Saturday, April 28, 2007

W32.Rontokbro@mm (Risk Level 2: Low)



*sniff sniff* I don't remember clicking on any emails with a blank title >.<" Whenever I receive emails with weird Chinese characters, an unknown sender or a blank title, I don't even bother clicking on them; I just move them into the trash and empty it.

I've formatted my C drive two times but it doesn't seem to work. It infected most of my files on the D and E drives, where my precious mp3s and photos are stored *sob sob* Now, my main problem is... I don't even have an anti-virus! LoL, don't laugh! I hate using anti-virus because it really slows my system down >.<"

Does anyone else have an idea how to clean the worm without formatting my other drives? I'm still downloading the stupid Symantec trialware; hope it works.

Discovered: September 23, 2005
Updated: February 13, 2007 12:44:41 PM
Type: Worm
Infection Length: 102,400 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Rontokbro@mm is executed, it performs the following actions:

Copies itself as the following files:

C:\Windows\PIF\CVT.exe
%UserProfile%\APPDATA\IDTemplate.exe
%UserProfile%\APPDATA\services.exe
%UserProfile%\APPDATA\lsass.exe
%UserProfile%\APPDATA\inetinfo.exe
%UserProfile%\APPDATA\csrss.exe
%UserProfile%\APPDATA\winlogon.exe
%UserProfile%\Programs\Startup\Empty.pif
%UserProfile%\Templates\A.kotnorB.com
%System%\3D Animation.scr

Note:
%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

Creates the folder:

%UserProfile%\Local Settings\Application Data\Bron.tok-24

Overwrites C:\Autoexec.bat with the following text:

"pause"

Adds the value:

"Tok-Cirrhatus" = "%UserProfile%\APPDATA\IDTemplate.exe"

to the registry subkey:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

Adds the value:

"Bron-Spizaetus" = "C:\WINDOWS\PIF\CVT.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

Modifies the values:

"DisableRegistryTools" = "1"
"DisableCMD" = "2"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Modifies the value:

"NoFolderOptions" = "1"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Adds a task to the Windows scheduler to execute the following file at 5:08 PM every day:

%UserProfile%\Templates\A.kotnorB.com
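The file drops, Run values and policy keys above are the indicators a responder would hunt for before touching the infected disk. The script below is an added example, not Symantec's or the blog author's code: it takes a `.reg`-style text export (the format `reg export` writes) plus a list of file paths collected from the drive, and reports every documented indicator it finds. It assumes a Windows XP profile path (`C:\Documents and Settings\Christina`) and `%System%` of `C:\Windows\System32`; the paths are kept exactly as the writeup spells them (including `APPDATA`), and the sample registry text and file list are constructed, not taken from a real machine. It goes slightly beyond the writeup by also flagging any Run value whose data points at a documented drop path, so a variant that renames `Tok-Cirrhatus` but keeps the same executable is still caught.

```python
import re

# Indicators transcribed from the writeup above. Assumed example environment:
USER_PROFILE = r"C:\Documents and Settings\Christina"   # assumed %UserProfile%
SYSTEM_DIR = r"C:\Windows\System32"                      # Windows XP default %System%

DROPPED_FILES = [
    r"C:\Windows\PIF\CVT.exe",
    r"%UserProfile%\APPDATA\IDTemplate.exe",
    r"%UserProfile%\APPDATA\services.exe",
    r"%UserProfile%\APPDATA\lsass.exe",
    r"%UserProfile%\APPDATA\inetinfo.exe",
    r"%UserProfile%\APPDATA\csrss.exe",
    r"%UserProfile%\APPDATA\winlogon.exe",
    r"%UserProfile%\Programs\Startup\Empty.pif",
    r"%UserProfile%\Templates\A.kotnorB.com",
    r"%System%\3D Animation.scr",
]
# Run key -> documented value name (lowercased; registry names are case-insensitive).
RUN_KEYS = {
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "tok-cirrhatus",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "bron-spizaetus",
}
# Policy key -> {value name: data the worm writes}.
POLICY_VALUES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        {"disableregistrytools": "1", "disablecmd": "2"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        {"nofolderoptions": "1"},
}


def expand(path):
    """Substitute the two variables the writeup uses."""
    return path.replace("%UserProfile%", USER_PROFILE).replace("%System%", SYSTEM_DIR)


def parse_reg_export(text):
    """Parse a .reg-style export into {key: {value name: data}} with keys and names lowercased.
    Handles REG_SZ ("...", with the doubled backslashes of .reg files unescaped) and
    REG_DWORD (dword:hex, converted to a decimal string); other types are kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)+)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif data.lower().startswith("dword:"):
                data = str(int(data[6:], 16))
            keys[current][name] = data
    return keys


def find_registry_indicators(text):
    """Return [(key, value name, data)] for every documented indicator present in the export."""
    keys = parse_reg_export(text)
    dropped = {expand(p).lower() for p in DROPPED_FILES}
    hits = []
    for key, bad_name in RUN_KEYS.items():
        for name, data in keys.get(key.lower(), {}).items():
            # Match the documented value name, or any value pointing at a dropped file.
            if name == bad_name or data.strip('"').lower() in dropped:
                hits.append((key, name, data))
    for key, expected in POLICY_VALUES.items():
        present = keys.get(key.lower(), {})
        for name, want in expected.items():
            if present.get(name) == want:
                hits.append((key, name, want))
    return hits


def find_dropped_files(paths):
    """Return the paths that match a documented drop location (case-insensitive)."""
    known = {expand(p).lower() for p in DROPPED_FILES}
    return sorted(p for p in paths if p.lower() in known)


# Constructed sample input (not output from a real system).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Tok-Cirrhatus"="C:\\Documents and Settings\\Christina\\APPDATA\\IDTemplate.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="C:\\WINDOWS\\PIF\\CVT.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
'''
SAMPLE_FILES = [
    r"C:\WINDOWS\PIF\CVT.exe",
    r"C:\Documents and Settings\Christina\Templates\A.kotnorB.com",
    r"C:\Documents and Settings\Christina\My Documents\holiday.jpg",
]

if __name__ == "__main__":
    for hit in find_registry_indicators(SAMPLE_REG):
        print("registry:", *hit)
    for path in find_dropped_files(SAMPLE_FILES):
        print("file:", path)
```

Collect the inputs from outside the running infection where possible: the worm sets `DisableRegistryTools`, so regedit will not open, and its window-title list above includes "REGISTRY", "CMD." and "COMMAND PROMPT", so opening those tools on the live system triggers the reboot it describes. `DisableCMD` set to 2 blocks the interactive command prompt but still lets batch files run, which is why batch-driven cleanup scripts of the era worked against it.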

Reboots the computer when it detects a window whose title contains one of the following strings:
..
.@
@.
.ASP
.EXE
.HTM
.JS
.PHP
ADMIN
ADOBE
AHNLAB
ALADDIN
ALERT
ALWIL
ANTIGEN
APACHE
APPLICATION
ARCHIEVE
ASDF
ASSOCIATE
AVAST
AVG
AVIRA
BILLING@
BLACK
BLAH
BLEEP
BUILDER
CANON
CENTER
CILLIN
CISCO
CMD.
CNET
COMMAND
COMMAND PROMPT
CONTOH
CONTROL
CRACK
DARK
DATA
DATABASE
DEMO
DETIK
DEVELOP
DOMAIN
DOWNLOAD
ESAFE
ESAVE
ESCAN
EXAMPLE
FEEDBACK
FIREWALL
FOO@
FUCK
FUJITSU
GATEWAY
GOOGLE
GRISOFT
GROUP
HACK
HAURI
HIDDEN
HP.
IBM.
INFO@
INTEL.
KOMPUTER
LINUX
LOG OFF WINDOWS
LOTUS
MACRO
MALWARE
MASTER
MCAFEE
MICRO
MICROSOFT
MOZILLA
MYSQL
NETSCAPE
NETWORK
NEWS
NOD32
NOKIA
NORMAN
NORTON
NOVELL
NVIDIA
OPERA
OVERTURE
PANDA
PATCH
POSTGRE
PROGRAM
PROLAND
PROMPT
PROTECT
PROXY
RECIPIENT
REGISTRY
RELAY
RESPONSE
ROBOT
SCAN
SCRIPT HOST
SEARCH R
SECURE
SECURITY
SEKUR
SENIOR
SERVER
SERVICE
SHUT DOWN
SIEMENS
SMTP
SOFT
SOME
SOPHOS
SOURCE
SPAM
SPERSKY
SUN.
SUPPORT
SYBARI
SYMANTEC
SYSTEM CONFIGURATION
TEST
TREND
TRUST
UPDATE
UTILITY
VAKSIN
VIRUS
W3.
WINDOWS SECURITY.VBS
WWW
XEROX
XXX
YOUR
ZDNET
ZEND
ZOMBIE

May also launch a ping flood attack on the following sites:

israel.gov.il
playboy.com

Gathers email addresses from files with the following extensions on all local drives from C to Y:

.asp
.cfm
.csv
.doc
.eml
.html
.php
.txt
.wab

Avoids sending itself to email addresses that contain any of the following strings in the domain name:

PLASA
TELKOM
INDO
.CO.ID
.GO.ID
.MIL.ID
.SCH.ID
.NET.ID
.OR.ID
.AC.ID
.WEB.ID
.WAR.NET.ID
ASTAGA
GAUL
BOLEH
EMAILKU
SATU

May prepend the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:

smtp.
mail.
ns1.

Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From: [SPOOFED]

Subject: [BLANK]

Message (original Indonesian text as sent, followed by an English translation):
BRONTOK.A [ By: H[REMOVED]Community ]
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah[ By: H[REMOVED]unity --

Translation:
BRONTOK.A [ By: H[REMOVED]Community ]
-- Stop the rot in this country --
1. Prosecute the corrupt, smugglers, bribe-givers, gamblers, & drug kingpins
( Send to "NUSAKAMBANGAN")
2. Stop free sex, abortion, & prostitution
3. Stop (pollution of the sea & rivers), forest burning & poaching.
4. SAY NO TO DRUGS !!!
-- JUDGMENT DAY IS NEAR --
Inspired by: the Changeable Hawk-Eagle (Spizaetus Cirrhatus), which is nearly extinct[ By: H[REMOVED]unity --

Attachment: Kangen.exe

(Source: Symantec)

7 comments:

  1. Hi Cristina,
    how are you?
    Can I exchange links with you?

  2. Hit by a trojan again. I seriously recommend you back up everything to an external hard disk, then format your whole computer (including all partitions), then reinstall the OS again. Then install AVG and Security Task Manager. If you want your files, then plug in the external hard disk for scanning. It is nearly foolproof.

  3. pisang goreng: hihi, you've got a cute name =D Sure, I'll add you, thanks ^^ & nice meeting you.

    dragon head: hehe, I spent the whole night scanning to clean everything after I reformatted & reinstalled all my drivers & software... now it seems to work fine =D Thanks for your advice again.

  4. Erm, I've successfully removed the worms using Norton Anti-Virus '07. These worms were discovered by them first & they're the most suitable product which can remove them totally...

    Daniel: I used to have AVG but I found that it can't really detect certain viruses ^^v but since it's free, I might use it after the 15 days of trial... thanks

  5. Thank you, thank you...
    and I will add you on MSN too

  6. hehe, alright. Remember to tell me who you are when you add me. Thanks *winks*

Dear readers,

Thanks for all your lovely comments and continual visits.
Hope I'll see you again soon! (✿◠‿◠)

xoxo,
Christina
