Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 10/3/2005
Date Added: 10/3/2005
Origin: Unknown
Length: N/A
Type: Virus
SubType: Email Generic
DAT Required: 4595
Virus Characteristics
W32/Rontokbro.gen is a mass mailing worm which attempts to send a copy of itself to
email addresses harvested from the computer.
The characteristics of this worm, with regard to file names, folders created, port numbers
used, etc, will differ from one variant to another. Hence, this is a general description.
1. It modifies various Windows Explorer settings. This includes the removal of the
“Folder Options” item from all Windows Explorer menus.
• Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
Data: NoFolderOptions = 1
• This is so Win9x & WinME systems will pause at each Windows start up
3. It drops a copy of itself, along with other files, at the following locations:
• %System%\Administrator's Setting.scr
• %UserProfile%\Appdata\BronFoldNetDomList.txt
• %UserProfile%\Appdata\csrss.exe
• %UserProfile%\Appdata\inetinfo.exe
• %UserProfile%\Appdata\Kosong.Bron.Tok.txt
• %UserProfile%\Appdata\ListHost8.txt
• %UserProfile%\Appdata\lsass.exe
• %UserProfile%\Appdata\NetMailTmp.bin
• %UserProfile%\Appdata\services.exe
• %UserProfile%\Appdata\smss.exe
• %UserProfile%\Appdata\Update.8.Bron.Tok.bin
• %UserProfile%\Appdata\Update.AN.8.A.Bron.Tok
• %UserProfile%\Appdata\winlogon.exe
• %UserProfile%\Start Menu\Programs\Startup\Empty.pif
• %UserProfile%\Templates\WowTumpeh.com
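Several of the dropped files borrow the names of Windows system processes (csrss.exe, lsass.exe, services.exe, smss.exe, winlogon.exe, inetinfo.exe) but sit in a user profile folder. The check below is an added example, not McAfee's detection logic: it flags image paths whose file name is one of those names while the directory is not a trusted system directory. The trusted directory list and the sample paths are assumptions constructed for illustration.

```python
import ntpath

# System process names reused by the dropped files listed above.
SYSTEM_NAMES = {"csrss.exe", "inetinfo.exe", "lsass.exe",
                "services.exe", "smss.exe", "winlogon.exe"}

# Assumption: directories where these binaries legitimately live on the
# host being checked. Adjust for the actual Windows installation path.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\system32\inetsrv"}


def masquerading(paths, trusted_dirs=TRUSTED_DIRS):
    """Return the paths that use a system process name outside trusted_dirs."""
    hits = []
    for original in paths:
        # Strip quoting, resolve "..", and compare case-insensitively,
        # since Windows paths are case-insensitive.
        norm = ntpath.normpath(original.strip().strip('"')).lower()
        directory, name = ntpath.split(norm)
        if name in SYSTEM_NAMES and directory not in trusted_dirs:
            hits.append(original)
    return hits


# Constructed sample of process image paths (not taken from a real host).
SAMPLE_PATHS = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\Documents and Settings\user\Local Settings\Application Data\lsass.exe",
    r'"C:\Documents and Settings\user\Local Settings\Application Data\WINLOGON.EXE"',
    r"C:\Windows\System32\..\Temp\services.exe",
    r"C:\Windows\System32\inetsrv\inetinfo.exe",
    r"C:\Program Files\App\app.exe",
]

if __name__ == "__main__":
    for path in masquerading(SAMPLE_PATHS):
        print("suspicious image path:", path)
```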
Note:
• HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run "Tok-Cirrhatus-3444"
Data: "C:\Documents and Settings\Administrator\Local Settings\Application Data\br7911on.exe"
• HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run "Bron-Spizaetus"
Data: "C:\Windows\ShellNew\RakyatKelaparan.exe"
5. It modifies the HOSTS file to redirect the following security-related websites to the address 127.4.7.4:
• mcafee.com
• nai.com
• kaspersky.com
• grisoft.com
• norton.com
• symantec.com
• norman.com
• trendmicro.com
• sophos.com
• perantivirus.com
• virusalert.nl
• antivirus.pagina.nl
• virustotal.com
Because traffic for these domains is redirected to the local host, the user cannot
browse web pages belonging to them.
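The HOSTS file change described above can be checked for directly. The script below is an added example, not part of the original advisory: it parses HOSTS file text and reports any listed security domain (or a subdomain of one) that is mapped to a loopback or unspecified address, which covers 127.4.7.4 as well as other addresses in 127.0.0.0/8. The sample file content is constructed.

```python
import ipaddress

# Domains the advisory lists as redirected by the worm.
WATCHED = {
    "mcafee.com", "nai.com", "kaspersky.com", "grisoft.com", "norton.com",
    "symantec.com", "norman.com", "trendmicro.com", "sophos.com",
    "perantivirus.com", "virusalert.nl", "antivirus.pagina.nl",
    "virustotal.com",
}


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in HOSTS text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address, skip line
        for name in fields[1:]:                 # one line may map many names
            yield lineno, ip, name.lower().rstrip(".")


def watched_parent(name):
    """Return the watched domain that name equals or is a subdomain of."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in WATCHED:
            return candidate
    return None


def suspicious_entries(text):
    """Return (line_number, ip, hostname) for sinkholed security domains."""
    return [(n, str(ip), host) for n, ip, host in parse_hosts(text)
            if watched_parent(host) and (ip.is_loopback or ip.is_unspecified)]


# Constructed sample HOSTS content (not taken from an infected machine).
SAMPLE = """\
# constructed sample
127.0.0.1       localhost
127.4.7.4       mcafee.com www.mcafee.com
127.4.7.4       virustotal.com   # trailing comment
# 127.4.7.4     sophos.com
10.0.0.5        intranet.example
127.4.7.4       notmcafee.com.example
"""

if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE):
        print("line %d: %s -> %s" % entry)
```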
6. When it detects a window whose title contains the string “exe” the worm reboots the
machine.
7. It scans for open Network Shares and copies itself into the folders found. The file
name becomes the name of the folder into which it was copied.
8. It adds a task to the “Windows Task Scheduler” to execute itself at 5:08 PM every
day.
Miscellaneous Information:
• Inability to access the security-related websites listed above due to the
modifications made to the HOSTS file
• Desktop firewall program alert that a foreign program is trying to access the
internet
• Presence of the files/Registry keys mentioned above
• Inability to run Regedit.exe
• Inability to change the Windows folder options
Method of Infection
This worm, using its built-in SMTP engine, sends itself as an attachment to email
addresses harvested from the infected machine.
Subject:
Body:
Salam Hangat,
Bagi Anda yang mengidolakan artis Dian Sastro atau Tora Sudiro,
maka Anda akan segera
terpuaskan, karena sebuah film komedi romantis terbaru mereka (judul
film masih dirahasiakan)
telah siap beredar.
Untuk menambah koleksi foto idola Anda, berikut adalah salah satu
potongan gambar film
Terima kasih,
A combination of the latest DATs and the Engine will be able to detect and remove this
threat. AVERT recommends that users not trust seemingly familiar or safe file icons,
particularly when received via P2P clients, IRC, email or other media where users can
share files.
Aliases