W32.Rontokbro.B@mm is a mass-mailing worm that causes system instability.
When W32.Rontokbro.B@mm is executed, it performs the following actions:
1. Copies itself as the following files:
* %UserProfile%\Local Settings\Application Data\csrss.exe
* %UserProfile%\Local Settings\Application Data\inetinfo.exe
* %UserProfile%\Local Settings\Application Data\lsass.exe
* %UserProfile%\Local Settings\Application Data\services.exe
* %UserProfile%\Local Settings\Application Data\smss.exe
* %UserProfile%\Local Settings\Application Data\winlogon.exe
* %UserProfile%\Start Menu\Programs\Startup\Empty.pif
* %UserProfile%\Templates\A.kotnorB.com
* %Windir%\inf\norBtok.exe
* %System%\3D Animation.scr
Note:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
2. Creates the directory:
%UserProfile%\Local Settings\Application Data\Bron.tok-3-3
3. Overwrites C:\Autoexec.bat with the following text:
"pause"
4. Adds the value:
"Bron-Spizaetus" = "%Windir%\INF\norBtok.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
5. Adds the value:
"NoFolderOptions" = "1"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
6. Adds the values:
"DisableRegistryTools" = "1"
"DisableCMD" = "0"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
7. Adds the value:
"Tok-Cirrhatus" = "%UserProfile%\Local Settings\Application Data\smss.exe"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
8. Adds a task to the Windows scheduler to execute the following file at 5:08 PM every day:
%UserProfile%\Templates\A.kotnorB.com
9. Restarts the computer when it detects a window whose title contains one of the following strings:
* ..
* .@
* @.
* .ASP
* .EXE
* .HTM
* .JS
* .PHP
* ADMIN
* ADOBE
* AHNLAB
* ALADDIN
* ALERT
* ALWIL
* ANTIGEN
* APACHE
* APPLICATION
* ARCHIEVE
* ASDF
* ASSOCIATE
* AVAST
* AVG
* AVIRA
* BILLING@
* BLACK
* BLAH
* BLEEP
* BUILDER
* CANON
* CENTER
* CILLIN
* CISCO
* CMD.
* CNET
* COMMAND
* COMMAND PROMPT
* CONTOH
* CONTROL
* CRACK
* DARK
* DATA
* DATABASE
* DEMO
* DETIK
* DEVELOP
* DOMAIN
* DOWNLOAD
* ESAFE
* ESAVE
* ESCAN
* EXAMPLE
* FEEDBACK
* FIREWALL
* FOO@
* FUCK
* FUJITSU
* GATEWAY
* GOOGLE
* GRISOFT
* GROUP
* HACK
* HAURI
* HIDDEN
* HP.
* IBM.
* INFO@
* INTEL.
* KOMPUTER
* LINUX
* LOG OFF WINDOWS
* LOTUS
* MACRO
* MALWARE
* MASTER
* MCAFEE
* MICRO
* MICROSOFT
* MOZILLA
* MYSQL
* NETSCAPE
* NETWORK
* NEWS
* NOD32
* NOKIA
* NORMAN
* NORTON
* NOVELL
* NVIDIA
* OPERA
* OVERTURE
* PANDA
* PATCH
* POSTGRE
* PROGRAM
* PROLAND
* PROMPT
* PROTECT
* PROXY
* RECIPIENT
* REGISTRY
* RELAY
* RESPONSE
* ROBOT
* SCAN
* SCRIPT HOST
* SEARCH R
* SECURE
* SECURITY
* SEKUR
* SENIOR
* SERVER
* SERVICE
* SHUT DOWN
* SIEMENS
* SMTP
* SOFT
* SOME
* SOPHOS
* SOURCE
* SPAM
* SPERSKY
* SUN.
* SUPPORT
* SYBARI
* SYMANTEC
* SYSTEM CONFIGURATION
* TEST
* TREND
* TRUST
* UPDATE
* UTILITY
* VAKSIN
* VIRUS
* WINDOWS SECURITY.VBS
* W3.
* WWW
* XEROX
* XXX
* YOUR
* ZDNET
* ZEND
* ZOMBIE
10. May also launch a ping flood attack on the following sites:
* israel.gov.il
* playboy.com
11. Gathers email addresses from files with the following extensions on all local drives from C to Y:
* ASP
* CFM
* CSV
* DOC
* EML
* HTML
* PHP
* TXT
* WAB
12. Does not send itself to email addresses that contain any of the following strings in the domain name:
* PLASA
* TELKOM
* INDO
* .CO.ID
* .GO.ID
* .MIL.ID
* .SCH.ID
* .NET.ID
* .OR.ID
* .AC.ID
* .WEB.ID
* .WAR.NET.ID
* ASTAGA
* GAUL
* BOLEH
* EMAILKU
* SATU
13. May prepend the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:
* smtp.
* mail.
* ns1.
14. Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:
From: [SPOOFED]
Subject: [BLANK]
Message:
BRONTOK.A [ By: H[REMOVED]M Community ]
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah[ By: H[REMOVED]unity --
English translation of the Indonesian message body (the original wording above is the string to match on in mail filters):
BRONTOK.A [ By: H[REMOVED]M Community ]
-- Stop the rot in this country --
1. Put corruptors, smugglers, bribe-takers, gamblers, & DRUG dealers on trial
( Send to "NUSAKAMBANGAN")
2. Stop free sex, abortion, & prostitution
3. Stop (pollution of the sea & rivers), forest burning & poaching.
4. SAY NO TO DRUGS !!!
-- JUDGMENT DAY IS NEAR --
Inspired by: the Brontok Eagle (Spizaetus Cirrhatus), which is nearly extinct[ By: H[REMOVED]unity --
Attachment:
Kangen.exe
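The following host triage script checks a machine for the artifacts listed in steps 1 through 9. It is an added example and is not Symantec's removal tool or anything from the original write-up. It assumes a Windows XP-style profile layout (%UserProfile%\Local Settings), that schtasks.exe is on the path, and that the window-title matching in step 9 is a case-insensitive substring test (the page lists the strings in upper case but does not state the comparison rule). The trigger list in the script is a subset chosen for tools a responder is likely to open; paste the full list from step 9 for an exhaustive check. Run it from Safe Mode: while the worm is active, an elevated console titled "Administrator: Windows PowerShell" already contains "ADMIN" and would cause a reboot, which is why the script first retitles its own window.

```powershell
# Read-only triage for W32.Rontokbro.B@mm indicators (steps 1-9 above).
# Added example, not Symantec's tool. Assumes XP-style %UserProfile%\Local Settings.
$ErrorActionPreference = 'SilentlyContinue'
$Host.UI.RawUI.WindowTitle = 'triage'   # avoid matching ADMIN, PROMPT, etc. (step 9)
$findings = @()

# Step 1: dropped copies. The names mimic real system binaries, but the real ones
# live in %System%; copies under Local Settings\Application Data are the indicator.
$lad = Join-Path $env:USERPROFILE 'Local Settings\Application Data'
$dropped = @(@('csrss.exe', 'inetinfo.exe', 'lsass.exe', 'services.exe',
               'smss.exe', 'winlogon.exe') | ForEach-Object { Join-Path $lad $_ })
$dropped += Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup\Empty.pif'
$dropped += Join-Path $env:USERPROFILE 'Templates\A.kotnorB.com'
$dropped += Join-Path $env:windir 'inf\norBtok.exe'
$dropped += Join-Path $env:windir 'System32\3D Animation.scr'
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $findings += "file present: $f" }
}

# Step 2: working directory
$bron = Join-Path $lad 'Bron.tok-3-3'
if (Test-Path -LiteralPath $bron -PathType Container) { $findings += "directory present: $bron" }

# Step 3: Autoexec.bat overwritten with a bare "pause"
$autoexec = 'C:\Autoexec.bat'
if (Test-Path -LiteralPath $autoexec) {
    $body = ((Get-Content -LiteralPath $autoexec) -join "`n").Trim()
    if ($body -eq 'pause') { $findings += "Autoexec.bat contains only 'pause'" }
}

# Steps 4-7: Run-key persistence and the policy values that lock the user out
$regChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';               Name = 'Bron-Spizaetus' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';               Name = 'Tok-Cirrhatus' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableCMD' }
)
foreach ($c in $regChecks) {
    $props = Get-ItemProperty -Path $c.Key -Name $c.Name   # $null when the value is absent
    if ($props -ne $null) {
        $value = $props.PSObject.Properties[$c.Name].Value
        $findings += "registry: $($c.Key)\$($c.Name) = $value"
    }
}

# Step 8: daily 5:08 PM task that runs A.kotnorB.com
$tasks = schtasks /query /v /fo CSV 2>$null
if ($tasks -match 'A\.kotnorB\.com') { $findings += 'scheduled task referencing A.kotnorB.com' }

# Step 9: open windows whose titles would make the worm reboot the host.
# Subset of the step 9 list; case-insensitive substring match is an assumption.
$triggers = @('ADMIN', 'CMD.', 'COMMAND PROMPT', 'REGISTRY', 'SCRIPT HOST',
              'SYSTEM CONFIGURATION', 'SHUT DOWN', 'LOG OFF WINDOWS',
              'SECURITY', 'VIRUS', 'SCAN', 'MICROSOFT', '.EXE')
$titles = Get-Process | Where-Object { $_.MainWindowTitle } |
          Select-Object -ExpandProperty MainWindowTitle
foreach ($t in $titles) {
    $upper = $t.ToUpperInvariant()
    $hit = @($triggers | Where-Object { $upper.Contains($_) })
    if ($hit.Count -gt 0) { $findings += "window '$t' matches trigger(s): $($hit -join ', ')" }
}

if ($findings.Count -eq 0) { 'No Rontokbro.B indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

When cleaning up, remove the two Run values, the scheduled task and the dropped files by the full paths above only; the copies named csrss.exe, lsass.exe, services.exe, smss.exe and winlogon.exe under the profile folder are the worm, while the same names under %System% are legitimate Windows binaries. Clear NoFolderOptions and DisableRegistryTools afterwards, or Folder Options and regedit stay locked for the user.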
REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/w32.rontokbro.b@mm.html