Virus Profile: W32/Rontokbro.gen@MM

Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 10/3/2005
Date Added: 10/3/2005
Origin: Unknown
Length: N/A
Type: Virus
SubType: Email Generic
DAT Required: 4595

Virus Characteristics
W32/Rontokbro.gen is a mass mailing worm which attempts to send a copy of itself to
email addresses harvested from the computer.

The characteristics of this worm, such as file names, folders created and port numbers
used, differ from one variant to another, so the following is a general description.

When executed, the following actions are performed by this worm:

1. It modifies various Windows Explorer settings. This includes the removal of the
"Folder Options" item from all Windows Explorer menus:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Data: NoFolderOptions = 1

2. It overwrites the file "C:\autoexec.bat" to include the line "pause".

• This causes Windows 9x and Windows ME systems to pause at every Windows startup.

3. It drops a copy of itself along with other files into the following folders:

• %System%\Administrator's Setting.scr
• %UserProfile%\Appdata\BronFoldNetDomList.txt
• %UserProfile%\Appdata\csrss.exe
• %UserProfile%\Appdata\inetinfo.exe
• %UserProfile%\Appdata\Kosong.Bron.Tok.txt
• %UserProfile%\Appdata\ListHost8.txt
• %UserProfile%\Appdata\lsass.exe
• %UserProfile%\Appdata\NetMailTmp.bin
• %UserProfile%\Appdata\services.exe
• %UserProfile%\Appdata\smss.exe
• %UserProfile%\Appdata\Update.8.Bron.Tok.bin
• %UserProfile%\Appdata\Update.AN.8.A.Bron.Tok
• %UserProfile%\Appdata\winlogon.exe
• %UserProfile%\Start Menu\Programs\Startup\Empty.pif
• %UserProfile%\Templates\WowTumpeh.com

Note:

%UserProfile% is a variable location and refers to the user's profile folder.
%System% is a variable location and refers to the Windows system directory.

4. It modifies the following registry entries to run at system startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Tok-Cirrhatus-3444"
Data: "C:\Documents and Settings\Administrator\Local Settings\Application Data\br7911on.exe"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Bron-Spizaetus"
Data: "C:\Windows\ShellNew\RakyatKelaparan.exe"

5. It modifies the HOSTS file to redirect security-related websites to the address 127.4.7.4.

The following is a brief list of redirected websites:

• mcafee.com
• nai.com
• kaspersky.com
• grisoft.com
• norton.com
• symantec.com
• norman.com
• trendmicro.com
• sophos.com
• perantivirus.com
• virusalert.nl
• antivirus.pagina.nl
• virustotal.com

Because 127.4.7.4 lies in the loopback range, redirecting these domains to it means the user
can no longer reach the web pages belonging to these domains.

6. When it detects a window whose title contains the string “exe” the worm reboots the
machine.

7. It scans for open Network Shares and copies itself into the folders found. The file
name becomes the name of the folder into which it was copied.

8. It adds a task to the “Windows Task Scheduler” to execute itself at 5:08 PM every
day.

Miscellaneous Information:

• This worm is written in Visual Basic.
• It uses the Windows "Folder Icon" as its icon. This is to trick users into opening it,
effectively executing the worm.
• Upon execution, it opens an "Explorer" window in an attempt to hide its process.
• In order to make the dropped files harder to find, the files have their attributes
changed to hidden/system files.
• It disables Registry editing tools.

Indications of Infection

• Inability to access the security related websites listed above due to the
modifications made to the HOSTS file
• Desktop firewall program alert that an unknown program is trying to access the
Internet
• Presence of the files/Registry keys mentioned above
• Inability to run Regedit.exe
• Inability to change the Windows folder options

Method of Infection

This worm, using its built-in SMTP engine, sends itself as an attachment to email
addresses harvested from the infected machine.

Subject:

Film Terbaru Dian Satro dan Tora Sudiro

Body:

Salam Hangat,

Bagi Anda yang mengidolakan artis Dian Sastro atau Tora Sudiro, maka Anda akan segera
terpuaskan, karena sebuah film komedi romantis terbaru mereka (judul film masih dirahasiakan)
telah siap beredar.

Untuk menambah koleksi foto idola Anda, berikut adalah salah satu potongan gambar film
ketika mereka beradegan romantis di sebuah danau, (terlampir pada file "Sample Picture.zip").

Menurut sutradaranya, film tersebut akan beredar dua bulan mendatang dan diperkirakan akan
melebihi kesuksesan film-film terdahulu mereka.

Terima kasih,

English translation of the Indonesian subject and body (the original text above is the indicator):

Subject: Latest film of Dian Satro and Tora Sudiro

Body: Warm regards, For those of you who idolize the actors Dian Sastro or Tora Sudiro, you
will soon be satisfied, because their latest romantic comedy film (the title is still being
kept secret) is ready for release. To add to your collection of photos of your idols, here is
a still from the film of a romantic scene at a lake (attached in the file "Sample Picture.zip").
According to the director, the film will be released in two months and is expected to
surpass the success of their previous films. Thank you,

Attachment: Sample Picture.Zip


Removal Instructions

A combination of the latest DATs and the Engine will be able to detect and remove this
threat. AVERT recommends users not to trust seemingly familiar or safe file icons,
particularly when received via P2P clients, IRC, email or other media where users can
share files.

Additional Windows ME/XP removal considerations

Aliases

W32.Rontokbro@mm (Symantec), W32.Rungbu.C (Symantec), W32/Brontok-N (Sophos),
Win32/Brontokbro.A.A (Eset), Win32/Robknot!Variant!Worm (CA eTrust),
Worm.Win32.Brontok.a (Kaspersky)

© Copyright 2003-2007 McAfee, Inc. All Rights Reserved.