AlphaOne Technology Support Forums
TJ
W32.Rontokbro@mm
« on: September 26, 2005, 12:48:52 PM »

W32.Rontokbro@mm is a mass-mailing worm that causes system instability.

When W32.Rontokbro@mm is executed, it performs the following actions:

   1. Copies itself as the following files:

          * C:\Windows\PIF\CVT.exe
          * %UserProfile%\APPDATA\IDTemplate.exe
          * %UserProfile%\APPDATA\services.exe
          * %UserProfile%\APPDATA\lsass.exe
          * %UserProfile%\APPDATA\inetinfo.exe
          * %UserProfile%\APPDATA\csrss.exe
          * %UserProfile%\Programs\Startup\Empty.pif
          * %UserProfile%\Templates\A.kotnorB.com
          * %System%\3D Animation.scr

      Note:
          * %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
          * %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

   2. Creates the folder:

      %UserProfile%\Local Settings\Application Data\Bron.tok-24

   3. Overwrites C:\Autoexec.bat with the following text:

      "pause"

   4. Adds the value:

      "Bron-Spizaetus" = "C:\WINDOWS\PIF\CVT.exe"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      so that it runs every time Windows starts.

   5. Modifies the value:

      "DisableRegistryTools" = "1"
      "DisableCMD" = "2"

      in the registry subkey:

      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System

   6. Modifies the value:

      "NoFolderOptions" = "1"

      in the registry subkey:

      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\Explorer\

   7. Adds a task to the Windows scheduler to execute the following file at 5:08 PM every day:

      %UserProfile%\Templates\A.kotnorB.com

   8. Reboots the computer when it detects a window whose title contains one of the following strings:

          * ..
          * .@
          * @.
          * .ASP
          * .EXE
          * .HTM
          * .JS
          * .PHP
          * ADMIN
          * ADOBE
          * AHNLAB
          * ALADDIN
          * ALERT
          * ALWIL
          * ANTIGEN
          * APACHE
          * APPLICATION
          * ARCHIEVE
          * ASDF
          * ASSOCIATE
          * AVAST
          * AVG
          * AVIRA
          * BILLING@
          * BLACK
          * BLAH
          * BLEEP
          * BUILDER
          * CANON
          * CENTER
          * CILLIN
          * CISCO
          * CMD.
          * CNET
          * COMMAND
          * COMMAND PROMPT
          * CONTOH
          * CONTROL
          * CRACK
          * DARK
          * DATA
          * DATABASE
          * DEMO
          * DETIK
          * DEVELOP
          * DOMAIN
          * DOWNLOAD
          * ESAFE
          * ESAVE
          * ESCAN
          * EXAMPLE
          * FEEDBACK
          * FIREWALL
          * FOO@
          * FUCK
          * FUJITSU
          * GATEWAY
          * GOOGLE
          * GRISOFT
          * GROUP
          * HACK
          * HAURI
          * HIDDEN
          * HP.
          * IBM.
          * INFO@
          * INTEL.
          * KOMPUTER
          * LINUX
          * LOG OFF WINDOWS
          * LOTUS
          * MACRO
          * MALWARE
          * MASTER
          * MCAFEE
          * MICRO
          * MICROSOFT
          * MOZILLA
          * MYSQL
          * NETSCAPE
          * NETWORK
          * NEWS
          * NOD32
          * NOKIA
          * NORMAN
          * NORTON
          * NOVELL
          * NVIDIA
          * OPERA
          * OVERTURE
          * PANDA
          * PATCH
          * POSTGRE
          * PROGRAM
          * PROLAND
          * PROMPT
          * PROTECT
          * PROXY
          * RECIPIENT
          * REGISTRY
          * RELAY
          * RESPONSE
          * ROBOT
          * SCAN
          * SCRIPT HOST
          * SEARCH R
          * SECURE
          * SECURITY
          * SEKUR
          * SENIOR
          * SERVER
          * SERVICE
          * SHUT DOWN
          * SIEMENS
          * SMTP
          * SOFT
          * SOME
          * SOPHOS
          * SOURCE
          * SPAM
          * SPERSKY
          * SUN.
          * SUPPORT
          * SYBARI
          * SYMANTEC
          * SYSTEM CONFIGURATION
          * TEST
          * TREND
          * TRUST
          * UPDATE
          * UTILITY
          * VAKSIN
          * VIRUS
          * W3.
          * WINDOWS SECURITY.VBS
          * WWW
          * XEROX
          * XXX
          * YOUR
          * ZDNET
          * ZEND
          * ZOMBIE

   9. May also launch a ping flood attack on the following sites:

          * israel.gov.il
          * playboy.com

  10. Gathers email addresses from files with the following extensions on all local drives from C to Y:

          * .asp
          * .cfm
          * .csv
          * .doc
          * .eml
          * .html
          * .php
          * .txt
          * .wab

  11. Avoids sending itself to email addresses that contain any of the following strings in the domain name:

          * PLASA
          * TELKOM
          * INDO
          * .CO.ID
          * .GO.ID
          * .MIL.ID
          * .SCH.ID
          * .NET.ID
          * .OR.ID
          * .AC.ID
          * .WEB.ID
          * .WAR.NET.ID
          * ASTAGA
          * GAUL
          * BOLEH
          * EMAILKU
          * SATU

  12. May append the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:

          * smtp.
          * mail.
          * ns1.

  13. Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

      From: [SPOOFED]

      Subject: [BLANK]

      Message:
      BRONTOK.A  [ By: H[REMOVED]Community ]
      -- Hentikan kebobrokan di negeri ini --
      1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
      ( Send to "NUSAKAMBANGAN")
      2. Stop Free Sex, Absorsi, & Prostitusi
      3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
      4. SAY NO TO DRUGS !!!
      -- KIAMAT SUDAH DEKAT --
      Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah[ By: H[REMOVED]unity --

      Attachment:

      Kangen.exe

REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/w32.rontokbro@mm.html


To delete the value from the registry
   1. Click Start > Run.
   2. Type regedit
   3. Click OK.
   4. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

   5. In the right pane, delete the value:

      "Bron-Spizaetus" = "C:\WINDOWS\PIF\CVT.exe"

   6. Exit the Registry Editor.
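The following is an added, read-only audit script (not code from the Symantec writeup or from this post) that checks a host for the artifacts listed in steps 1 to 7 above; it takes the file paths literally as written (%UserProfile%\APPDATA, %System% resolved to System32), and the schtasks query is an assumption about how the daily 5:08 PM task was registered.

```powershell
# Added audit script: reports which W32.Rontokbro@mm artifacts from steps 1-7 are present.
# Read-only; the registry value names and paths are the ones given in the writeup above.
$findings = New-Object System.Collections.Generic.List[string]
$up = $env:USERPROFILE

# Step 4: autorun value under HKLM\...\Run
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.'Bron-Spizaetus') { $findings.Add("Run value Bron-Spizaetus = $($run.'Bron-Spizaetus')") }

# Steps 5 and 6: policy values that lock out regedit, cmd.exe and Folder Options
$policies = @{
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = 'DisableRegistryTools', 'DisableCMD'
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = ,'NoFolderOptions'
}
foreach ($key in $policies.Keys) {
  $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
  foreach ($name in $policies[$key]) {
    if ($props -and $null -ne $props.$name) { $findings.Add("$key\$name = $($props.$name)") }
  }
}

# Steps 1 and 2: dropped copies and the Bron.tok-24 folder (paths as written in the writeup)
$paths = @(
  'C:\Windows\PIF\CVT.exe',
  "$up\APPDATA\IDTemplate.exe", "$up\APPDATA\services.exe", "$up\APPDATA\lsass.exe",
  "$up\APPDATA\inetinfo.exe", "$up\APPDATA\csrss.exe",
  "$up\Programs\Startup\Empty.pif", "$up\Templates\A.kotnorB.com",
  "$env:SystemRoot\System32\3D Animation.scr",
  "$up\Local Settings\Application Data\Bron.tok-24"
)
foreach ($p in $paths) { if (Test-Path -LiteralPath $p) { $findings.Add("Present: $p") } }

# Step 3: Autoexec.bat overwritten with the single word "pause"
if (Test-Path 'C:\Autoexec.bat') {
  $body = Get-Content 'C:\Autoexec.bat' -Raw -ErrorAction SilentlyContinue
  if ($body -and $body.Trim() -eq 'pause') { $findings.Add('C:\Autoexec.bat contains only "pause"') }
}

# Step 7: a scheduled task that launches A.kotnorB.com (assumes it is visible to schtasks)
$tasks = schtasks /query /fo LIST /v 2>$null
if ($tasks | Select-String -SimpleMatch 'A.kotnorB.com') { $findings.Add('Scheduled task references A.kotnorB.com') }

if ($findings.Count -eq 0) { 'No W32.Rontokbro@mm artifacts found.' } else { $findings }
```

Because of step 8, a console window whose title contains a string such as REGISTRY or COMMAND PROMPT may cause the worm to reboot the host mid-audit, so run the check from a window with a neutral title or from offline media.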