software\Microsoft\Windows\
    CurrentVersion\Run "Tok-Cirrhatus-3444"
    Data: "C:\Documents and Settings\Administrator\Local Settings
    \Application Data\br7911on.exe"
  • HKEY_Local_Machine\Software\Microsoft\Windows\
    CurrentVersion\Run "Bron-Spizaetus"
    Data: "C:\Windows\ShellNew\RakyatKelaparan.exe"

5. It modifies the HOSTS file to redirect security-related websites to the address 127.4.7.4.

The following is a brief list of redirected websites:

  • mcafee.com
  • nai.com
  • kaspersky.com
  • grisoft.com
  • norton.com
  • symantec.com
  • norman.com
  • trendmicro.com
  • sophos.com
  • perantivirus.com
  • virusalert.nl
  • antivirus.pagina.nl
  • virustotal.com

Because 127.4.7.4 lies in the loopback range, traffic for these domains never leaves the machine, so the user cannot browse the web pages belonging to them (or download updates from them).
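As a defender-side check for the HOSTS tampering described in step 5 (an added example, not part of the McAfee description), the following Python script parses a constructed sample HOSTS file and flags entries that pin any of the vendor domains listed above to a loopback address. It tests the whole 127.0.0.0/8 block because the worm uses 127.4.7.4, which a check for the literal 127.0.0.1 would miss.

```python
import ipaddress

# Constructed sample HOSTS file content (not taken from an infected machine);
# the 127.4.7.4 entries mirror the redirect behaviour described on this page.
SAMPLE_HOSTS = """\
# constructed sample header comment
127.0.0.1       localhost
127.4.7.4       www.mcafee.com
127.4.7.4       mcafee.com kaspersky.com
127.4.7.4       virustotal.com   # inline comment
192.168.1.10    fileserver.corp.example
"""

# Domains the page lists as redirected by the worm.
WATCHED_DOMAINS = {
    "mcafee.com", "nai.com", "kaspersky.com", "grisoft.com", "norton.com",
    "symantec.com", "norman.com", "trendmicro.com", "sophos.com",
    "perantivirus.com", "virusalert.nl", "antivirus.pagina.nl", "virustotal.com",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        ip, *names = line.split()              # one address, one or more names
        for name in names:
            yield ip, name.lower().rstrip(".")


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_sinkholed(text):
    """Return sorted (ip, hostname) entries that pin a watched domain to any
    loopback address (IPv4 127.0.0.0/8 or IPv6 ::1), not just 127.0.0.1."""
    hits = set()
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed line, not an address
        if addr.is_loopback and is_watched(name):
            hits.add((ip, name))
    return sorted(hits)
```

Running `find_sinkholed` over the real `%SystemRoot%\System32\drivers\etc\hosts` (read as text) reports the tampered entries; an empty result means none of the listed domains is sinkholed to loopback.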

6. When it detects a window whose title contains the string “exe” the worm reboots the machine.

7. It scans for open network shares and copies itself into the folders found. The file name becomes the name of the folder into which it was copied.

8. It adds a task to the “Windows Task Scheduler” to execute itself at 5:08 PM every day.

Miscellaneous Information:

  • This worm is written in Visual Basic
  • It uses the Windows “Folder Icon” as its icon, to trick users into opening it and thereby executing the worm
  • Upon execution, it opens an “Explorer” window in an attempt to hide its process
  • In order to make the dropped files harder to find, the files have their attributes changed to hidden/system files
  • It disables Registry editing tools

Symptoms

  • Inability to access the security related websites listed above due to the modifications made to the HOSTS file
  • Desktop firewall program alert that a foreign program is trying to access the internet
  • Presence of the files/Registry keys mentioned above
  • Inability to run Regedit.exe
  • Inability to change the Windows folder options

Method of Infection

This worm, using its built-in SMTP engine, sends itself as an attachment to email addresses harvested from the infected machine.

Subject:

Film Terbaru Dian Satro dan Tora Sudiro

(English: "Latest Film of Dian Sastro and Tora Sudiro"; the misspelling "Satro" is in the worm's own subject line.)

Body:

Salam Hangat,

Bagi Anda yang mengidolakan artis Dian Sastro atau Tora Sudiro, maka Anda akan segera terpuaskan, karena sebuah film komedi romantis terbaru mereka (judul film masih dirahasiakan) telah siap beredar.

Untuk menambah koleksi foto idola Anda, berikut adalah salah satu potongan gambar film ketika mereka beradegan romantis di sebuah danau, (terlampir pada file "Sample Picture.zip").

Menurut sutradaranya, film tersebut akan beredar dua bulan mendatang dan diperkirakan akan melebihi kesuksesan film-film terdahulu mereka.

Terima kasih,

English translation of the body:

Warm regards,

For those of you who idolize the actors Dian Sastro or Tora Sudiro, you will soon be satisfied, because their latest romantic comedy film (title still being kept secret) is ready for release.

To add to your collection of photos of your idols, here is one still from the film in which they play a romantic scene at a lake (attached in the file "Sample Picture.zip").

According to the director, the film will be released in two months and is expected to surpass the success of their previous films.

Thank you,

Attachment: Sample Picture.Zip

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Rontokbro@mm (Symantec)
  • W32.Rungbu.C (Symantec)
  • W32/Brontok-N (Sophos)
  • Win32/Brontokbro.A.A (Eset)
  • Win32/Robknot!Variant!Worm (CA eTrust)
  • Worm.Win32.Brontok.a (Kaspersky)
